On Wed, 17 Oct 2001 peff-loganalat_private wrote in words of tamed electrons:

[ much thoughtful step-by-step analysis ]

> - logs are processed, alarms found
> - admin reviews logs through direct connection between workstation and
> log box (presumably ssh or ssl)

Our NFR SLR will raise an alert window on an admin's screen if an alarm
condition is matched... And the connection between the admin's console and
the logbox is authenticated and encrypted. If you are routing logs from a
machine that can run the agent software, the transmission of messages from
the host to the logbox can also be encrypted.

> And in fact, imagine
> you have a NIDS logging to the log box. It detects somebody Back
> Orificing your workstation. But the admin never sees the log because the
> Back Orificing attacker is able to intercept the logs not as they are
> logged but as they are being reviewed (so they are correctly logged, but
> nobody reads them).

If the attackers can compromise the admin workstation, you've pretty much
lost already, in terms of actively catching the attack. This is a
very-bad-case scenario... It's not "worst case" because you do have the
logs archived and secured on the logbox. After lockdown and cleanup, you can
review the logs for forensic evidence.

In the case of the NFR SLR, the attacker would need physical access to the
logbox to compromise the logs stored there. And without an admin password,
she would have to do it with a sledgehammer or a Very Large Magnet.

Apologies if this plug was too shameless,

Nick :^)

--
#include<stdio.h> /* SigMask 0.4 (sig.c) 20000913 PUBLIC DOMAIN "Compile Me" */
int main(c,v)char *v;{return !c?putchar(*v-1)&&main /* Make: cc -o sig sig.c */
(0,v+1):main(0,"Ojdl!Wbshjti!=obwAogs/ofu?!OGS!Tfojps!Tpguxbsf!Fohjoffs\v\1");}

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
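The point made above, that the archive on the logbox keeps its forensic value even when the reviewing workstation is compromised, can be illustrated with a keyed hash chain over stored records, which lets the reviewer detect edits, deletions and (given an independently held checkpoint) truncation. This is an added example, not NFR SLR code or anything posted in the thread; the key, the record format and the sample NIDS lines are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key. A real logbox keeps this key off the admin workstation,
# so a compromised reviewer can read records but cannot forge or re-tag them.
LOGBOX_KEY = b"demo-logbox-key-not-for-production"
GENESIS = "0" * 64

def _tag(prev_tag, message):
    # Each tag binds the record to everything logged before it.
    data = (prev_tag + "\n" + message).encode()
    return hmac.new(LOGBOX_KEY, data, hashlib.sha256).hexdigest()

def append_entry(chain, message):
    """Append a record; editing, dropping or reordering any earlier record breaks every later tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"msg": message, "tag": _tag(prev, message)})
    return chain[-1]["tag"]

def verify_chain(chain, expected_last_tag=None):
    """Recompute the chain; return (ok, index of first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        tag = _tag(prev, rec["msg"])
        if not hmac.compare_digest(tag, rec["tag"]):
            return False, i
        prev = tag
    # Cutting records off the tail leaves a valid shorter chain, so it is only
    # caught when the reviewer holds the last tag from an independent place
    # (e.g. the alert window or a periodic checkpoint kept off the logbox).
    if expected_last_tag is not None and not hmac.compare_digest(prev, expected_last_tag):
        return False, len(chain)
    return True, None

# Constructed sample records, modelled on the NIDS scenario in the thread.
SAMPLE = [
    "nids: tcp connect 192.0.2.10 -> admin-ws:31337",
    "nids: signature match: possible Back Orifice traffic to admin-ws",
    "sshd: accepted publickey for admin from admin-ws",
]

def demo():
    """Build the chain, then check it against three kinds of tampering."""
    chain = []
    for m in SAMPLE:
        last = append_entry(chain, m)
    edited = [dict(r) for r in chain]
    edited[1]["msg"] = "nids: no events"   # alarm record rewritten in place
    deleted = chain[:1] + chain[2:]        # alarm record dropped entirely
    truncated = chain[:2]                  # tail cut off the archive
    return (verify_chain(chain, last), verify_chain(edited, last),
            verify_chain(deleted, last), verify_chain(truncated), verify_chain(truncated, last))
```

Only the truncation case needs the externally held last tag; the in-place edit and the deletion are caught by the chain alone.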
This archive was generated by hypermail 2b30 : Thu Oct 18 2001 - 07:54:00 PDT