HackerTrans
TopNewTrendsCommentsPastAskShowJobs

fubar9463

no profile record

comments

fubar9463
·2 yıl önce·discuss
In any case the ROI for correlating SSH logs against network traffic is potentially error prone and may be more noisy than useful (can you differentiate in logs between SSH logins from a private IP and a public one?).

An EDR tool would be much better to look for an attacker’s next steps. But if you’re trying to catch a nation state they probably already have a plan for hiding their tracks.
fubar9463
·2 yıl önce·discuss
You would be sending logs to a log collector (a SIEM) in security terms, and then you could join your firewall logs against your SSH auth logs.

This kind of anomaly detection is possible. Not sure how common it is. I doubt it is common.