Knowing what to look for in your logs

If you believe a system has been compromised, look for certain events in that system's logs (whether it's on Linux, Unix, or Windows):
- Users added, deleted, or modified. On Linux systems, your logs show useradd, userdel, or usermod being run when users are added, deleted, or modified. On Windows systems, the creation or deletion of user accounts shows up in the Security event log in the Event Viewer application.
- Password changes on system accounts. On Linux systems, password...
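As an added example (not from the book), a small Python scanner that pulls exactly these events out of syslog-style lines and reports the affected account; the sample lines are constructed in the shape that shadow-utils and PAM write to auth.log or secure, not real captures:

```python
import re
from typing import Dict, List

# Constructed sample lines in the style of shadow-utils and PAM syslog messages
# (what /var/log/auth.log or /var/log/secure typically contain). Not real captures.
SAMPLE_LOG = """\
Mar  3 10:14:02 web01 useradd[2231]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash
Mar  3 10:14:05 web01 passwd[2240]: pam_unix(passwd:chauthtok): password changed for svc_backup
Mar  3 10:15:11 web01 usermod[2255]: add 'svc_backup' to group 'sudo'
Mar  3 10:20:44 web01 sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2
Mar  3 11:02:09 web01 userdel[2410]: delete user 'tempuser'
"""

# Generic syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+)\[\d+\]:\s+(?P<msg>.*)$"
)

# Per-tool extraction of the affected account name from the message body.
ACCOUNT_PATTERNS = {
    "useradd": re.compile(r"new user: name=(?P<acct>[^,\s]+)"),
    "userdel": re.compile(r"delete user '(?P<acct>[^']+)'"),
    "usermod": re.compile(r"'(?P<acct>[^']+)'"),  # first quoted name is the user
    "passwd": re.compile(r"password changed for (?P<acct>\S+)"),
}


def find_account_changes(log_text: str) -> List[Dict[str, str]]:
    """Return one record per user add/delete/modify or password-change line."""
    hits = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m or m.group("prog") not in ACCOUNT_PATTERNS:
            continue  # not syslog-shaped, or not one of the account tools
        prog = m.group("prog")
        am = ACCOUNT_PATTERNS[prog].search(m.group("msg"))
        hits.append({
            "time": m.group("ts"),
            "host": m.group("host"),
            "tool": prog,
            "account": am.group("acct") if am else "?",
            "detail": m.group("msg"),
        })
    return hits


if __name__ == "__main__":
    for h in find_account_changes(SAMPLE_LOG):
        print(f"{h['time']} {h['host']} {h['tool']:8} {h['account']:12} {h['detail']}")
```

Point the function at real auth.log contents and the sshd line shows why the program-name filter matters: only the account tools are reported, everything else is skipped.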

http_inspect: a preprocessor for HTTP

With Snort 2.1, the http_decode preprocessor gave way to the http_inspect preprocessor. If you use Snort 2.0, use http_decode. If you use Snort 2.1 (or later), use http_inspect. We recommend installing and using the http_inspect preprocessor. http_inspect normalizes packets carrying the various encodings of HTTP communication into a single canonical form that Snort can compare against its rules. A huge amount of Web traffic crosses the Net, and many attacks rely on the HTTP protocol as...