Notes:
WHERE:
Home PC: dial scripts, dial logs
Phone: 800 billing statement (Hopefully your modems are on an 800 number)
Physical: Card Access System, Security Checkpoint Logbook
Modem: TACACS logs, TACACS+ logs, RADIUS logs, RAS logs
Network: Cisco Netflow logs, IDS logs, Firewall Logs, Proxy logs, sniffers, mail logs, DNS logs
Host: syslog TCP-Wrapper entries, login entries (last), .history files!, NT Event Log entries for admin functions and failures, interesting files (programs, source, data, etc.), lsof
MEANING:
Considerations for load balancing (merge logs from load balanced hosts/devices)
Time offsets (clock sync may be off)
Time offsets between software layers (tcp-wrappers vs. utmp entries)
End-of-event accounting (a shell script containing commands is recorded *after* the commands issued within it are recorded)
NARROWING THE SEARCH:
Point-of-entry accounting is used to narrow downstream log searching for interactive activity
Non-interactive activity may occur as well, so narrowing downstream logs is only effective for some things
RELIABILITY:
Threat of trojaned binaries - This is why we correlate!
What we DON'T find is sometimes more interesting than what we DO find
utmp, wtmp, etc. sometimes truncate names, whereas tcpwrappers does not
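As an added example (not part of these notes), a small Python script that works the MEANING and RELIABILITY points above: it merges tcp_wrappers syslog entries from one host with `last`/wtmp entries from another, corrects a per-host clock offset before ordering them, and pairs each remote login with the connect that preceded it, flagging wtmp names that hit the classic 8-character field width. All log lines, hostnames, addresses and offsets are constructed.

```python
import re
from datetime import datetime, timedelta

YEAR = 2024  # syslog and `last` lines carry no year; assumed for the sample
# Seconds each host's clock runs fast of the reference clock (constructed).
CLOCK_OFFSET = {"gw": 90, "db1": 0}
WTMP_NAME_MAX = 8  # classic utmp/wtmp name width: longer names are cut
TCPD_LINES = [  # constructed tcp_wrappers syslog lines from gateway "gw"
    "Mar 14 02:11:35 gw sshd[2111]: refused connect from 203.0.113.9",
    "Mar 14 02:12:04 gw in.telnetd[2120]: connect from 203.0.113.9",
]
LAST_LINES = [  # constructed `last` output from "db1"; "operationsadmin" cut to 8 chars
    "operatio pts/3        203.0.113.9      Thu Mar 14 02:11 - 02:25  (00:14)",
    "root     tty1                          Thu Mar 14 01:58 - 02:30  (00:32)",
]
TCPD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) \S+\[\d+\]: "
                     r"(refused connect|connect) from (\S+)")
LAST_RE = re.compile(r"^(\S+)\s+(\S+)\s+(?:(\S+)\s+)?\w{3} (\w{3} +\d+ \d\d:\d\d)")

def ref_time(stamp, fmt, host):
    # Parse the stamp, then shift it onto the reference clock for `host`.
    return datetime.strptime(f"{YEAR} {stamp}", fmt) - timedelta(seconds=CLOCK_OFFSET[host])

def parse_tcpd(lines):
    out = []  # tcp_wrappers: full source address, second resolution, no user
    for m in filter(None, map(TCPD_RE.match, lines)):
        stamp, host, kind, ip = m.groups()
        out.append({"t": ref_time(stamp, "%Y %b %d %H:%M:%S", host),
                    "host": host, "kind": kind, "ip": ip, "user": None})
    return out

def parse_last(lines, host):
    out = []  # wtmp: username and tty, minute resolution, name may be cut
    for m in filter(None, map(LAST_RE.match, lines)):
        user, _tty, ip, stamp = m.groups()
        out.append({"t": ref_time(stamp, "%Y %b %d %H:%M", host), "host": host,
                    "kind": "login", "ip": ip, "user": user,
                    "name_maybe_cut": len(user) >= WTMP_NAME_MAX})
    return out

def merged_timeline(*streams):
    # One timeline across hosts, ordered on the corrected clock.
    return sorted((e for s in streams for e in s), key=lambda e: e["t"])

def correlate_logins(events, window=timedelta(minutes=5)):
    """Pair each remote wtmp login with tcpd connects from its IP within `window`."""
    connects = [e for e in events if e["kind"] == "connect"]
    return {e["user"]: [c for c in connects if c["ip"] == e["ip"]
                        and abs(c["t"] - e["t"]) <= window]
            for e in events if e["kind"] == "login" and e["ip"]}
```

On the raw stamps the telnet connect (02:12:04) appears to follow the login it produced (02:11); after subtracting the gateway's 90-second skew it lands at 02:10:34, before the login, which is the ordering the correlation relies on.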