Snort mailing list archives

Advice from the experts


From: "Mike Koponick" <mike () redhawk info>
Date: Tue, 25 Feb 2003 21:05:48 -0800

Hello,

We have been having a discussion around our office about attacks, and how to
keep track of them. I thought this would be a good place to bring up a
couple of issues regarding attacks and attackers since all that post seem to
have a good handle on this subject.

We have mainly been discussing how to keep track of attacks that occur
over a period of time. For instance, an attacker could spoof a source IP
address, and "test" the system for vulnerabilities, then a month later test
it another way. This is the same way the military tests its enemies during
war time. It would make sense if the attacker was patient to do it in this
manner, as it would be harder to trace. I suppose the bottom line would be
that when you see an attacker, catch him/her with their hand in the cookie
jar and use that as evidence.

Currently, our policy for security log files is to keep them for a year at a
time. In other words, we archive the logs daily, and keep the archives for a
year. Does this sound like a good practice, since it might be possible to
parse through these files for a history (after-the-fact attack)?

What other practices are being used? It might be a good discussion for
all.

Thanks in advance for your wisdom.

Mike
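As an added example (not part of Mike's post, and not Snort's own tooling), here is a small Python script that does the kind of historical parsing the post asks about: it reads alert lines out of several daily archives, groups them by source address, and reports every source that shows up on more than one day, with how long a span its activity covers, which rules it tripped and which hosts it touched. The archive names, alert lines, sids and addresses are all constructed for the example; the line format is assumed to be Snort's alert_fast style, and the year is taken from the archive file name because that format's timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample: daily archive name -> alert lines, in the style of
# Snort's alert_fast output. Addresses, sids and messages are made up for
# this example; the one truncated line shows how unparseable input is skipped.
ARCHIVES = {
    "snort-alert-2003-01-14.log": [
        "01/14-03:12:09.123456  [**] [1:1000001:1] SCAN example probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:4321 -> 192.168.1.10:80",
        "01/14-03:12:10.223456  [**] [1:1000001:1] SCAN example probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:4000 -> 192.168.1.10:80",
    ],
    "snort-alert-2003-01-15.log": [
        "01/15-04:00:00.000000  [**] [1:1000001:1] SCAN example probe [**] "
        "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.9:4001 -> 192.168.1.10:22",
        "01/15-04:00:01.000000  [**] [1:1000001:1] SCAN example probe [**] [Prio",  # truncated on purpose
    ],
    "snort-alert-2003-02-20.log": [
        "02/20-22:41:03.000001  [**] [1:1000002:1] WEB-MISC example request [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:5120 -> 192.168.1.10:80",
    ],
    "snort-alert-2003-02-25.log": [
        "02/25-21:05:48.654321  [**] [1:1000003:1] WEB-MISC another example [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:5200 -> 192.168.1.11:443",
        "02/25-21:06:00.000000  [**] [1:1000003:1] WEB-MISC another example [**] "
        "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.77:5201 -> 192.168.1.11:443",
    ],
}

# Assumed alert_fast layout: MM/DD-HH:MM:SS.uuuuuu  [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<mon>\d{2})/(?P<day>\d{2})-\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def year_from_name(name):
    """Recover the year from a daily archive name such as snort-alert-2003-02-25.log."""
    m = re.search(r"(\d{4})-\d{2}-\d{2}", name)
    if m is None:
        raise ValueError(f"no date in archive name: {name}")
    return int(m.group(1))


def parse_alert(line, year):
    """Return the fields of one alert line, or None if the line does not parse."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    return {
        "date": date(year, int(m.group("mon")), int(m.group("day"))),
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def correlate_sources(archives, min_days=2):
    """Group alerts by source address across all archives and keep sources
    active on at least min_days distinct days, the slow, spread-out pattern
    a single day's log would never reveal."""
    seen = defaultdict(lambda: {"days": set(), "sids": set(), "targets": set()})
    for name, lines in archives.items():
        year = year_from_name(name)
        for line in lines:
            alert = parse_alert(line, year)
            if alert is None:
                continue  # unparseable or truncated line: skip, do not abort the run
            rec = seen[alert["src"]]
            rec["days"].add(alert["date"])
            rec["sids"].add(alert["sid"])
            rec["targets"].add(alert["dst"])
    report = {}
    for src, rec in seen.items():
        days = sorted(rec["days"])
        if len(days) < min_days:
            continue
        report[src] = {
            "first": days[0],
            "last": days[-1],
            "span_days": (days[-1] - days[0]).days,
            "active_days": len(days),
            "sids": sorted(rec["sids"]),
            "targets": sorted(rec["targets"]),
        }
    return report


if __name__ == "__main__":
    for src, rec in sorted(correlate_sources(ARCHIVES).items(),
                           key=lambda kv: kv[1]["span_days"], reverse=True):
        print(f"{src}: {rec['active_days']} active days over {rec['span_days']} days "
              f"({rec['first']} .. {rec['last']}), sids {rec['sids']}, targets {rec['targets']}")
```

To run it over a real year of daily archives, replace ARCHIVES with a dict built by reading each file (decompressing as needed); the same grouping works per destination host or per sid if the question is "what was hit" rather than "who came back". Keeping the year in the timestamps themselves (or at least in the archive name, as assumed here) is what makes a multi-month correlation possible at all.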
