RE: [logs] Re: Reliably detecting things like the SQL worm....

From: Rainer Gerhards (rgerhardsat_private)
Date: Mon Jan 27 2003 - 12:47:03 PST


    > > Rather, I'd say that you need to stay on top of security; anybody who
    > > had any MS-SQL servers anywhere approaching visible from the internet
    > > wasn't paying attention to basics.
    > 
    > I completely agree on that count - I was thinking more about the 
    > consequences of when someone inadvertently releases a worm inside the 
    > firewall (laptop, VPN, etc.). Being able to react quickly is key and 
    > that's much easier if you use some sort of QoS so your control requests 
    > get handled ahead of worm traffic (syslog should also be above normal 
    > priority but below the control channel). It sounds like what happened 
    > to BofA was a case of the ATM VLAN getting nailed because it shared 
    > physical connections with a separate VLAN which was getting the worm 
    > traffic.
    
    I agree that laptops and VPNs can be - and unfortunately often are - the
    weakest point in defense. I know it shouldn't be. But honestly - how
    often do you see machines more or less unprotected dialing out to the
    Internet? The same machines that are at least occasionally connected to
    the internal net. Again, this should not happen. But in reality it is...
    
    The QoS is an interesting point. But back to my question: DID syslog
    work under attack or not? Any experience or samples on that? I mean
    real-world ones...
    
    Rainer
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
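The question above (did syslog keep working while the worm flooded the network?) can be answered after the fact from the logs themselves, provided the logger emits a periodic heartbeat. The following script is an added example written for this archive page, not code posted by anyone in the thread: it parses constructed BSD-style syslog lines, flags minutes where the message rate spikes (the flood), and looks for gaps in syslogd's default `-- MARK --` heartbeat, since a missing heartbeat means the logger was starved or dropping messages in that window. The 20-minute MARK interval, the 2003 year, the host name `fw` and the 192.0.2.x addresses are assumptions for the sample, not values from the thread.

```python
"""Did syslog keep up during a traffic flood?  (added example, not from the thread)

Two checks a defender wants after an outbreak:
  * messages_per_minute / flood_minutes  - where the burst is in the log
  * mark_gaps                            - where syslogd's heartbeat stopped,
                                           i.e. where log lines may be missing
"""
import re
from collections import Counter
from datetime import datetime

MARK_INTERVAL_MIN = 20   # syslogd's default "-- MARK --" interval (assumed)
LOG_YEAR = 2003          # BSD syslog stamps carry no year; assumed here

# Constructed sample log: two normal heartbeats, a burst of firewall drops,
# then the next heartbeat arrives an hour late (two MARKs never made it).
SAMPLE_LOG = """\
Jan 25 05:00:00 fw syslogd: -- MARK --
Jan 25 05:20:00 fw syslogd: -- MARK --
Jan 25 05:31:02 fw kernel: DROP IN=eth0 SRC=192.0.2.10 PROTO=UDP
Jan 25 05:31:02 fw kernel: DROP IN=eth0 SRC=192.0.2.11 PROTO=UDP
Jan 25 05:31:03 fw kernel: DROP IN=eth0 SRC=192.0.2.12 PROTO=UDP
Jan 25 05:31:03 fw kernel: DROP IN=eth0 SRC=192.0.2.13 PROTO=UDP
Jan 25 05:31:04 fw kernel: DROP IN=eth0 SRC=192.0.2.14 PROTO=UDP
Jan 25 05:31:04 fw kernel: DROP IN=eth0 SRC=192.0.2.15 PROTO=UDP
Jan 25 06:20:00 fw syslogd: -- MARK --
Jan 25 06:40:00 fw syslogd: -- MARK --
"""

# "Mon dd HH:MM:SS host message" (the day may be padded with two spaces)
LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")


def parse_line(line, year=LOG_YEAR):
    """Return (timestamp, host, message) for one syslog line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = re.sub(r"\s+", " ", m.group(1))          # "Jan  5" -> "Jan 5"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3)


def parse_log(text, year=LOG_YEAR):
    """Parse every well-formed line; malformed lines are skipped."""
    return [rec for rec in (parse_line(l, year) for l in text.splitlines()) if rec]


def messages_per_minute(records):
    """Count messages per wall-clock minute; a spike is the flood itself."""
    return Counter(ts.replace(second=0) for ts, _, _ in records)


def flood_minutes(records, threshold):
    """Minutes whose message count reaches the threshold, in time order."""
    rate = messages_per_minute(records)
    return sorted(minute for minute, n in rate.items() if n >= threshold)


def mark_gaps(records, interval_min=MARK_INTERVAL_MIN):
    """Find stretches where syslogd's heartbeat went missing.

    Returns (previous_mark, next_mark, missed) tuples.  One or more missed
    heartbeats means the logger was silent longer than it should have been,
    so ordinary messages in that window may have been lost as well.
    """
    marks = [ts for ts, _, msg in records if msg.endswith("-- MARK --")]
    gaps = []
    for prev, nxt in zip(marks, marks[1:]):
        minutes = (nxt - prev).total_seconds() / 60
        missed = round(minutes / interval_min) - 1
        if missed >= 1:
            gaps.append((prev, nxt, missed))
    return gaps


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    rate = messages_per_minute(recs)
    for minute in flood_minutes(recs, threshold=5):
        print(f"flood: {minute:%H:%M} carried {rate[minute]} messages")
    for prev, nxt, missed in mark_gaps(recs):
        print(f"syslog silent {prev:%H:%M}-{nxt:%H:%M}: {missed} heartbeat(s) missing")
```

On the sample this reports a flood at 05:31 and a silent window from 05:20 to 06:20 with two heartbeats missing, which is exactly the evidence that syslog did not keep up. The heartbeat check only works if the interval is known and the logger actually emits MARK lines (syslogd's `-m` option controls it), so verify that on the real host before trusting a clean result.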
    