Full Disclosure mailing list archives
Re: Break-in discovery and forensics tools
From: Valdis.Kletnieks () vt edu
Date: Wed, 23 Apr 2003 14:18:53 -0400
On Wed, 23 Apr 2003 09:18:58 PDT, Hotmail <se_cur_ity () hotmail com> said:
I realize the importance of after-incident forensics... What I don't understand is logs used in a court for prosecution. Logs are inherently not preservable or physical evidence; they are tamperable from the time the external data hits a MAC. If that were the case, basically I could take my logs and edit any damn originating IP I choose, send those logs to law enforcement, and have an innocent person convicted. Logs are nice... but IMHO defeatable in court.
Very good point - which is why things like this are proposed:

A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Security Issues in Network Event Logging Working Group of the IETF.

Title : Syslog-Sign Protocol
Author(s) : J. Kelsey, J. Callas
Filename : draft-ietf-syslog-sign-10.txt
Pages : 35
Date : 2003-4-7

This document describes syslog-sign, a mechanism adding origin authentication, message integrity, replay-resistance, message sequencing, and detection of missing messages to syslog. Syslog-sign provides these security features in a way that has minimal requirements and minimal impact on existing syslog implementations. It is possible to support syslog-sign and gain some of its security attributes by only changing the behavior of the devices generating syslog messages. Some additional processing of the received syslog messages and the syslog-sign messages on the relays and collectors may realize additional security benefits.

A URL for this Internet-Draft is: http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-10.txt
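The properties the draft announcement lists (message integrity, sequencing, detection of missing messages) can be illustrated with a small sender/collector pair. This is an added example, not code from the thread or from the syslog-sign draft: it numbers messages, emits a signed block of hashes every few messages, and lets the collector flag tampered, missing, unsigned or forged entries. The message layout, the `SIGBLOCK` marker and the HMAC key are constructed for the demo; the real draft uses public-key signatures so a collector holds no secret.

```python
import hashlib, hmac, json

# Constructed demo key. The draft uses public-key signatures, so a collector
# needs no secret to verify; HMAC stands in here to keep the example short.
KEY = b"demo-key-not-for-production"
BLOCK = 3  # message hashes carried per signature block

def _sign_block(first_seq, hashes, key):
    payload = json.dumps({"first": first_seq, "hashes": hashes}, separators=(",", ":"))
    sig = hmac.new(key, payload.encode(), "sha256").hexdigest()
    return f"SIGBLOCK {payload} sig={sig}"

def emit(lines, key=KEY, block=BLOCK):
    """Number each log line and append a signature block every `block` messages."""
    out, hashes, seq = [], [], 0
    for seq, text in enumerate(lines, start=1):
        msg = f"seq={seq} {text}"
        out.append(msg)
        hashes.append(hashlib.sha256(msg.encode()).hexdigest())
        if len(hashes) == block:
            out.append(_sign_block(seq - block + 1, hashes, key))
            hashes = []
    if hashes:  # sign the trailing partial block too
        out.append(_sign_block(seq - len(hashes) + 1, hashes, key))
    return out

def verify(stream, key=KEY):
    """Sorted findings for a collector; an empty list means nothing is amiss."""
    received = {int(e.split()[0][4:]): e for e in stream if e.startswith("seq=")}
    covered, findings = set(), set()
    for e in stream:
        if not e.startswith("SIGBLOCK "):
            continue
        payload, _, sig = e[len("SIGBLOCK "):].rpartition(" sig=")
        expect = hmac.new(key, payload.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(sig, expect):
            findings.add("forged signature block")  # block itself is not trusted
            continue
        blk = json.loads(payload)
        for i, h in enumerate(blk["hashes"]):
            seq = blk["first"] + i
            covered.add(seq)
            if seq not in received:
                findings.add(f"missing seq={seq}")
            elif hashlib.sha256(received[seq].encode()).hexdigest() != h:
                findings.add(f"tampered seq={seq}")
    # Gaps in numbering catch a whole block deleted together with its signature.
    findings.update(f"missing seq={s}" for s in range(1, max(received, default=0) + 1) if s not in received)
    findings.update(f"unsigned seq={s}" for s in received if s not in covered)
    return sorted(findings)
```

Editing an originating address in a stored message changes its hash and the next verification reports it, which is the point the draft makes against the "just edit the logs" objection above.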