Carl Johnson on 24 Feb 2012 22:14:06 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Hacked server - recovery

dd if-jp_brain of-plug_list


Sent from my Motorola DynaTAC 8000x

JP Vossen <> wrote:

>> Date: Fri, 24 Feb 2012 10:45:04 -0500
>> From: Fred Stluka<>
>> Is there any advantage of fcheck over tripwire?
>Pros and cons.  IMO, fcheck is a *heck* of a lot easier and faster to 
>set up so it removes a lot of the "that's a time-consuming, tedious
>so I'll do it later" inertia.  OTOH, it is arguably less secure than 
>some alternatives.  In theory I agree, but in practice, having
>(fcheck) is hugely better than having nothing (I'll install Osiris Real
>Soon Now).
>Please go read the 3 slides in my preso, they have a bit more info like
>> Also, logcheck over logwatch?
>The goal is the same.  I haven't used logwatch, but I *think* the way
>works is to look for stuff it knows and report that.  Can anyone
>correct me?
>Having said that, logcheck will blacklist known good stuff and tell you
>about the rest, while I think logwatch will only tell you about its 
>whitelist.  Think about that for a sec, because in this context a 
>blacklist is good and a whitelist is bad.
>Logcheck (, on the other hand, is the 
>application of a concept that I also call "logcheck" for lack of a 
>better name.  My introduction to the concept was from Marcus Ranum and 
>Fred Avolio's '' for TIS Gauntlet, way back when.  See 
>also my old Windows port of this: 
>  And I've yammered
>about this before: 
>The concept is simple.  Given some data (e.g., a log file):
>1.1) Remove stuff you know you don't care about
>1.2) Look for things you know you do care about, but then remove things
>you don't care about (false positives)
>You then get output in two parts:
>2,1) Stuff you don't know about
>2.2) Stuff that is known to be bad
>Over time, you "tune" the #x.1 "stuff you know you don't care about" 
>list so you end up with only "known bad" output...until something novel
>happens or upstream changes or adds log messages.
>Do you see how simple yet awesome that is?  I can't say it's "self 
>tuning" since--hey, you have to write the egrep regular expressions 
>yourself, though if you 'grep' for stuff you can already do that and 
>there are lots of examples.  You never have to audit it to see what it 
>might be missing, it just evolves with your environment very
>and seamlessly.
>The tricky part for doing this for a growing log file is to not miss 
>anything and no do repeats and there is a 'logtail' tool for that. 
>a lot easier to do on a flat file after a complex build or other
>process has completed.  I do this a *lot* and it's great.  There's a 
>trivial 'egrep' implementation in my Windows logcheck port above.
>I'd do a PLUG preso on this, but it's only about 10-20 mins...  I've 
>also wanted to do a wikipedia article on it, I just never get to that.
>JP Vossen, CISSP            |:::======|
>My Account, My Opinions     |=========|
>"Microsoft Tax" = the additional hardware & yearly fees for the add-on
>software required to protect Windows from its own poorly designed and
>implemented self, while the overhead incidentally flattens Moore's Law.
>Philadelphia Linux Users Group         --       
>Announcements -
>General Discussion  --  

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --