I have recently come across an article that described secure logging using
snort. Basically snort was configured to dump the contents of all syslog
packets sent to a fake IP. Then that IP was set up as the loghost IP on the
remote hosts. With this configuration, in theory, you wouldn't be able to hack
into it provided the snort box had no IPs on ANY interface and simply
listened. It was interesting but I haven't gotten around to trying it yet. It
sounds pretty strong to me though. I think it was in Linux Journal that I read
about it. I could probably find the reference if anyone is interested...

Gino Guidi
gguidiat_private

-----Original Message-----
From: Tom Perrine [mailto:tepat_private]
Sent: Friday, November 01, 2002 10:22 AM
To: paulat_private
Cc: msconzoat_private; forensicsat_private
Subject: Re: Remote Syslogd

>>>>> On 30 Oct 2002 11:18:04 -0500, Paul Timmins <paulat_private> said:

PT> Another option I've employed at one point is to direct security logs to
PT> /dev/lp0 and throw a dot matrix printer with a continuous feed of paper
PT> on the parallel port (I did this on Linux, I'm sure it works on other
PT> OSs).

PT> Once they get into the machine, there's no way they can delete the logs.
PT> I mean, they can move the paper back a line or two with the epson
PT> control sequences and try to print over it, but combined with a remote
PT> logging server, you have evidence that is likely a lot easier to prove
PT> wasn't tampered with (IANAL).

PT> My $0.02.

PT> -Paul

We used to do that. Way back when, e.g. 1994, we hooked up a DecWriter III
(LA-120) to log all system logs that hit our loghost, to paper. As the volume
picked up, we started only logging the authentication stuff. By 1996 or so,
the volume was going through a box of fanfold or worse every shift.

I've often wanted to build a box that did the functional equivalent with a
CD-burner, e.g. burn log records to CD (or DVD?) in real time.

--
Tom E. Perrine <tepat_private> | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/ |

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
-----------------------------------------------------------------
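The sniffer-based collector described at the top of the thread has to do by hand what a normal loghost gets from its kernel: pull the syslog text out of raw UDP/514 frames arriving on an interface that has no address of its own. The following Python is an added example, not code from the original thread, from snort or from Linux Journal. It decodes one Ethernet/IPv4/UDP frame into a syslog record (verifying the IP header checksum and rejecting anything that is not a well-formed syslog datagram) and then applies the "authentication only" filter Tom mentions. The hosts (10.0.0.5, 10.0.0.7), the fake loghost address 10.0.0.250 and the log lines are constructed inside the code; a real sensor would instead read frames from libpcap as root.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

# Frame layout constants: Ethernet II / IPv4 / UDP / RFC 3164 syslog.
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
SYSLOG_PORT = 514

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogRecord:
    src_ip: str
    facility: str
    severity: str
    message: str


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syslog_frame(src_ip: str, dst_ip: str, payload: bytes, dst_port: int = SYSLOG_PORT) -> bytes:
    """Constructed test input: the frame a remote host would emit toward the fake loghost IP."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, dst_port, udp_len, 0)  # UDP checksum 0 = absent (legal on IPv4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]  # fill in the header checksum
    return eth + ip + udp + payload


def parse_syslog_frame(frame: bytes) -> Optional[SyslogRecord]:
    """Decode one captured frame; None for anything that is not a well-formed syslog datagram."""
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if ihl < 20 or len(ip_hdr) != ihl or ip_checksum(ip_hdr) != 0:
        return None  # truncated or corrupted IP header
    if ip_hdr[9] != IPPROTO_UDP:
        return None
    total_len = struct.unpack("!H", ip_hdr[2:4])[0]
    src_ip = socket.inet_ntoa(ip_hdr[12:16])
    udp_off = 14 + ihl
    udp_hdr = frame[udp_off:udp_off + 8]
    if len(udp_hdr) < 8:
        return None
    _, dst_port, udp_len = struct.unpack("!HHH", udp_hdr[:6])
    if dst_port != SYSLOG_PORT or udp_len < 8 or udp_off + udp_len > 14 + total_len:
        return None
    payload = frame[udp_off + 8:udp_off + udp_len]
    # RFC 3164 PRI part: "<" then up to three digits then ">", encoding facility*8 + severity.
    end = payload.find(b">", 1, 5)
    if not payload.startswith(b"<") or end == -1 or not payload[1:end].isdigit():
        return None
    pri = int(payload[1:end])
    facility, severity = pri >> 3, pri & 7
    if facility >= len(FACILITIES):
        return None
    return SyslogRecord(src_ip, FACILITIES[facility], SEVERITIES[severity],
                        payload[end + 1:].decode("utf-8", errors="replace"))


def is_auth_record(record: SyslogRecord) -> bool:
    """The later policy from the thread: keep only authentication traffic."""
    return record.facility in ("auth", "authpriv")


# Constructed sample traffic: two hosts logging to the fake loghost address 10.0.0.250.
SAMPLE_FRAMES = [
    build_syslog_frame("10.0.0.5", "10.0.0.250",
                       b"<38>Nov  1 10:22:00 db1 sshd[4121]: Accepted publickey for alice from 10.0.0.9"),
    build_syslog_frame("10.0.0.7", "10.0.0.250",
                       b"<13>Nov  1 10:22:03 web1 cron[88]: (root) CMD (run-parts /etc/cron.hourly)"),
    build_syslog_frame("10.0.0.7", "10.0.0.250", b"GET / HTTP/1.0\r\n", dst_port=80),  # not syslog
]


def collect(frames) -> list:
    """What the listening box does with each frame it sees: decode, filter, keep."""
    records = (parse_syslog_frame(f) for f in frames)
    return [r for r in records if r is not None and is_auth_record(r)]


if __name__ == "__main__":
    for rec in collect(SAMPLE_FRAMES):
        print(f"{rec.src_ip} {rec.facility}.{rec.severity} {rec.message}")
```

Run as-is it keeps only the sshd line from 10.0.0.5 and drops the cron line and the non-syslog datagram. Two properties of the design are worth noting when building such a box: the sensor never transmits, so nothing on the wire tells the sending hosts (or an intruder on them) whether the fake address is being watched, but for the same reason UDP syslog frames the sensor misses are simply gone, and the constructed frames here carry UDP checksum 0 (permitted on IPv4), which a stricter collector might choose to reject.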
This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 03:25:13 PST