> Get an IDS/IPS/monitoring system, put it in, keep it current, and watch the logs! Don't laugh, but I've found attacks and residue from syslog processing, event log processing, ntop, netflow monitoring, and even mrtg back in the day. So, anything you can find, monitor and measure effectively for normal (and thus abnormal) behavior is a bonus.
As I mentioned in a previous email, I'm in favor of granting admin rights to the users at large, and supporting them this way. So I respectfully disagree with most of what John said... ;-) But this point about IDS/IPS and logs ... I truly support.

My first such experience was in 2002. We bought a Sonicwall perimeter firewall, and it came with an evaluation of "Deep Packet Inspection." During the eval period, it identified all sorts of interesting things, but the most compelling one was: on Yahoo's home page, yahoo.com, there was a virus-infected .gif or .jpg, which was literally attacking every single person who looked at Yahoo. They simply got past Yahoo's (possibly nonexistent?) security somehow, posting a paid ad with infected content.

Now THAT is the sort of thing to really creep you out. Dirty, dirty, bad, bad internet.

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
http://lopsa.org/
