From owner-freebsd-security@FreeBSD.ORG Sun Dec 7 12:45:22 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 17C1416A4CE for ; Sun, 7 Dec 2003 12:45:22 -0800 (PST) Received: from mx7.roble.com (mx7.roble.com [206.40.34.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id 872B043F93 for ; Sun, 7 Dec 2003 12:45:21 -0800 (PST) (envelope-from marquis@roble.com) Date: Sun, 7 Dec 2003 12:45:21 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org In-Reply-To: <20031207200130.C4B1216A4E0@hub.freebsd.org> References: <20031207200130.C4B1216A4E0@hub.freebsd.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-Id: <20031207204521.195E9DAC92@mx7.roble.com> Subject: Re: possible compromise or just misreading logs X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 Dec 2003 20:45:22 -0000 > Second, what are people using for intrusion detection? This is something I > have thought about but never really thought I needed until now. No production environment should be without Tripwire (1.3 is my favorite version). With the right wrapper script and off-line backups it's impossible to compromise a system without being detected. Nothing beats the relief you'll feel when tripwire gives your system a clean bill of health after after finding some suspicious logs. -- Roger Marquis Roble Systems Consulting http://www.roble.com/