Shortcutting other responses: a suspect node that you want to keep live can only be treated in two ways:

1) If you need to know who is behind the shenanigans, you monitor net traffic and isolate/simulate reach, and then do what you can to get what you need.
2) Assume the worst, don't isolate, monitor spread tactics, perceptually contain and then analyse.

Live on-box analysis is useless in every case, and you need to think forensics. Disconnect, dump, analyse, but only after you've got what you really need. Endgame is always: close the hole, restore the data, learn from your mistakes that allowed it to happen :)

--
NUNQUAM NON PARATUS ☤ INCITATUS ÆTERNUS

On Sat, Jul 14, 2012 at 5:46 AM, Ali Varshovi <[email protected]> wrote:
> Greetings FD,
>
> Does anyone have any guidelines/useful material on analysing logs of a Linux
> machine to detect signs of compromise? The data collection piece is not a
> challenge, as a lot of useful information can be captured using commands and
> some scripts. I'm wondering if there is any systematic approach to analyse
> the collected logs? Most of the materials I've seen are more aligned to
> malware and rootkit detection, which is not the only concern apparently.
>
> Thanks,
> Ali
> .
> ---------------------------------------------
> Sent from my BlackBerry device
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
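The original question asks for a systematic way to work through collected Linux logs for signs of compromise, and the reply stresses getting what you need from the box before you pull it. The script below is an added example written for this page, not code from either poster: it applies three simple triage rules to auth-log lines (a burst of SSH failures from one source followed by an accepted login from the same source, any accepted root password login, and account creation by useradd). The log lines are constructed sample data, the year is assumed because syslog timestamps carry none, and the threshold and window values are hypothetical defaults to tune for your environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log excerpt (not real data; addresses are documentation ranges).
SAMPLE_AUTH_LOG = """\
Jul 14 05:40:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jul 14 05:40:03 host sshd[2103]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jul 14 05:40:05 host sshd[2105]: Failed password for root from 203.0.113.7 port 51238 ssh2
Jul 14 05:40:07 host sshd[2107]: Failed password for root from 203.0.113.7 port 51240 ssh2
Jul 14 05:40:09 host sshd[2109]: Failed password for root from 203.0.113.7 port 51242 ssh2
Jul 14 05:40:12 host sshd[2111]: Accepted password for root from 203.0.113.7 port 51244 ssh2
Jul 14 05:41:30 host useradd[2150]: new user: name=backup2, UID=1005, GID=1005, home=/home/backup2, shell=/bin/bash
Jul 14 05:42:00 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls
Jul 14 06:00:00 host sshd[2200]: Accepted publickey for alice from 198.51.100.20 port 40000 ssh2
"""

ASSUMED_YEAR = 2012  # assumption: syslog lines have no year, so one is supplied for parsing

# Classic syslog line: "<Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[^:\[]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+)")
USERADD_RE = re.compile(r"new user: name=(?P<user>[^,]+)")


def parse_line(line):
    """Split one syslog-format line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not silently mangled
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "proc": m["proc"].strip(), "msg": m["msg"]}


def _expire(queue, now, window_seconds):
    """Drop failure timestamps older than the sliding window."""
    while queue and (now - queue[0]).total_seconds() > window_seconds:
        queue.popleft()


def triage(log_text, fail_threshold=4, window_seconds=300):
    """Return a list of findings, in log order, for the three triage rules."""
    findings = []
    recent_failures = defaultdict(deque)  # source ip -> timestamps of recent failures
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg, ts = ev["msg"], ev["ts"]
        if ev["proc"] == "sshd":
            failed = FAILED_RE.search(msg)
            if failed:
                q = recent_failures[failed["ip"]]
                q.append(ts)
                _expire(q, ts, window_seconds)
                continue
            ok = ACCEPTED_RE.search(msg)
            if ok:
                q = recent_failures[ok["ip"]]
                _expire(q, ts, window_seconds)
                if len(q) >= fail_threshold:
                    findings.append({"type": "bruteforce_then_success", "ip": ok["ip"],
                                     "user": ok["user"], "failures": len(q), "ts": ts})
                if ok["user"] == "root" and ok["method"] == "password":
                    findings.append({"type": "root_password_login", "ip": ok["ip"], "ts": ts})
        elif ev["proc"] == "useradd":
            added = USERADD_RE.search(msg)
            if added:
                findings.append({"type": "account_created", "user": added["user"], "ts": ts})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUTH_LOG):
        print(f["ts"].isoformat(), f["type"], {k: v for k, v in f.items() if k not in ("ts", "type")})
```

Each rule is deliberately narrow so a hit is explainable to whoever does the follow-up; the point is a repeatable first pass over dumped logs that tells you which hosts and time ranges deserve the full forensic treatment, not a replacement for it. Correlating the `useradd` event with the accepted login a minute earlier is the kind of cross-source timeline you would build next.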
