On Mon, 09 Feb 2004, Tina Bird wrote:

> here's a broad overview:
>
> http://www.linuxjournal.com/modules.php?op=modload&name=NS-lj-issues/issue92&file=5476s2
>
> basically, you pick a "fake" IP address for the apparent address of the
> DMZ logserver. all boxes in the DMZ get a static ARP entry for a fake MAC
> addr to go with the fake IP address. then you put an interface with no IP
> address in promiscuous mode and collect anything destined for UDP/514 on
> the apparent loghost.
>
> you can use tcpdump or snort or whatever you like to reassemble the syslog
> data out of the packets. i think JP Vossen has info on how to use snort
> for this on his web site, but i'm having trouble tracking it down
> anywhere...

If you do this, you might want to also use a one-way patch cable that allows
packets to flow only from the DMZ _to_ your log server. That way you don't
even have to use a "fake" IP address for the log host. The advantage is that
there is no way to compromise that system. [okay, there is, if someone would
manage to exploit the syslog daemon and ... - let's not go there].

This is also the way you can set up your NIDS: just attach it to the same
cable! Info about how to build such a one-way patch cable you can find on
snort.org: http://www.snort.org/docs/tap/

-raffy

--
Raffael Marty, CISSP
raffael.marty@private
Senior Security Engineer
Content Team @ ArcSight Inc.
1309 South Mary Ave.
Sunnyvale, CA 94087
(408) 328 5562

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
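The collector side of the scheme discussed in this thread (an IP-less promiscuous interface, or a NIDS on a one-way cable, picking out UDP/514 datagrams addressed to the apparent loghost), as an added example that is not code from the thread or from any of the tools mentioned. It decodes raw Ethernet/IPv4/UDP frames without scapy or libpcap, keeps only datagrams whose destination MAC and IP match the fake loghost, drops frames with a bad IPv4 header checksum rather than trusting them, and splits the syslog PRI field into facility and severity. The fake loghost address 10.1.1.250, the fake MAC 00:11:22:33:44:55 and the sample frames are all constructed for the example; in use you would feed `parse_frame` from a raw socket or a pcap file instead.

```python
"""Passive syslog collector for a "fake IP" DMZ loghost (added example).

Decodes raw Ethernet frames the way a promiscuous, IP-less interface sees
them, keeps UDP/514 datagrams addressed to the fake loghost, and parses the
syslog PRI. Addresses and sample frames below are constructed for the example.
"""
import struct
from dataclasses import dataclass

FAKE_LOGHOST_IP = "10.1.1.250"                    # constructed: apparent loghost address
FAKE_LOGHOST_MAC = bytes.fromhex("001122334455")  # constructed: static ARP entry on DMZ hosts
SYSLOG_PORT = 514

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron", "local0", "local1", "local2", "local3", "local4",
              "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


@dataclass
class SyslogRecord:
    src_ip: str
    facility: str
    severity: str
    message: str


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a valid complete header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_syslog(payload: bytes):
    """Split '<PRI>text' into (facility, severity, text), RFC 3164 style."""
    text = payload.decode("utf-8", errors="replace")
    if text.startswith("<") and ">" in text[:5]:
        pri_str, _, rest = text[1:].partition(">")
        if pri_str.isdigit() and int(pri_str) < 192:
            pri = int(pri_str)
            return FACILITIES[pri >> 3], SEVERITIES[pri & 7], rest
    return "user", "notice", text  # RFC 3164 default when PRI is missing or invalid


def parse_frame(frame: bytes):
    """Return a SyslogRecord for a UDP/514 datagram to the fake loghost, else None."""
    if len(frame) < 14 + 20 + 8:
        return None
    dst_mac, ethertype = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if dst_mac != FAKE_LOGHOST_MAC or ethertype != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip_checksum(ip[:ihl]) != 0:
        return None  # not IPv4, or a corrupted header: drop rather than trust it
    src_ip = ".".join(str(b) for b in ip[12:16])
    dst_ip = ".".join(str(b) for b in ip[16:20])
    if ip[9] != 17 or dst_ip != FAKE_LOGHOST_IP:  # protocol 17 = UDP
        return None
    udp = ip[ihl:]
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != SYSLOG_PORT or ulen < 8:
        return None
    facility, severity, text = parse_syslog(udp[8:ulen])
    return SyslogRecord(src_ip, facility, severity, text)


def build_frame(src_ip, dst_ip, dst_mac, dport, payload):
    """Construct an Ethernet/IPv4/UDP frame; used only to create sample input."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return dst_mac + bytes.fromhex("00aabbccddee") + b"\x08\x00" + hdr + udp


# Constructed sample traffic: two syslog datagrams to the fake loghost, one unrelated DNS query.
SAMPLE_FRAMES = [
    build_frame("10.1.1.20", FAKE_LOGHOST_IP, FAKE_LOGHOST_MAC, 514,
                b"<34>Feb  9 10:00:01 dmz-web sshd[123]: Failed password for root"),
    build_frame("10.1.1.21", FAKE_LOGHOST_IP, FAKE_LOGHOST_MAC, 514,
                b"<13>Feb  9 10:00:02 dmz-mail postfix: connection from client"),
    build_frame("10.1.1.20", "10.1.1.5", bytes.fromhex("00aabbccddff"), 53, b"not syslog"),
]


def collect(frames):
    """Run every frame through the filter and keep the syslog records."""
    return [rec for rec in map(parse_frame, frames) if rec is not None]


if __name__ == "__main__":
    for rec in collect(SAMPLE_FRAMES):
        print(f"{rec.src_ip} {rec.facility}.{rec.severity}: {rec.message}")
```

Because the interface carries no IP address and the cable (if built as a tap) cannot carry traffic back, the collector never answers ARP or UDP, which is the property the thread is after; the checksum and address checks matter because anything on the DMZ segment can put arbitrary frames on the wire, so the collector should parse defensively and log the source IP it observed rather than anything the payload claims.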
This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 18:49:43 PST