RE: [logs] Logging in the DMZ (fwd)

From: Kohlenberg, Toby (toby.kohlenberg@private)
Date: Mon Feb 09 2004 - 22:37:25 PST


    take a look at the explanation of how Sebek dumps logs to the
    network and how they are captured, it's pretty similar to what
    you're describing I think.
    
    t 
    
    >-----Original Message-----
    >From: loganalysis-bounces+toby.kohlenberg=intel.com@private
    >[mailto:loganalysis-bounces+toby.kohlenberg=intel.com@private] On Behalf Of Tina Bird
    >Sent: Monday, February 09, 2004 6:52 PM
    >To: Raffael Marty
    >Cc: loganalysis@private
    >Subject: Re: [logs] Logging in the DMZ (fwd)
    >
    >
    >On Mon, 9 Feb 2004, Raffael Marty wrote:
    >
    >> If you do this, you might want to also use a one-way patch-cable that
    >> allows packets to only flow from the DMZ _to_ your log server. That way
    >> you don't even have to use a "fake" IP address for the log host. The
    >> advantage is that there is no way to compromise that system. [okay,
    >> there is, if someone would manage to exploit the syslog daemon and ... -
    >> let's not go there]. This is also the way you can set up your NIDS, just
    >> attach it to the same cable!
    >
    >you can do this >also<, but it doesn't eliminate the need for the apparent
    >IP address.  the apparent address is what gets put into the machines on
    >the DMZ that will be generating the logs -- it's what gets them onto the
    >wire so the stealth server can sniff them.
    >
    >the stealth server remains invisible no matter what kind of cable you're
    >using, because it doesn't need to have an address visible on the DMZ.
    >
    >sorry i didn't explain it more clearly -- i'm continuing to look for a
    >better reference for the idea, and hoping i don't have to write it!
    >
    >cheers -- tbird
    >
    >--
    >It doesn't have to be our fault to be our responsibility.
    >
    >                                 -- Paul Robertson
    >
    >http://www.precision-guesswork.com
    >Log Analysis http://www.loganalysis.org
    >VPN http://vpn.shmoo.com
    >tbird's Security Alerts http://securecomputing.stanford.edu/alert.html
    >_______________________________________________
    >LogAnalysis mailing list
    >LogAnalysis@private
    >http://lists.shmoo.com/mailman/listinfo/loganalysis
    >
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
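
An added illustration of the "stealth" collector the thread describes (example code, not from any poster and not the Sebek implementation Toby refers to): the DMZ hosts are configured to send syslog to an "apparent" address that no machine answers for, and the collector, holding no address of its own on that segment, simply reads frames off the wire and keeps the UDP/514 datagrams destined for that apparent address. All addresses, MACs and log lines below are constructed; the apparent host `192.0.2.50` is an assumption. One practical assumption not spelled out in the thread: since nothing answers ARP for the apparent address, the sending hosts need a static ARP entry (or a route via the gateway) for it, or the datagrams never reach the wire.

```python
import socket
import struct

# Constructed values for this example (not from the thread): the "apparent"
# log-host address configured on the DMZ machines, and the UDP syslog port.
APPARENT_LOG_HOST = "192.0.2.50"
SYSLOG_PORT = 514
ETH_P_IP = b"\x08\x00"


def _checksum(data):
    """RFC 1071 one's-complement checksum used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syslog_frame(src_mac, dst_mac, src_ip, dst_ip, message, src_port=40000):
    """Build a raw Ethernet/IPv4/UDP frame carrying one syslog message.

    Only used to construct sample traffic offline; on a real DMZ the frame is
    emitted by the sending host's syslog daemon.
    """
    payload = message.encode()
    udp = struct.pack("!HHHH", src_port, SYSLOG_PORT, 8 + len(payload), 0) + payload
    fields = [0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
              socket.inet_aton(src_ip), socket.inet_aton(dst_ip)]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _checksum(hdr)
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + ETH_P_IP)
    return eth + hdr + udp


def extract_syslog(frame, apparent_host=APPARENT_LOG_HOST):
    """Return (src_ip, message) if the frame is a UDP syslog datagram sent to the
    apparent log host, else None.

    Pure parsing of a frame read off the wire: the collector never replies and
    never ARPs, so it needs no address of its own on the DMZ.
    """
    if len(frame) < 14 + 20 + 8 or frame[12:14] != ETH_P_IP:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 8:
        return None
    if _checksum(ip[:ihl]) != 0:                 # corrupted header: don't trust it
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    dst_ip = socket.inet_ntoa(ip[16:20])
    if ip[9] != 17 or dst_ip != apparent_host:   # not UDP, or not for "us"
        return None
    udp = ip[ihl:]
    dst_port, udp_len = struct.unpack("!HH", udp[2:6])
    if dst_port != SYSLOG_PORT or udp_len < 8 or len(udp) < udp_len:
        return None
    return src_ip, udp[8:udp_len].decode("utf-8", errors="replace")


def collect(frames, apparent_host=APPARENT_LOG_HOST):
    """Filter a batch of captured frames down to the syslog lines addressed to
    the apparent host (the sniffer loop's job, run over a list instead)."""
    out = []
    for frame in frames:
        hit = extract_syslog(frame, apparent_host)
        if hit:
            out.append(hit)
    return out


def sniff_linux(iface, apparent_host=APPARENT_LOG_HOST):
    """Live capture on Linux with an AF_PACKET raw socket (needs CAP_NET_RAW).
    Assumed platform detail: AF_PACKET and ETH_P_ALL (0x0003) are Linux-only."""
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    sock.bind((iface, 0))
    while True:
        hit = extract_syslog(sock.recv(65535), apparent_host)
        if hit:
            yield hit


if __name__ == "__main__":
    # Constructed sample traffic: one syslog line for the apparent host, one for
    # another address, and one non-IP frame; only the first survives the filter.
    sample = [
        build_syslog_frame("00:00:5e:00:53:01", "00:00:5e:00:53:02", "192.0.2.10",
                           APPARENT_LOG_HOST, "<34>Feb  9 18:52:01 dmzweb sshd[412]: Accepted publickey"),
        build_syslog_frame("00:00:5e:00:53:01", "00:00:5e:00:53:03", "192.0.2.10",
                           "192.0.2.77", "<34>Feb  9 18:52:02 dmzweb cron[99]: job ran"),
        b"\xff" * 14 + b"\x08\x06" + b"\x00" * 40,
    ]
    for src, line in collect(sample):
        print(src, line)
```

Because the collector only parses what it sees and transmits nothing, it works equally over a normal switch span port or the receive-only cable Raffael suggests; the one-way cable only adds the guarantee that nothing can reach the collector even if the parsing code has a bug. Note that the header checksum check rejects damaged frames rather than silently logging garbage from them.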
    



    This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 22:41:16 PST