Full Disclosure mailing list archives
RE: [inbox] Re: Reacting to a server compromise
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Sun, 3 Aug 2003 23:07:09 +0200 (CEST)
On Sun, 3 Aug 2003, Curt Purdy wrote:
Jennifer, I made a reply to someone disagreeing with your statement on copying the drive, supporting your contention. However, most courts will not accept log files on magnetic media as evidence due to the ease of alteration. This is why we collect all logs on a central syslog server that writes directly to write-once media. That is irrefutable evidence.
Of that someone spoofed a log message to your central log server, or that someone messed with the log server itself to log fake entries? What is your write-once media? Does it ensure integrity of the data stored (so that it is evident when a printout or a CD or whatnot is replaced)? If not, it's hardly "irrefutable". If yes, what was the cost of this device and how many businesses can afford one?

Besides, what do your logs prove? That someone sent packets with some poor guy's IP address as a source? Most courts - IANALBMSUTO - will accept electronic logs, although they usually expect them to be confirmed by several sources (i.e. the attacked host, your ISP) and backed with an official expert opinion to be of any value. Still, hardly evidence that the owner of the box was in control of the application that sent the offending traffic. The hard evidence comes from a different source, usually.

-- 
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-08-03 22:54 --

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
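The objection above is that "write-once" storage by itself does not make a log tamper-evident: a replaced disc, or a host that was already under the intruder's control when it wrote the entries, leaves no trace. The following is an added illustration, not code from this thread or from either poster, of the usual answer: a hash-chained log whose per-entry MAC key is evolved with a one-way function and discarded after use, so that an intruder who later owns the log host cannot recompute MACs for entries written before the break-in. It assumes a verifier that keeps only the initial key k0 off the log host and periodically records the current head MAC out of band (that is exactly the small, cheap thing the write-once media is good for). The sample syslog lines are constructed for the demo.

```python
"""Hash-chained, forward-secure audit log (added illustration; not from the thread).

Each entry MACs (seq, previous MAC, line) under a per-entry key; the key is then
evolved with a one-way function and the old key dropped.  The verifier holds
only k0 (assumption: provisioned out of band) and optionally the last head MAC.
"""
import hashlib
import hmac

# Constructed sample syslog lines for the demo (not real log data).
SAMPLE_LINES = [
    "Aug  3 22:40:01 gw sshd[4411]: Accepted publickey for ops from 10.0.0.7 port 51022",
    "Aug  3 22:41:17 gw sshd[4420]: Failed password for root from 192.0.2.9 port 40212",
    "Aug  3 22:41:19 gw sshd[4420]: Failed password for root from 192.0.2.9 port 40212",
    "Aug  3 22:42:03 gw sudo: ops : TTY=pts/0 ; COMMAND=/bin/sh",
]

GENESIS = hashlib.sha256(b"genesis").hexdigest()


def evolve_key(key: bytes) -> bytes:
    """One-way key update: k_{i+1} = SHA-256("evolve|" || k_i)."""
    return hashlib.sha256(b"evolve|" + key).digest()


def entry_mac(key: bytes, seq: int, prev_mac: str, line: str) -> str:
    """MAC binds the entry to its position and to the previous entry's MAC."""
    return hmac.new(key, f"{seq}|{prev_mac}|{line}".encode(), hashlib.sha256).hexdigest()


class ChainedLog:
    """Writer side, running on the log host."""

    def __init__(self, k0: bytes):
        self.key = k0
        self.prev = GENESIS
        self.entries = []

    def append(self, line: str) -> str:
        seq = len(self.entries)
        mac = entry_mac(self.key, seq, self.prev, line)
        self.entries.append({"seq": seq, "prev": self.prev, "line": line, "mac": mac})
        self.prev = mac
        self.key = evolve_key(self.key)  # the key that signed this entry no longer exists here
        return mac  # current head; publish it out of band now and then


def verify(entries, k0: bytes, expected_head: str = None):
    """Verifier side.  Returns (ok, problem): problem is the index of the first
    bad entry, "truncated" if the head MAC disagrees, or None."""
    key, prev = k0, GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, i  # gap, reorder or deletion inside the chain
        if not hmac.compare_digest(entry_mac(key, i, prev, e["line"]), e["mac"]):
            return False, i  # content changed, or MAC made with the wrong key
        prev = e["mac"]
        key = evolve_key(key)
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, "truncated"  # tail cut off after the head was published
    return True, None


def demo():
    k0 = b"verifier-held-initial-key"  # assumption: never stored on the log host
    log = ChainedLog(k0)
    for line in SAMPLE_LINES:
        head = log.append(line)
    results = {"intact": verify(log.entries, k0, head)}

    # 1. Edit one line (rewrite the failed-login source address).
    edited = [dict(e) for e in log.entries]
    edited[1]["line"] = edited[1]["line"].replace("192.0.2.9", "10.0.0.7")
    results["edited"] = verify(edited, k0, head)

    # 2. Same edit, but the intruder re-MACs it with the key now on the host.
    forged = [dict(e) for e in edited]
    forged[1]["mac"] = entry_mac(log.key, 1, forged[1]["prev"], forged[1]["line"])
    results["forged"] = verify(forged, k0, head)

    # 3. Delete an entry from the middle of the chain.
    deleted = [dict(e) for e in log.entries if e["seq"] != 2]
    results["deleted"] = verify(deleted, k0, head)

    # 4. Truncate the tail: the chain alone cannot see this, the published head can.
    truncated = [dict(e) for e in log.entries[:3]]
    results["truncated_nohead"] = verify(truncated, k0)
    results["truncated_head"] = verify(truncated, k0, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:17s} -> {outcome}")
```

Two points the demo makes that the write-once-media argument alone does not: editing, re-signing with the host's current key, and deleting all fail verification without any special hardware, but truncating the tail is only caught because the head MAC was recorded elsewhere. Whether any of this convinces a court is, as the thread says, a separate question; what it gives you is a log whose alteration is evident, which is the property "irrefutable" was standing in for.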