James Lee Bell wrote:
> Specifically, won't something along the way end up generating ICMP-host
> unreachables at some point for every log packet to the phantom logging
> host?

The phantom host might just ignore (i.e. drop packets silently on the floor) 53/udp traffic. Use a small computer for that purpose. Then, we won't talk about a phantom log host anymore.

Another thing to remember is that an attacker that sees @192.168.0.200 in /etc/syslog.conf and can actually ping(1) or traceroute(1) it might not even suspect there is something in the middle collecting packets.

Cheers,
Luis Bruno

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
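What the machine "in the middle collecting packets" would do with each frame it captures, as an added example that is not part of the original post: keep only UDP datagrams addressed to the log address and decode the syslog priority. The default port 514 (standard syslog), the function names and the sample frame are assumptions made for this example; how the frames are captured is left out.

```python
import socket
import struct

LOG_HOST = "192.168.0.200"   # address from the syslog.conf line in the post
SYSLOG_PORT = 514            # assumption: standard syslog UDP port

def build_frame(src_ip, dst_ip, dport, payload):
    """Constructed sample input: minimal Ethernet II / IPv4 / UDP frame."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    return eth + ip + udp

def extract_syslog(frame, log_host=LOG_HOST, port=SYSLOG_PORT):
    """Return (facility, severity, message) for a syslog datagram addressed
    to log_host, or None for any other frame."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":    # too short / not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IP header length
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 8:
        return None
    if ip[9] != 17 or ip[16:20] != socket.inet_aton(log_host):  # UDP to log host
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:          # non-first fragment
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", ip[ihl:ihl + 8])
    if dport != port or ulen < 8:
        return None
    text = ip[ihl + 8:ihl + ulen].decode("utf-8", "replace")
    end = text.find(">")
    if text.startswith("<") and 1 < end <= 4 and text[1:end].isdigit():
        pri = int(text[1:end])                            # PRI = facility*8 + severity
        return pri >> 3, pri & 7, text[end + 1:]
    return None, None, text                               # no PRI header; keep raw text

# Constructed sample: an auth.info message sent to the log address.
SAMPLE = build_frame("192.168.0.10", LOG_HOST, SYSLOG_PORT,
                     b"<38>sshd[412]: Failed password for root from 10.0.0.5")

if __name__ == "__main__":
    print(extract_syslog(SAMPLE))
```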