Re: [logs] Problems/Questions on PEO

From: Devin Kowatch (devinkat_private)
Date: Mon Apr 01 2002 - 12:12:11 PST


    On Sun, Mar 31, 2002 at 01:25:24AM -0500, Sweth Chandramouli wrote:
    > On Fri, Mar 29, 2002 at 12:24:16PM -0800, Devin Kowatch wrote:
    > > protocol).  In this situation it's basically impossible for the attacker
    > > to insert a message before the attack on A.  So we should get good,
    > > verifiable logs of the attack.  However, because it's impossible to 
    > > determine where the bad messages started, if an attacker inserts a bogus 
    > > message into the channel between A and L _after_ time t then all the log 
    > > entries are invalidated for the entire logging session. This will include
    > > the log entries that show the source and method used to gain access.  
    > 	Let's say that at some time "r", A is assumed to be safe
    > (i.e. uncompromised).  At some subsequent time "s", a hacker gains
    > privilege on A and logs of this event are (we hope) generated.  One copy
    > of those log entries should be going to the local logfile, and the hash
    > should be updated; another copy of those log entries is sent to L, where
    > another PEO hash is updated as well.  (K-Ai, the hash on A at any time
    > i, is used to determine the integrity of logs GENERATED ON A; K-Li, the
    > hash on L at any time i, is used to determine the integrity of logs
    > RECEIVED ON L.)
    
    You are right here; I was assuming (without realizing it) that the
    machine A would be generating the hash and sending it to the log server L,
    and that L would not be keeping its own hash.  There are still
    problems when the machine that is attacked is not logging to a remote
    log server (as in the case of the central log server).
    
    thanks,
    -- 
    Devin Kowatch
    devinkat_private
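    As an added example (not part of this thread or of PEO itself), the following Python sketch models the two independent hashes discussed above, K-A on A and K-L on L, and shows that comparing them locates the point where a bogus message was inserted into the A-to-L channel, something neither chain reveals when checked on its own. The key update K_{i+1} = H(K_i || entry_i) is an assumed simplification, not PEO's actual construction, and the log lines are constructed sample data.

```python
import hashlib


def next_key(key: bytes, entry: bytes) -> bytes:
    # Assumed simplified forward-secure update: the new key depends on the
    # old key and the entry; the old key is then discarded on the host.
    return hashlib.sha256(key + entry).digest()


def chain_keys(k0: bytes, entries: list) -> list:
    # keys[i] is the key after absorbing entries[0..i-1]; keys[0] is k0.
    keys = [k0]
    for e in entries:
        keys.append(next_key(keys[-1], e))
    return keys


def verify(k0: bytes, entries: list, final_key: bytes) -> bool:
    # A single chain only proves that the log file matches its own hash.
    return chain_keys(k0, entries)[-1] == final_key


def first_divergence(k0: bytes, a_entries: list, l_entries: list):
    # Recompute K-A and K-L from the shared initial secret and return the
    # index of the first entry on which they disagree (None if they agree).
    ka, kl = chain_keys(k0, a_entries), chain_keys(k0, l_entries)
    for i in range(min(len(ka), len(kl))):
        if ka[i] != kl[i]:
            return i - 1
    return None if len(ka) == len(kl) else min(len(ka), len(kl)) - 1


def simulate(k0: bytes) -> dict:
    # Constructed scenario: A generates three entries; an attacker injects a
    # bogus one into the A->L channel after the second, so L records four.
    a_entries = [b"login root from 10.0.0.5",
                 b"sudo: session opened for root",
                 b"cron: nightly job finished"]
    bogus = b"login root from 127.0.0.1"
    l_entries = a_entries[:2] + [bogus] + a_entries[2:]
    ka_final = chain_keys(k0, a_entries)[-1]
    kl_final = chain_keys(k0, l_entries)[-1]
    return {
        # Each log is consistent with its own hash, so neither side alone
        # shows that anything was inserted.
        "a_self_consistent": verify(k0, a_entries, ka_final),
        "l_self_consistent": verify(k0, l_entries, kl_final),
        # Cross-checking the chains pins the insertion to L's entry index 2.
        "divergence": first_divergence(k0, a_entries, l_entries),
        "suspect_entry": l_entries[first_divergence(k0, a_entries, l_entries)],
    }
```

Entries before the divergence index are vouched for by both chains; entries after it on A are only as trustworthy as A itself was at that time, since an attacker with privilege on A holds its current key.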
    
    



    This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 14:11:27 PST