RE: Remote Syslogd

From: Ben Boulanger (benat_private)
Date: Wed Nov 06 2002 - 09:00:45 PST

On Wed, 6 Nov 2002, Alejandro Rusell wrote:
> This configuration is vulnerable to attacks trying to fill the log's repository.
>
> By the way, the sniffer / snort has to be able to cope with all the
> traffic.  Even when the syslog traffic is small, unless you use a
> different network to manage logs, the current core networks in most
> enterprises are at least 100Mbps, not to say Gigabit.  What if the
> attacker fills the network at cable speed?

If the attacker fills the network at cable speed, your syslogs aren't
going to matter much anyway.  You have larger problems.  A printer
certainly won't keep up with that.  Planning for the edge conditions can
get sticky fast.  There's always some way around something you create,
always some way to disable your alarms.  Plan for the majority, plan
-some- for the edges, but insure against the edges that you can't easily
plan for.

Ben

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 18:01:58 PST