Halloween 2002: scary log entries continue

Continuing the Halloween tradition. Three quick investigation moments from 2002.

February: a successful login from a country I had never visited. Investigation: my friend was travelling and had used my credentials with permission. Lesson: communicate about expected unusual activity.

June: an OpenSSH crash on a host with port 22 exposed. Investigation: an attempt to exploit the OpenSSH challenge-response vulnerability. The attempt failed; the crash was the symptom. Lesson: monitor for service crashes; they are leading indicators.
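One way to act on the June lesson, as an added example that is not part of the original post: scan syslog for lines that indicate an unexpected termination (kernel segfault reports, a process reporting signal 11, an httpd child dying on SIGSEGV, an sshd `fatal:` abort), attribute each one to the service that died, and raise an alert when one host's service crashes repeatedly within a short window. The log lines, the host names and the year stamped onto the timestamps are constructed for the example; the crash patterns are ones I assume a Linux syslog of that era would carry, not something the post lists.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (illustrative; not taken from the post's own logs).
SAMPLE_LOG = """\
Jun 26 03:14:07 bastion sshd[2213]: Accepted publickey for alice from 10.0.0.5 port 52211 ssh2
Jun 26 03:15:41 bastion kernel: sshd[2290]: segfault at 0 ip 00000000 sp 00000000 error 4
Jun 26 03:15:41 bastion sshd[2290]: fatal: buffer_get: trying to get more bytes than in buffer
Jun 26 03:15:55 bastion kernel: sshd[2294]: segfault at 0 ip 00000000 sp 00000000 error 4
Jun 26 03:16:10 bastion sshd[2298]: Received signal 11; terminating.
Jun 26 03:40:00 bastion cron[4001]: (root) CMD (run-parts /etc/cron.hourly)
Jun 26 03:41:02 webfront httpd[812]: child pid 900 exit signal Segmentation fault (11)
"""

# Classic syslog layout: "<Mon DD HH:MM:SS> <host> <prog>[<pid>]: <message>".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Message patterns treated as an abnormal termination (assumed formats, see lead-in).
CRASH_PATTERNS = [
    re.compile(r"^(?P<proc>\w+)\[\d+\]: segfault at"),   # kernel names the victim process
    re.compile(r"Received signal 11"),                    # process reports SIGSEGV itself
    re.compile(r"exit signal Segmentation fault"),        # httpd parent reports a dead child
    re.compile(r"^fatal: "),                              # sshd aborts on an internal error
]

ASSUMED_YEAR = 2002  # syslog timestamps carry no year; assumption for this example


def parse_syslog_line(line):
    """Split one syslog line into fields; return None if it does not match the layout."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%b %d %H:%M:%S")
    return {
        "ts": ts.replace(year=ASSUMED_YEAR),
        "host": m.group("host"),
        "prog": m.group("prog"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
    }


def crashed_service(record):
    """Return the service that crashed, or None when the line is not a crash indicator."""
    for pat in CRASH_PATTERNS:
        m = pat.search(record["msg"])
        if m:
            # Kernel segfault lines name the victim in the message; otherwise the logger died.
            return m.groupdict().get("proc") or record["prog"]
    return None


def find_crash_bursts(log_text, threshold=3, window=timedelta(minutes=5)):
    """Group crash events per (host, service) and flag bursts of >= threshold within window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_syslog_line(line)
        if rec is None:
            continue
        svc = crashed_service(rec)
        if svc:
            events[(rec["host"], svc)].append(rec["ts"])

    alerts = {}
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until the span fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(key, {}).get("count", 0):
                alerts[key] = {
                    "count": count,
                    "first": stamps[start].strftime("%b %d %H:%M:%S"),
                    "last": stamps[end].strftime("%b %d %H:%M:%S"),
                }
    return alerts


if __name__ == "__main__":
    for (host, svc), info in find_crash_bursts(SAMPLE_LOG).items():
        print(f"{host}: {svc} crashed {info['count']}x between {info['first']} and {info['last']}")
```

On the constructed input this flags `bastion`/`sshd` (four crash indicators in under a minute) and stays silent on the single `httpd` child death on `webfront`, which is the distinction the June entry turns on: one crash is a data point, a cluster on an exposed service is the thing to chase.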

September: P2P UDP traffic from an internal host. Investigation: legitimate file-sharing application a friend had installed. Lesson: not all P2P traffic is Slapper; investigate specifically.

The pattern remains: investigate carefully, distinguish noise from signal, write down the lessons. Have a safe night.
