RE: Remote Syslogd

From: John Fitzgerald (john@match-fit.com)
Date: Wed Nov 06 2002 - 09:22:09 PST


    I have previously piped syslog traffic through the serial port and
    captured it using a simple terminal emulation package - the terminal
    emulator didn't offer any opportunity for the attached system to get at
    previously logged information. Clearly, an intruder could stop the flow
    of further traffic, but that's the case with all these solutions.
    
    But even that solution, which is very similar to piping the info to a
    printer (without the reams of paper), seems unnecessary when it should be
    possible to adequately secure the syslog server. It can include basic
    packet filtering rules that only allow traffic destined for the syslogd
    (and no other traffic) from the monitored systems; indeed, it could even
    require that interactive access is only facilitated via a separate
    network.
    
    If only syslog traffic is allowed through, then the risk will be that
    there is an exploit on the syslogd code (such as a buffer overflow), but
    you can disable stack execution and chroot syslogd (assuming Unix) to
    minimize the impact of these vulnerabilities. To prevent an 'exploited'
    syslogd amending stored logs, you may be able to set them to be
    append-only (dependent upon the filesystem being used) and/or you could
    have a higher privilege daemon copying the logs to somewhere outside the
    chrooted area on a regular basis. Does anybody know of an application
    that is optimized for copying sequentially increasing files?
    
    -----Original Message-----
    From: Alejandro Rusell [mailto:arusellat_private] 
    Sent: 06 November 2002 14:41
    To: Gino Pietro Guidi; Tom Perrine; paulat_private
    Cc: msconzoat_private; forensicsat_private
    Subject: RE: Remote Syslogd
    
    Hello all,
    
    My .02 in the message.
    
    Regards,
    
    Alejandro
    
    > -----Original Message-----
    > From: Gino Pietro Guidi [mailto:gguidiat_private]
    > Sent: Tuesday, 05 November 2002 12:31 a.m.
    > To: 'Tom Perrine'; paulat_private
    > CC: msconzoat_private; forensicsat_private
    > Subject: RE: Remote Syslogd
    > 
    > 
    > I have recently come across an article that described secure logging
    > using snort. Basically snort was configured to dump the contents of all
    > syslog packets sent to a fake ip. Then that ip was set up as the loghost
    > ip on the remote hosts.
    
    This configuration is vulnerable to attacks trying to fill the log's
    repository.
    
    By the way, the sniffer / snort has to be able to cope with all the
    traffic.  Even when the syslog traffic is small, unless you use a
    different network to manage logs, the current core networks in most
    enterprises are at least 100 Mbps, not to mention Gigabit.  What if the
    attacker fills the network at cable speed?
    
    > With this configuration, in theory, you wouldn't
    > be able to hack into it provided the snort box had no ip's on ANY
    > interface and simply listened. It was interesting but I haven't gotten
    > around to trying it yet. It sounds pretty strong to me though. I think
    > it was in Linux Journal that I read about it. I could probably find the
    > reference if anyone is interested...
    > 
    
    This one is true.
    
    > Gino Guidi
    > gguidiat_private
    > 
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
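One way to do the regular copy-out John asks about above: a higher-privilege process outside the chroot appends only the bytes syslogd has written since the last run, and flags a source log that has shrunk, since an append-only file should never get shorter. This is an added example, not code from the thread; the file names, the sample log lines and the `sync_log`/`run_demo` names are constructed for the demonstration.

```python
import os
import tempfile

def sync_log(src, dst, offset, chunk_size=65536):
    """Append to dst every byte of src beyond `offset`.

    Returns (new_offset, bytes_copied, truncated). The caller keeps
    new_offset between runs (e.g. in a state file outside the chroot),
    so each run only moves what syslogd wrote since the last one.
    If src is shorter than offset it was truncated or replaced, which
    an append-only log never is: flag it and restart from byte 0. dst
    is only ever opened for append, so earlier copies are never lost.
    """
    truncated = os.path.getsize(src) < offset
    if truncated:
        offset = 0
    copied = 0
    with open(src, "rb") as fin, open(dst, "ab") as fout:
        fin.seek(offset)
        while True:
            buf = fin.read(chunk_size)
            if not buf:
                break
            fout.write(buf)
            copied += len(buf)
        fout.flush()
        os.fsync(fout.fileno())  # make the copy durable before advancing
    return offset + copied, copied, truncated

# Constructed sample log lines (not from any real host).
LINE1 = b"Nov  6 09:22:09 host sshd[123]: Accepted publickey for alice\n"
LINE2 = b"Nov  6 09:22:10 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls\n"
LINE3 = b"Nov  6 09:30:00 host syslogd: restart\n"

def run_demo(workdir=None):
    """Two appends by syslogd, then a wipe of its log; copy after each."""
    workdir = workdir or tempfile.mkdtemp()
    src = os.path.join(workdir, "messages")       # inside the chroot
    dst = os.path.join(workdir, "messages.copy")  # outside the chroot
    runs, offset = [], 0
    for line, mode in ((LINE1, "ab"), (LINE2, "ab"), (LINE3, "wb")):
        with open(src, mode) as f:   # "wb" on the last step wipes the log
            f.write(line)
        offset, copied, truncated = sync_log(src, dst, offset)
        runs.append((copied, truncated))
    with open(dst, "rb") as f:
        return runs, f.read()

if __name__ == "__main__":
    print(run_demo())
```

The third run reports `truncated=True` and the outside copy still holds all three lines, which is exactly the signal an operator wants when the in-chroot log has been tampered with.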



    This archive was generated by hypermail 2b30 : Wed Nov 06 2002 - 18:03:24 PST