LISTSERV - HP3000-L Archives

HP3000-L Archives

March 2004, Week 3

HP3000-L@RAVEN.UTC.EDU

	LISTSERV Archives
	HP3000-L Home
	HP3000-L March 2004, Week 3

	Log In
	Register

	Subscribe or Unsubscribe

	Search Archives

Options:	Use Monospaced Font Show Text Part by Default Show All Mail Headers
Message:	[<< First] [< Prev] [Next >] [Last >>]
Topic:	[<< First] [< Prev] [Next >] [Last >>]
Author:	[<< First] [< Prev] [Next >] [Last >>]

Subject:	Re: Intrusion Detection for MPE
From:	"Johnson, Tracy" <[log in to unmask]>
Reply To:	Johnson, Tracy
Date:	Thu, 18 Mar 2004 09:40:31 -0500
Content-Type:	text/plain
Parts/Attachments:	text/plain (64 lines)

(Presuming one has Security/3000 configured correctly)

SEC LISTLOG OPVIOLATION

Is a fairly decent daily routine.

Sample below:  (User IDs changed to protect identity.)

Violat:16MAR04  4:32PM 365 XXXXX,UUUU.AAAAA           BAD SESSION NAME
Violat:16MAR04  4:46PM 220 SSSSS,UUUU.AAAAA           EXPIRED SECURITY/3000 PASSWORD
Violat:16MAR04  4:47PM 220 SSSSS,UUUU.AAAAA           EXPIRED SECURITY/3000 PASSWORD
Violat:16MAR04  4:47PM 220 SSSSS,UUUU.AAAAA           BAD PASSWORD
...
Violat:17MAR04 10:19AM 297 SSSSS,UUUU.AAAAA           BAD PASSWORD
Violat:17MAR04  2:51AM 320 SSSSS,UUUU.AAAAA           TIMEOUT ON PASSWORD
Violat:17MAR04 11:21AM 253 SSSSS,UUUU.AAAAA           BAD PASSWORD
Violat:17MAR04  5:16AM 271 SSSSS,UUUU.AAAAA           BAD PASSWORD
Violat:17MAR04  1:29PM 292 SSSSS,UUUU.AAAAA           BAD PASSWORD
Violat:17MAR04 12:39AM 345 SSSSS,UUUU.AAAAA           BAD TIME
Violat:17MAR04 12:47AM 347 SSSSS,UUUU.AAAAA           BAD TIME
...
Violat:18MAR04  8:16PM 225 ZZZZ,UUUU.AAAAA            BAD SESSION NAME
Violat:18MAR04  8:23AM 262 SSSSS,UUUU.AAAAA           BAD PASSWORD
Violat:18MAR04  8:47AM 274 SSSSS,UUUU.AAAAA           BAD PASSWORD
Violat:18MAR04  9:10AM 276 SSSSS,BBBB.AAAAA           BAD USER
BT


Tracy Johnson
MSI Schaevitz Sensors 

> -----Original Message-----
> From: HP-3000 Systems Discussion [mailto:[log in to unmask]]On
> Behalf Of Greg Stigers
> Sent: Wednesday, March 17, 2004 10:15 PM
> To: [log in to unmask]
> Subject: [HP3000-L] Intrusion Detection for MPE
> 
> 
> What are list members doing to attempt to track intrusion 
> detection on their
> HP 3000s?
> 
> One joke immediately occurs to me, and I may share said joke 
> later, but I am
> serious in my question. I realize that intrusion detection 
> can and should be
> performed elsewhere, with more than one means of so doing. So 
> my question
> assumes an MPE administrator looking for patterns of failed sign-ons
> (inconsistent with those who cannot seem to get their own 
> password right on
> the first try Monday mornings) or intruding connection attempts.
> 
> Greg Stigers, MCSA
> this space for rent
> 
> * To join/leave the list, search archives, change list settings, *
> * etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
> 

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

ATOM RSS1 RSS2

RAVEN.UTC.EDU