I wasn't initially, but that's where the discussion is taking me. I was thinking of collecting local logs from a Linux box and analyzing them to determine whether it has been compromised or not. I understand a hybrid approach should be taken, including pattern detection to capture known malware/backdoors and a behavioral analysis to tag any abnormal behavior.

Michael mentioned a very true and good point that theoretically logs and behavior of a compromised system cannot be trusted. Other folks also pointed out that data exfiltration usually follows a compromise and can be considered a shared pattern for the majority of attacks (I want to add command/control traffic myself). Friends, is that a good summary of a high-level approach?

Cheers,
Ali

---------------------------------------------
Sent from my BlackBerry device

-----Original Message-----
From: Benji <[email protected]>
Date: Tue, 17 Jul 2012 00:31:12
To: <[email protected]>
Cc: <[email protected]>
Subject: Re: [Full-disclosure] Linux - Indicators of compromise

So you're talking about making a baseline?

On Mon, Jul 16, 2012 at 7:52 PM, Ali Varshovi <[email protected]> wrote:
> Hello everybody and thank you for your useful comments.
>
> Now I'm thinking that we need a comparison base or normal behavior profile to
> be able to detect any deviations or abnormal/suspicious activity. While some
> known patterns of behaviors are useful to detect malware or backdoors we
> still need that normal profile to detect 0-day or APT style intrusions. Isn't
> that the same idea from early days of intrusion detection research (anomaly
> detection approach)? Or maybe I'm off track.
>
> Thoughts?
>
> ------Original Message------
> To: [email protected]
> Subject: Linux - Indicators of compromise
> Sent: Jul 14, 2012 8:46 AM
>
> Greetings FD,
>
> Does anyone have any guidelines/useful material on analyzing logs of a Linux
> machine to detect signs of compromise? The data collection piece is not a
> challenge as a lot of useful information can be captured using commands and
> some scripts. I'm wondering if there is any systematic approach to analyze
> the collected logs? Most of the materials I've seen are more aligned to
> malware and rootkit detection which is not the only concern apparently.
>
> Thanks,
>
> Ali
>
> ---------------------------------------------
> Sent from my BlackBerry device

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
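The hybrid approach the thread converges on, as an added example that is not part of the list discussion: signature matching for known-bad patterns plus an anomaly check against a baseline of normal SSH login pairs, run over constructed auth.log lines (hostnames, users and addresses are made up).

```python
# Hybrid triage: signature hits for known-bad patterns plus an anomaly check
# against a baseline of (user, source IP) login pairs. Logs are constructed.
import re

# Constructed auth.log lines from a period believed to be clean (the baseline).
BASELINE_LOG = """\
Jul  9 08:01:11 web1 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Jul  9 09:14:02 web1 sshd[2188]: Accepted publickey for ali from 10.0.0.7 port 51100 ssh2
Jul 10 08:03:41 web1 sshd[2310]: Accepted publickey for deploy from 10.0.0.5 port 51200 ssh2
"""
# Constructed lines from the window under investigation.
NEW_LOG = """\
Jul 16 03:12:55 web1 sshd[4411]: Accepted password for root from 203.0.113.9 port 40022 ssh2
Jul 16 03:13:10 web1 sshd[4411]: pam_unix(sshd:session): session opened for user root
Jul 16 03:14:02 web1 sudo:     root : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/chmod +s /tmp/.x
Jul 16 08:02:17 web1 sshd[4502]: Accepted publickey for deploy from 10.0.0.5 port 51300 ssh2
"""

LOGIN_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
# Known-bad patterns: the "signature" half of the hybrid approach.
SIGNATURES = [
    (re.compile(r"Accepted password for root from"), "password login as root"),
    (re.compile(r"COMMAND=.*chmod \+s"), "setuid bit set via sudo"),
]

def build_baseline(log_text):
    """Collect (user, source_ip) login pairs seen in the trusted history."""
    pairs = set()
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            pairs.add((m.group(2), m.group(3)))
    return pairs

def triage(log_text, baseline):
    """Return (line_no, reason) findings: signature hits plus logins whose
    (user, source) pair never appeared in the baseline (anomaly half)."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for pattern, label in SIGNATURES:
            if pattern.search(line):
                findings.append((n, "signature: " + label))
        m = LOGIN_RE.search(line)
        if m and (m.group(2), m.group(3)) not in baseline:
            findings.append((n, f"anomaly: new login pair {m.group(2)}@{m.group(3)}"))
    return findings

if __name__ == "__main__":
    for n, reason in triage(NEW_LOG, build_baseline(BASELINE_LOG)):
        print(f"line {n}: {reason}")
```

Both the baseline and the lines under review should come from a copy the host itself could not have altered (for example a remote syslog collector), for the reason Michael raised about trusting a compromised system's logs.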
