| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20120716183847.43aedc9f@anubis.defcon1> Date: Mon, 16 Jul 2012 18:38:47 +0200 From: Bzzz <lazyvirus@....com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Linux - Indicators of compromise On Sat, 14 Jul 2012 12:46:50 +0000 "Ali Varshovi " <ali.varshovi@...mail.com> wrote: > Does anyone have any guidelines/useful material on analysis logs > of a Linux machine to detect signs of compromise? The data > collection piece is not a challenge as a lot of useful information > can be captured using commands and some scripts. I'm wondering if > there is any systematic approach to analyze the collected logs? > Most of the materials I've seen are more aligned to malware and > rootkit detection which is not the only concern apparently. Hi Ali, I'd say send log to another machine, use a "checksumator" (like tripwire), store its computation files on an external storage device and when you check the system with it, boot it on a liveCD. And as G.Baribault says, each compromised system tries to store its findings elsewhere on the Internet (often encrypted these days), so a fine traffic analyzer would be a good thing; but is there a very good one working out of the box, I don't know!? (beware it can be very disk space greedy). JY -- < Overfiend> well, excellent. I get to tear someone a new asshole. -- in #debian-devel _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists