[Techtalk] Intrusion detection and nat logging...

linda at meridian-ds.com
Fri Nov 15 11:48:31 EST 2002

Could someone point me to some tips/starting
points on intrusion detection?

Hi Walt.

While it's a bit of a "Closing the barn door after the horse runs away"
solution, I find tripwire a very valuable tool for detecting an intrusion.
Unfortunately, you find out you've been hacked after the fact.  It doesn't
actually stop anyone, just lets you know when your critical
files/directories have been modified.  We run it on all our systems,
although I've only set one up myself.  I still have to go back and figure
out how to tell it not to report on programs I don't have installed, but
I'm sure that's just a matter of spending some time in the man pages.  The
actual install and getting it running was pretty simple.

It does have to be "reset" periodically, because it is a cumulative report.
Our most successful practice seems to be to plan updates, reset the report
the day before, then reset it again after one report with the updates
applied.  Why worry about resetting?  The recent glibc updates generated
4,000+ "warnings" on changed files.  It's very hard to wade through that
many lines looking for one that doesn't "fit" with the rest of the package.

Hope someone else can help with the firewall logging.  I'm interested in
seeing that too.
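The baseline / cumulative-report / reset cycle described in the reply, as an added example (not Tripwire's code and not part of the original post): take a baseline, report every change from it, re-baseline right before and after a planned update so a later unexpected change stands alone instead of being buried among thousands of legitimate update lines. The sample file tree is constructed inside a temporary directory.

```python
"""Minimal file-integrity baseline/check/re-baseline cycle (added example,
not Tripwire's code). Shows why re-baselining around planned updates matters."""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: str) -> dict[str, str]:
    """Map each regular file (path relative to root) to its SHA-256 digest."""
    root_path = Path(root)
    out = {}
    for p in sorted(root_path.rglob("*")):
        if p.is_file() and not p.is_symlink():  # skip symlinks and directories
            out[str(p.relative_to(root_path))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Cumulative report: every difference from the baseline, not only new ones."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in baseline.keys() & current.keys()
                           if baseline[f] != current[f]),
    }


def demo() -> tuple[int, dict[str, list[str]]]:
    """Simulate the practice from the post: baseline the day before a planned
    update, apply the update, review one report, re-baseline, then see how a
    later unexpected change shows up. Returns (warnings during the update,
    the report after the re-baseline)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample tree standing in for system libraries and /etc files.
        for i in range(5):
            Path(d, f"lib{i}.so").write_bytes(b"libc %d" % i)
        Path(d, "passwd").write_text("root:x:0:0\n")
        baseline = snapshot(d)                       # "reset" before the update
        for i in range(5):                           # planned glibc-style update
            Path(d, f"lib{i}.so").write_bytes(b"libc-new %d" % i)
        report = compare(baseline, snapshot(d))      # one report with the updates
        during_update = sum(len(v) for v in report.values())
        baseline = snapshot(d)                       # reset again after reviewing
        Path(d, "passwd").write_text("root:x:0:0\nbackdoor:x:0:0\n")  # unexpected
        return during_update, compare(baseline, snapshot(d))


if __name__ == "__main__":
    print(demo())
```

Without the second reset, the tampered `passwd` line would sit among the five legitimate library changes; after it, the report lists only that one file.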


