From: Bit Twister <BitTwister@localhost.localdomain>
Date: Mon, 21 Apr 2003 00:33:34 GMT
On Sun, 20 Apr 2003 23:16:03 GMT, notbob wrote:
> I once began reading an article on using cvs as an IDS. I've since
> lost it. Do you have any leads where I might find it?
Why sure, http://www.google.com, "cvs ids group:*linux*" in the search box.
Results 1 - 10 of about 87,400. Search took 0.19 seconds.
What a question :) Your turn, what color am I thinking about?
> Also, what's your opinion of snare?
Could not say. Never looked at the source code.
The conversation was about the fact that you cannot use
tools running on a cracked box to figure out that you're cracked.
Snare is a loadable module, i.e. you can unload it, and load your
own copy. In the end it boils down to the human. Look at the talent
in operations and what can happen.
You crack a box, and install a rootkit which knocks down the
interfaces, installs malware code which erases the outage
information and brings the interfaces back up. Malware appends
to current logs instead of opening new logs.
Now operations think they had a glitch and all looks good. Logs on the
box do not show they went down. Shucks, musta been a router card.
They open a ticket for network.
Network checks the cards sometime during the next day. Not a problem.
Shucks I do not even trust my own firewall. I have xconsole
tailing -f back to the top of my screen on the inside box
and a tail -f /var/log/messages to yet another terminal.
I have a separate browser account. When I logout .bash_logout
removes everything and tars in a new copy.
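The "cvs as an IDS" idea mentioned above boils down to keeping a trusted manifest of files and diffing the box against it. The following is an added example (not code from the thread or from Snare) of that check in Python: it records a SHA-256 digest, mode and size per file, then reports what was added, removed or modified. The sample tree and the tampering it simulates are constructed for the demo; the point of the post still applies, so the baseline and the checker itself must live off the box being checked.

```python
import hashlib
import os
import stat
import tempfile
from typing import Dict, Tuple

# Manifest entry: (sha256 hex digest, permission bits, size in bytes)
Entry = Tuple[str, int, int]


def build_manifest(root: str) -> Dict[str, Entry]:
    """Walk `root` and record digest, mode and size for every regular file."""
    manifest: Dict[str, Entry] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices, sockets
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root)
            manifest[rel] = (h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_size)
    return manifest


def compare(baseline: Dict[str, Entry], current: Dict[str, Entry]) -> dict:
    """Diff two manifests; a changed digest, mode or size counts as modified."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed sample: baseline a small tree, tamper with it, report drift."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        for rel, data in {"etc/passwd": b"root:x:0:0::/root:/bin/sh\n",
                          "etc/hosts": b"127.0.0.1 localhost\n"}.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(root)  # in practice: stored off-box
        # Simulated tampering: append to one file, delete one, add one.
        with open(os.path.join(root, "etc/passwd"), "ab") as fh:
            fh.write(b"extra:x:1001:1001::/home/extra:/bin/sh\n")
        os.remove(os.path.join(root, "etc/hosts"))
        with open(os.path.join(root, "etc/extra.conf"), "wb") as fh:
            fh.write(b"# constructed sample\n")
        return compare(baseline, build_manifest(root))
```

Because the manifest records mode and size as well as the digest, a permission-bit change on an otherwise identical file still shows up as modified.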