Subject: Re: IDS: intruder clues
From: Lance Spitzner (lance at spitzner.net)
Date: Tue Apr 25 2000 - 13:08:06 CDT
- Next message: "IDS: Special Pub 800-12 -- An Introduction to Computer Security: The NIST Handbook"
- Previous message: Philippe Bourgeois: "Re: IDS: intruder clues"
- In reply to: Meritt, Jim: "IDS: intruder clues"
- Reply: Lance Spitzner: "Re: IDS: intruder clues"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner at uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo at uow.edu.au
-----------------------------------------------------------------------------
On Mon, 24 Apr 2000, Meritt, Jim wrote:
> If a corporation/organization/whatever has NOT implemented an IDS, what do
> you (the reader specifically) look for/at during after-the-event intrusion
> detection?
>
> I'm looking for individual responses other than real-time clues (the system
> isn't even connected to the network any more) and the multitude of log files
> (a system may, or may not, have varied logging enabled)
I have several papers explaining what black-hats did to my honeypots,
and how I reviewed the systems after-the-event for information. You will
most likely find "Know Your Enemy: III" most helpful.
http://www.enteract.com/~lspitz/enemy3.html
Lance