Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Linux - Indicators of compromise

From: Bzzz <lazyvirus () gmx com>
Date: Mon, 16 Jul 2012 18:38:47 +0200
On Sat, 14 Jul 2012 12:46:50 +0000
"Ali Varshovi " <ali.varshovi () hotmail com> wrote:


Does anyone have any guidelines/useful material on analysis logs
of a Linux machine to detect signs of compromise? The data
collection piece is not a challenge as a lot of useful information
can be captured using commands and some scripts. I'm wondering if
there is any systematic approach to analyze the collected logs?
Most of the materials I've seen are more aligned to malware and
rootkit detection which is not the only concern apparently.


Hi Ali,

I'd say send log to another machine, use a "checksumator" (like
tripwire), store its computation files on an external storage 
device and when you check the system with it, boot it on a liveCD.

And as G.Baribault says, each compromised system tries to store its
findings elsewhere on the Internet (often encrypted these days), so
a fine traffic analyzer would be a good thing; but is there a very
good one working out of the box, I don't know!? (beware it can be
very disk space greedy).

JY
-- 
< Overfiend> well, excellent.  I get to tear someone a new asshole.
                -- in #debian-devel

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: