[Intrusions] real-time forensic monitoring?

Smith, Donald Donald.Smith at qwest.com
Tue Oct 19 17:03:43 GMT 2004


If they are like most ISPs they have an AAA (tacacs, radius ...) server.
Get access to that server/logs; it should show who logged in from where
AND what commands they performed.
If you can, get a system configured to capture the AAA stuff off the wire
in case someone is cleaning the logs.


Donald.Smith at qwest.com GCIA
1st & 2nd rule of security. 
While(access_required = 1) provideaccess(); else denyaccess();

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Rich Adamson
> Sent: Monday, October 18, 2004 6:52 AM
> To: intrusions
> Subject: [Intrusions] real-time forensic monitoring?
> 
> 
> 
> Got a location where we believe an isp ex-employee is accessing/reading
> private email, and that employee might be obtaining current passwords
> (etc) from existing employees. We're going to use snort to monitor for
> several very specific rules (specific to this need) to help detect the
> access, but we're not sure as yet how access is being obtained. We
> also would like (as a secondary approach) to trigger other linux system
> audit functions (eg, logins, etc) to gather forensic evidence in this
> case.
> 
> We've not yet seen or been into their systems (but will be shortly), so
> not sure how they are configured or what might be available to aid in
> this discovery process. We're about 90% sure their email system is
> based on linux though.
> 
> Before heading to their site (clandestinely, under contract signed by
> their president), any suggestions from anyone that has had to play this
> real-time role as to additional evidence-gathering mechanisms that should
> best be addressed during a first visit?
> 
> On-list or off-list suggestions would be appreciated.
> 
> 
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
> 
> 
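Donald's off-the-wire AAA capture, as an added example that is not part of the original post: it decodes RADIUS Accounting-Request packets (RFC 2866 layout) captured independently of the AAA server and diffs them against the server's own log, so sessions that were cleaned from the log stand out. The packets, the zeroed authenticator and the key=value log format are constructed for the example.

```python
# Added example (not from the list post): parse RADIUS Accounting-Request
# packets captured off the wire and diff them against the AAA server's own
# log, so entries deleted from the server stand out. Log format is constructed.
import struct

ACCT_REQUEST = 4
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 40: "Acct-Status-Type", 44: "Acct-Session-Id"}
STATUS_NAMES = {1: "Start", 2: "Stop"}

def parse_acct_request(pkt: bytes) -> dict:
    """Decode the RFC 2866 header and the four attributes we care about."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, off = {}, 20                      # skip the 16-byte authenticator
    while off < length:
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2 or off + alen > length:
            raise ValueError("bad attribute length")
        val = pkt[off + 2:off + alen]
        name = ATTR_NAMES.get(atype)
        if name in ("User-Name", "Acct-Session-Id"):
            attrs[name] = val.decode("ascii", "replace")
        elif name == "NAS-IP-Address":
            attrs[name] = ".".join(str(b) for b in val)
        elif name == "Acct-Status-Type":
            attrs[name] = STATUS_NAMES.get(struct.unpack("!I", val)[0], "Other")
        off += alen
    return attrs

def build_acct_request(ident: int, user: str, nas: str, status: int, sid: str) -> bytes:
    """Constructed packet for the example; authenticator left zeroed, not verified."""
    body = b""
    for atype, val in ((1, user.encode()), (4, bytes(int(o) for o in nas.split("."))),
                       (40, struct.pack("!I", status)), (44, sid.encode())):
        body += bytes([atype, len(val) + 2]) + val
    return struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(body)) + b"\x00" * 16 + body

def sessions_missing_from_log(packets, log_lines):
    """Return (session id, status) pairs seen on the wire but absent from the server log."""
    on_wire = {(a["Acct-Session-Id"], a["Acct-Status-Type"]) for a in map(parse_acct_request, packets)}
    in_log = set()
    for line in log_lines:                   # constructed log format: space-separated key=value
        kv = dict(field.split("=", 1) for field in line.split())
        in_log.add((kv["sid"], kv["status"]))
    return on_wire - in_log

WIRE = [build_acct_request(1, "alice", "10.0.0.1", 1, "s100"),   # constructed capture
        build_acct_request(2, "bob", "10.0.0.1", 1, "s101"),
        build_acct_request(3, "bob", "10.0.0.1", 2, "s101")]
SERVER_LOG = ["user=alice sid=s100 status=Start", "user=bob sid=s101 status=Stop"]  # bob's Start is gone

if __name__ == "__main__":
    print(sessions_missing_from_log(WIRE, SERVER_LOG))   # {('s101', 'Start')}
```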
