(Presuming one has Security/3000 configured correctly)
SEC LISTLOG OPVIOLATION
Is a fairly decent daily routine.
Sample below: (User IDs changed to protect identity.)
Violat:16MAR04 4:32PM 365 XXXXX,UUUU.AAAAA BAD SESSION NAME
Violat:16MAR04 4:46PM 220 SSSSS,UUUU.AAAAA EXPIRED SECURITY/3000 PASSWORD
Violat:16MAR04 4:47PM 220 SSSSS,UUUU.AAAAA EXPIRED SECURITY/3000 PASSWORD
Violat:16MAR04 4:47PM 220 SSSSS,UUUU.AAAAA BAD PASSWORD
...
Violat:17MAR04 10:19AM 297 SSSSS,UUUU.AAAAA BAD PASSWORD
Violat:17MAR04 2:51AM 320 SSSSS,UUUU.AAAAA TIMEOUT ON PASSWORD
Violat:17MAR04 11:21AM 253 SSSSS,UUUU.AAAAA BAD PASSWORD
Violat:17MAR04 5:16AM 271 SSSSS,UUUU.AAAAA BAD PASSWORD
Violat:17MAR04 1:29PM 292 SSSSS,UUUU.AAAAA BAD PASSWORD
Violat:17MAR04 12:39AM 345 SSSSS,UUUU.AAAAA BAD TIME
Violat:17MAR04 12:47AM 347 SSSSS,UUUU.AAAAA BAD TIME
...
Violat:18MAR04 8:16PM 225 ZZZZ,UUUU.AAAAA BAD SESSION NAME
Violat:18MAR04 8:23AM 262 SSSSS,UUUU.AAAAA BAD PASSWORD
Violat:18MAR04 8:47AM 274 SSSSS,UUUU.AAAAA BAD PASSWORD
Violat:18MAR04 9:10AM 276 SSSSS,BBBB.AAAAA BAD USER
BT
Tracy Johnson
MSI Schaevitz Sensors
> -----Original Message-----
> From: HP-3000 Systems Discussion [mailto:[log in to unmask]]On
> Behalf Of Greg Stigers
> Sent: Wednesday, March 17, 2004 10:15 PM
> To: [log in to unmask]
> Subject: [HP3000-L] Intrusion Detection for MPE
>
>
> What are list members doing to attempt to track intrusion
> detection on their
> HP 3000s?
>
> One joke immediately occurs to me, and I may share said joke
> later, but I am
> serious in my question. I realize that intrusion detection
> can and should be
> performed elsewhere, with more than one means of so doing. So
> my question
> assumes an MPE administrator looking for patterns of failed sign-ons
> (inconsistent with those who cannot seem to get their own
> password right on
> the first try Monday mornings) or intruding connection attempts.
>
> Greg Stigers, MCSA
> this space for rent
>
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
>
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
|