Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Re: IDS: intruder clues
From: Lance Spitzner (lancespitzner.net)
Date: Tue Apr 25 2000 - 13:08:06 CDT

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
On Mon, 24 Apr 2000, Meritt, Jim wrote:

> If a corporation/organization/whatever has NOT implemented an IDS, what do
> you (the reader specifically) look for/at during after-the-event intrusion
> detection?
> I'm looking for individual responses other than real-time clues (the system
> isn't even connected to the network any more) and the multitude of log files
> (a system may, or may not, have varied logging enabled)

I have several papers explaining what black-hats did to my honeypots,
and how I reviewed the systems after-the-event for information. You will
most likely find "Know Your Enemy:III" most helpful.