Re: [Full-disclosure] Linux - Indicators of compromise

[Scott Solmonson <scosol@xxxxxxxxxx>]

Shortcutting other responses-

A suspect node that you want to keep live can only be treated in two ways:

1) if you need to know who is behind the shenanigans, you monitor net
traffic and isolate/simulate reach and then do what you can to get
what you need.

2) assume the worst, don't isolate, monitor spread tactics,
perceptually contain and then analyse.

Live on-box analysis is useless in every case, and you need to think forensics.
Disconnect, dump, analyse- but only after you've got what you really need.

Endgame is always close the hole, restore the data, learn from your
mistakes that allowed it to happen :)

--
NUNQUAM NON PARATUS ☤ INCITATUS ÆTERNUS


On Sat, Jul 14, 2012 at 5:46 AM, Ali Varshovi <ali.varshovi@xxxxxxxxxxx> wrote:
> Greetings FD,
>
> Does anyone have any guidelines/useful material on analysis logs of a Linux 
> machine to detect signs of compromise? The data collection piece is not a 
> challenge as a lot of useful information can be captured using commands and 
> some scripts. I'm wondering if there is any systematic approach to analyze 
> the collected logs? Most of the materials I've seen are more aligned to 
> malware and rootkit detection which is not the only concern apparently.
>
> Thanks,
> Ali
> .
> ---------------------------------------------
> Sent from my BlackBerry device
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/