(Let's leave out the OSI model layer naming scheme for simplicity's sake)
If you didn't take any measures to protect your box, possible "evidence" of a *network based attack* can be found in the system logs, and the logs of applications running at the time of the attack. They're in /var/log by default.
If you did add chkrootkit, from chkrootkit.org, Tripwire, AIDE or Samhain (see freshmeat.net), or are using a package management tool that uses GPG signatures or MD5 sums, it can scan your filesystems and report *filesystem data alterations* that could be the evidence of an attack.
If you did add a firewall (ipf, ipfwadm, ipchains or netfilter/iptables), set up the rules to disallow access for certain types of traffic/packet flags set, and added logging, then their logging of *network traffic* is in /var/log too.
If you did add some IDS capability like Snort (snort.org) (don't use portsentry), it can filter and report on what kind of *network traffic anomalies* have happened.
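As an added example (not part of the original post), here is a small shell helper that reads the netfilter/iptables LOG lines the post says end up in /var/log and lists sources that probed many different ports. The sample log lines are constructed (documentation IP ranges) in the field layout the kernel's LOG target writes; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of what netfilter/iptables writes to /var/log
# (kern.log or messages) when a rule with the LOG target fires.
# These are not real entries; one source hits 4 distinct ports, one hits 1.
SAMPLE_LOG='Mar  3 10:01:02 box kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:02 box kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:03 box kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 ID=3 DF PROTO=TCP SPT=40003 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:03 box kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 ID=4 DF PROTO=TCP SPT=40004 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:01:04 box kernel: DROP-IN: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=51 ID=5 DF PROTO=TCP SPT=40005 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:05:17 box kernel: DROP-IN: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=60 ID=9 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0'

# Read LOG lines on stdin; print "<distinct-port-count> <src>" per source,
# highest first. Repeated hits on the same port are counted once.
fw_ports_per_src() {
  awk '
    /kernel:/ && /SRC=/ && /DPT=/ {
      src = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END { for (s in ports) print ports[s], s }
  ' | sort -rn
}

# Sources that touched more than $1 distinct ports (default 3): a pattern
# worth cross-checking against the application logs in /var/log.
fw_suspicious_sources() {
  threshold=${1:-3}
  fw_ports_per_src | awk -v t="$threshold" '$1 > t { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | fw_suspicious_sources 3
```

On a live box you would feed it the real file instead of the sample, e.g. `grep 'DROP-IN:' /var/log/kern.log | fw_suspicious_sources 5`.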