From owner-freebsd-security Fri Apr 20 11:14:27 2001
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44])
    by hub.freebsd.org (Postfix) with ESMTP id F145A37B423
    for ; Fri, 20 Apr 2001 11:14:24 -0700 (PDT)
    (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost)
    by point.osg.gov.bc.ca (8.8.7/8.8.8) id LAA17562;
    Fri, 20 Apr 2001 11:14:23 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29)
    via SMTP by point.osg.gov.bc.ca, id smtpda17560; Fri Apr 20 11:14:12 2001
Received: (from uucp@localhost)
    by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f3KIE6p05737;
    Fri, 20 Apr 2001 11:14:06 -0700 (PDT)
Message-Id: <200104201814.f3KIE6p05737@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca"
    via SMTP by localhost.osg.gov.bc.ca, id smtpdBA5732; Fri Apr 20 11:13:21 2001
X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4
Reply-To: Cy Schubert - ITSD Open Systems Group
X-Sender: cyschubert
To: nate@yogotech.com (Nate Williams)
Cc: Cy Schubert - ITSD Open Systems Group , Raoul Schroeder , Kris Kennaway , fukuda shinichi , freebsd-security@FreeBSD.ORG
Subject: Re: unknown process
In-reply-to: Your message of "Fri, 20 Apr 2001 10:43:13 MDT." <15072.26401.630643.257226@nomad.yogotech.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 20 Apr 2001 11:13:21 -0700
From: Cy Schubert
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <15072.26401.630643.257226@nomad.yogotech.com>, Nate Williams writes:
> > > > Take your system off the net and check it for signs of intrusion.
> > > >
> > > > Kris
> > >
> > > Just a quick question: How does one check for signs of intrusion. The FreeBSD
> > > handbook does not really talk a lot about this.
> > > Is there a good documentation about this?
> >
> > Install an IDS immediately after installation, then use it. This is
> > not a 100% solution but IMO one of the better solutions in your toolkit.
>
> Unfortunately, the most common IDS out there require your machine be
> more 'open' than necessary.
>
> (ie; you leave the system open, and it closes them down with firewall
> entries, rather than just leaving the non-used ports closed down.)

Actually, the IDS I had in mind was Tripwire.

Regards,                         Phone:  (250)387-8437
Cy Schubert                        Fax:  (250)387-5766
Team Leader, Sun/Alpha Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message