Hello all,

My .02 in the message.

Regards,
Alejandro

> -----Original message-----
> From: Gino Pietro Guidi [mailto:gguidiat_private]
> Sent: Tuesday, November 05, 2002 12:31 AM
> To: 'Tom Perrine'; paulat_private
> CC: msconzoat_private; forensicsat_private
> Subject: RE: Remote Syslogd
>
>
> I have recently come across an article that described secure logging
> using snort. Basically snort was configured to dump the contents of all
> syslog packets sent to a fake ip. Then that ip was set up as the loghost
> ip on the remote hosts.

This configuration is vulnerable to attacks trying to fill the log
repository. By the way, the sniffer / snort has to be able to cope with
all the traffic. Even when the syslog traffic is small, unless you use a
different network to manage logs, the current core networks in most
enterprises are at least 100 Mbps, not to say Gigabit. What if the
attacker fills the network at cable speed?

> With this configuration, in theory, you wouldn't be able to hack into
> it provided the snort box had no IPs on ANY interface and simply
> listened. It was interesting but I haven't gotten around to trying it
> yet. It sounds pretty strong to me though. I think it was in Linux
> Journal that I read about it. I could probably find the reference if
> anyone is interested...

This one is true.

> Gino Guidi
> gguidiat_private
>
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
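The flooding concern raised above (a passive sniffer collecting syslog sent to a fake loghost can have its repository filled by any host on the wire) can be modelled on the collector side. The following is an added example, not code from either poster or from snort: it parses RFC 3164-style syslog payloads as the sniffer would see them and applies a per-source token bucket plus a disk quota, so one flooding host is dropped and counted instead of starving the others. Source addresses, the fake loghost 10.0.0.250 and the sample lines are constructed.

```python
import re
from collections import defaultdict

# RFC 3164 framing: "<PRI>message", PRI = facility*8 + severity, PRI <= 191.
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.S)

def parse_syslog(payload):
    """Return (facility, severity, text), or None for non-syslog payloads."""
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2).decode("utf-8", "replace").strip()

class LogRepository:
    """Accepts lines for the passive collector; a per-source token bucket
    limits floods and a byte quota stops writes before the disk is full."""
    def __init__(self, quota_bytes, burst, refill_per_sec):
        self.quota, self.burst, self.refill = quota_bytes, burst, refill_per_sec
        self.used = 0
        self.lines = []                  # accepted (src, facility, severity, text)
        self.dropped = defaultdict(int)  # per-source drop counter for alerting
        self._bucket = {}                # src -> (tokens, last_seen)

    def accept(self, src, payload, now):
        parsed = parse_syslog(payload)
        if parsed is None:               # malformed: count it, never store it
            self.dropped[src] += 1
            return False
        tokens, last = self._bucket.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.refill)
        if tokens < 1 or self.used + len(payload) > self.quota:
            self._bucket[src] = (tokens, now)
            self.dropped[src] += 1
            return False
        self._bucket[src] = (tokens - 1, now)
        self.used += len(payload)
        self.lines.append((src, *parsed))
        return True

def demo():
    """Constructed traffic to the fake loghost 10.0.0.250: one normal host
    and one host flooding ten lines in the same second."""
    repo = LogRepository(quota_bytes=4096, burst=3, refill_per_sec=1.0)
    repo.accept("10.0.1.5", b"<34>Nov  5 00:31:00 host1 su: 'su root' failed", 0.0)
    for i in range(10):
        repo.accept("10.0.1.9", b"<13>Nov  5 00:31:01 host9 junk %d" % i, 1.0)
    repo.accept("10.0.1.5", b"<38>Nov  5 00:31:02 host1 sshd: accepted", 2.0)
    return repo
```

In the demo the flooding host gets its burst of three lines stored and seven dropped, while the normal host's later line is still accepted.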
This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 08:54:10 PST