Snort mailing list archives
Advice from the experts
From: "Mike Koponick" <mike () redhawk info>
Date: Tue, 25 Feb 2003 21:05:48 -0800
Hello,

We have been having a discussion around our office about attacks, and how to keep track of them. I thought this would be a good place to bring up a couple of issues regarding attacks and attackers, since all who post here seem to have a good handle on this subject.

We have mainly been discussing how to keep track of attacks that occur over a period of time. For instance, an attacker could spoof a source IP address, and "test" the system for vulnerabilities, then a month later test it another way. This is the same way the military tests its enemies during war time. It would make sense if the attacker was patient to do it in this manner, as it would be harder to trace. I suppose the bottom line would be that when you see an attacker, catch him/her with their hand in the cookie jar and use that as evidence.

Currently, our policy for security log files is to keep them for a year at a time. In other words, we archive the logs daily, and keep the archives for a year. Does this sound like a good practice, since it might be possible to parse through these files for a history (after-the-fact attack)? What other practices are being used? It might be a good discussion for all.

Thanks in advance for your wisdom.

Mike
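One way to make a year of daily archives answer the question the post raises (did this source touch us on several days, weeks apart?), as an added example that is not part of the original message or of Snort itself. It assumes daily archives of Snort's fast-alert output named `alert.YYYY-MM-DD` (the fast format records month/day but no year, so the archive name supplies the date); the alert lines and addresses below are constructed.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample: three daily archives of Snort fast-alert lines, keyed by
# an assumed archive name that carries the full date (the lines themselves do not).
ARCHIVES = {
    "alert.2003-01-14": [
        "01/14-03:12:07.118233  [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40312 -> 192.0.2.10:80",
    ],
    "alert.2003-02-11": [
        "02/11-22:41:55.004120  [**] [1:1000002:1] WEB-MISC /etc/passwd [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:51822 -> 192.0.2.10:80",
        "02/11-22:42:01.554000  [**] [1:1000003:1] SCAN SYN FIN [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.4:1024 -> 192.0.2.10:22",
    ],
    "alert.2003-02-25": [
        "02/25-20:58:30.991002  [**] [1:1000004:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:60001 -> 192.0.2.10:80",
    ],
}

# Fields of a fast-alert line: time, generator:sid:rev, message, protocol, src, dst.
ALERT_RE = re.compile(
    r"^\d\d/\d\d-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{(\w+)\}\s+([\d.]+)(?::\d+)?\s+->\s+([\d.]+)(?::\d+)?$"
)

def parse_archive(name, lines):
    """Yield one event per parsable line, dated from the archive name."""
    day = date.fromisoformat(name.split(".", 1)[1])
    for line in lines:
        m = ALERT_RE.match(line)
        if m:  # unparsable lines (e.g. truncated writes) are skipped, not fatal
            yield {"day": day, "sid": m.group(2), "msg": m.group(3), "src": m.group(5), "dst": m.group(6)}

def build_timeline(archives):
    """Group every event by source address, ordered by day."""
    timeline = defaultdict(list)
    for name, lines in archives.items():
        for ev in parse_archive(name, lines):
            timeline[ev["src"]].append(ev)
    for evs in timeline.values():
        evs.sort(key=lambda e: e["day"])
    return timeline

def slow_probers(timeline, min_days=2, window_days=365):
    """Sources seen on at least min_days distinct days within window_days: the
    patient, spread-out probing a single day's log would never reveal."""
    hits = {}
    for src, evs in timeline.items():
        days = sorted({e["day"] for e in evs})
        if len(days) >= min_days and (days[-1] - days[0]).days <= window_days:
            hits[src] = [(d.isoformat(), sorted({e["msg"] for e in evs if e["day"] == d})) for d in days]
    return hits
```

A spoofed source will of course scatter across addresses rather than line up under one, so the same grouping is worth repeating on the destination or on the signature id to catch a probe series that changes its apparent origin.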