Full Disclosure mailing list archives
Re: Linux - Indicators of compromise
From: Bzzz <lazyvirus () gmx com>
Date: Mon, 16 Jul 2012 18:38:47 +0200
On Sat, 14 Jul 2012 12:46:50 +0000 "Ali Varshovi " <ali.varshovi () hotmail com> wrote:
Does anyone have any guidelines/useful material on analysis logs of a Linux machine to detect signs of compromise? The data collection piece is not a challenge as a lot of useful information can be captured using commands and some scripts. I'm wondering if there is any systematic approach to analyze the collected logs? Most of the materials I've seen are more aligned to malware and rootkit detection which is not the only concern apparently.
Hi Ali, I'd say send log to another machine, use a "checksumator" (like tripwire), store its computation files on an external storage device and when you check the system with it, boot it on a liveCD. And as G.Baribault says, each compromised system tries to store its findings elsewhere on the Internet (often encrypted these days), so a fine traffic analyzer would be a good thing; but is there a very good one working out of the box, I don't know!? (beware it can be very disk space greedy). JY -- < Overfiend> well, excellent. I get to tear someone a new asshole. -- in #debian-devel _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Linux - Indicators of compromise, (continued)
- Re: Linux - Indicators of compromise Leutnant Steiner (Jul 20)
- Re: Linux - Indicators of compromise Giles Coochey (Jul 25)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 25)
- Re: Linux - Indicators of compromise Scott Solmonson (Jul 26)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 26)
- Re: Linux - Indicators of compromise valdis . kletnieks (Jul 26)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 26)
- Re: Linux - Indicators of compromise Scott Solmonson (Jul 28)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 30)
- Re: Linux - Indicators of compromise jerry (Jul 28)
- Re: Linux - Indicators of compromise coderman (Jul 16)
- Re: Linux - Indicators of compromise Григорий Братислава (Jul 19)
- Re: Linux - Indicators of compromise Scott Solmonson (Jul 23)
- Re: Linux - Indicators of compromise Benji (Jul 16)
- Re: Linux - Indicators of compromise coderman (Jul 16)