So what does an attack look like?
Two common attack signatures are:
- Repeated actions
  - su several times with an incorrect password
  - Several attempts to log in as a trusted user
- Several suspicious actions
  - If several suspicious actions come from an IP, domain, or user, it may be an attack.

Suspicious actions include:
- Incorrect password entered for su or login
- Connection to an unused port
- Connection to several ports in a short amount of time
- (and tons more)
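
As an added example (not from the original page), this Python code checks both signatures over a stream of events, treating each item in the suspicious-actions list as a classifier. The event tuples, the `WINDOW` and `SEVERAL` thresholds, `USED_PORTS` and the function names are all constructed assumptions.

```python
from collections import defaultdict

WINDOW = 60                   # assumption: seconds treated as "a short amount of time"
SEVERAL = 3                   # assumption: count treated as "several"
USED_PORTS = {22, 80, 443}    # assumption: ports this host actually serves

# Constructed sample events: (time in seconds, source, action, detail)
EVENTS = [
    (0, "10.0.0.5", "su_fail", "root"),
    (5, "10.0.0.5", "su_fail", "root"),
    (9, "10.0.0.5", "su_fail", "root"),
    (20, "10.0.0.9", "login_fail", "admin"),
    (25, "10.0.0.9", "connect", 6000),
    (30, "10.0.0.9", "su_fail", "root"),
    (600, "10.0.0.3", "connect", 22),
    (601, "10.0.0.3", "connect", 80),
    (602, "10.0.0.3", "connect", 443),
]

def suspicious_actions(events):
    """Yield (time, source, kind) for each suspicious action in the list above."""
    recent = defaultdict(list)  # source -> [(time, port)] seen within WINDOW
    for t, src, action, detail in sorted(events, key=lambda e: e[0]):
        if action in ("su_fail", "login_fail"):
            yield t, src, action
        elif action == "connect":
            if detail not in USED_PORTS:
                yield t, src, "unused_port"
            recent[src] = [(ts, p) for ts, p in recent[src] if t - ts <= WINDOW]
            recent[src].append((t, detail))
            if len({p for _, p in recent[src]}) >= SEVERAL:
                yield t, src, "many_ports"

def within_window(times):
    """True if SEVERAL of the (sorted) timestamps fall within WINDOW seconds."""
    return any(times[i + SEVERAL - 1] - times[i] <= WINDOW
               for i in range(len(times) - SEVERAL + 1))

def find_signatures(events):
    """Return {source: set of signature names} for the two signatures."""
    groups = defaultdict(list)
    for t, src, kind in suspicious_actions(events):
        groups[(src, kind, "repeated action")].append(t)
        groups[(src, None, "several suspicious actions")].append(t)
    found = defaultdict(set)
    for (src, _, name), times in groups.items():
        if within_window(times):
            found[src].add(name)
    return dict(found)
```

In the sample, `10.0.0.9` never repeats one action but is still flagged for several different suspicious actions, while `10.0.0.3` produces a single `many_ports` action and is not flagged on its own.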
