[Intrusions] real-time forensic monitoring?

Roland Green rgreen at plannedbuy.com
Tue Oct 19 01:05:01 GMT 2004


Rich, here is my approach,

Considering that you have email log data which specifies who logged in 
from where (i.e. IP address) for the past thirty to ninety days, I would 
create a program to import the data and look for anomalies as they relate 
to people who recently started logging in from different IP addresses that 
are not consistent with their histories.  Then if that list is too long I 
would create another program to cross-reference users to see if the IP 
addresses where anomalies stand out appear across other users.  At this 
point I would interview select users to confirm that they never access 
company mail from XYZ location.  After a few user confirmations, I would 
contact the appropriate ISP(s) to either have them identify the user of 
the IP address or set up a trap with the authorities in the event they 
are operating out of a public location which grants Internet access to 
the general public.

Depending on the customer setup, you may also have to cross reference 
firewall logs.

All the Best
Green

Rich Adamson wrote:

>Got a location where we believe an ISP ex-employee is accessing/reading 
>private email, and that employee might be obtaining current passwords
>(etc) from existing employees. We're going to use Snort to monitor for
>several very specific rules (specific to this need) to help detect the 
>access, but we're not sure as yet how access is being obtained. We
>also would like (as a secondary approach) to trigger other Linux system 
>audit functions (eg, logins, etc) to gather forensic evidence in this
>case.
>
>We've not yet seen or been into their systems (but will be shortly), so 
>not sure how they are configured or what might be available to aid in 
>this discovery process. We're about 90% sure their email system is
>based on Linux though.
>
>Before heading to their site (clandestinely, under contract signed by
>their president), any suggestions from anyone that has had to play this 
>real-time role as to additional evidence-gathering mechanisms that should
>best be addressed during a first visit?
>
>On-list or off-list suggestions would be appreciated.
>
>
>_______________________________________________
>Intrusions mailing list
>Intrusions at lists.sans.org
>http://www.dshield.org/mailman/listinfo/intrusions
>
>  
>
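One way to implement the two passes Green describes (flag each user's recent logins against that user's own history, then cross-reference the anomalous IPs across users), as an added example that is not code from the original thread; the login records, the cutoff date and the grouping of addresses by /24 are constructed assumptions:

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample mail-login records (timestamp, user, source IP); not real data.
LOGINS = [
    ("2004-08-02 08:01", "alice", "10.1.1.20"),
    ("2004-08-20 09:12", "alice", "10.1.1.21"),
    ("2004-09-14 07:55", "alice", "10.1.1.20"),
    ("2004-08-03 18:30", "bob",   "203.0.113.40"),
    ("2004-09-01 19:02", "bob",   "203.0.113.41"),
    ("2004-08-10 12:00", "carol", "10.1.1.30"),
    ("2004-09-20 03:17", "carol", "10.1.1.30"),
    # Recent window: two accounts are read from a network neither has used before.
    ("2004-10-12 02:41", "alice", "198.51.100.7"),
    ("2004-10-13 02:55", "bob",   "198.51.100.7"),
    ("2004-10-14 09:10", "carol", "10.1.1.31"),   # new host on a known network: not flagged
]

def net_of(ip, prefix):
    """Collapse an address to its /prefix network so a DHCP-shuffled last octet is not an anomaly."""
    return ip_network(f"{ip}/{prefix}", strict=False)

def find_anomalies(logins, cutoff, prefix=24):
    """Map user -> set of recent source IPs whose network is absent from that user's pre-cutoff history.
    A user with no history before the cutoff has every recent login flagged."""
    cutoff = datetime.strptime(cutoff, "%Y-%m-%d")
    history, flagged = defaultdict(set), defaultdict(set)
    for ts, user, ip in logins:                      # pass 1: per-user baseline of networks
        if datetime.strptime(ts, "%Y-%m-%d %H:%M") < cutoff:
            history[user].add(net_of(ip, prefix))
    for ts, user, ip in logins:                      # pass 2: recent logins against the baseline
        if datetime.strptime(ts, "%Y-%m-%d %H:%M") >= cutoff and net_of(ip, prefix) not in history[user]:
            flagged[user].add(ip)
    return dict(flagged)

def cross_reference(flagged):
    """Map anomalous IP -> sorted users it touched, keeping only IPs that show up for more than one account."""
    users_by_ip = defaultdict(set)
    for user, ips in flagged.items():
        for ip in ips:
            users_by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in users_by_ip.items() if len(users) > 1}

if __name__ == "__main__":
    flagged = find_anomalies(LOGINS, "2004-10-01")
    print("per-user anomalies:", flagged)
    print("anomalous IPs shared across users:", cross_reference(flagged))
```

The shared-IP list is the short list to take into the user interviews; an address that is anomalous for one user only is far weaker evidence than one that suddenly reads several mailboxes.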