Re: Advice from the experts

[twig les <twigles () yahoo com>]

One thing I would like to do to facilitate this type of
investigation is use tcpdump to constantly snag all traffic off
the wire and archive it, but in an ISP environment this is a
tough one to sell (and do).  This allows post-mortem on alarms
using data before *and* after the suspected intrusion happened. 
Also it's nice to have uncut data to run filters against at your
whim.

Don't thank me for that wisdom, I stole it from Stephen
Northcutt in his "network intrusion detection" book.


--- Mike Koponick <mike () redhawk info> wrote:
> Hello,
>
> We have been having a discussion around our office about
> attacks, and how to
> keep track of them. I thought this would be a good place to
> bring up a
> couple of issues regarding attacks and attackers since all
> that post seem to
> have a good handle on this subject.
>
> We mainly having been discussing how to keep track of attacks
> that occur
> over a period of time. For instance, an attacker could spoof a
> source IP
> address, and "test" the system for vulnerabilities, then a
> month later test
> it another way. This is the same way the military tests it's
> enemies during
> war time. It would make sense if the attacker was patient to
> do it in this
> manner, as it would be harder to trace. I suppose the bottom
> line would be
> that when you see an attacker, catch him/her with their hand
> in the cookie
> jar and use that as evidence.
>
> Currently, our policy for security log files is to keep them
> for a year at a
> time. In other words, we archive the logs daily, and keep the
> archives for a
> year. Does this sound like a good practice, since it might be
> possible to
> parse through these files for a history (after the fact
> attack)?
>
> What other practices are being used?.. it might be a good
> discussion for
> all.
>
> Thanks in advance for your wisdom.
>
> Mike
>
>
>
>
> -------------------------------------------------------
> This SF.net email is sponsored by: Scholarships for Techies!
> Can't afford IT training? All 2003 ictp students receive
> scholarships.
> Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX,
> and more.
> www.ictp.com/training/sourceforge.asp
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, more
http://taxes.yahoo.com/


-------------------------------------------------------
This SF.net email is sponsored by: Scholarships for Techies!
Can't afford IT training? All 2003 ictp students receive scholarships.
Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
www.ictp.com/training/sourceforge.asp
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users