[Dshield] New Client: TinyFirewall / Syslog

Johannes B. Ullrich jullrich at sans.org
Sun Mar 3 18:33:50 GMT 2002


> Could it be possible to imagine a DShield syslog server with
> the ability to receive "in real time" syslog reporting messages sent
> directly from various firewalls? Then the parsing of the various logs'
> formats should be handled by this "super" syslog server.... Am I dreaming?

Syslog is a very problematic protocol and is not intended for use
in the "wild". Syslog sends simple UDP messages that can be spoofed
and hijacked along the way. Some people describe syslog as an
un-authenticated disk filler.

If you have to send syslog messages across the internet, you should use 
some kind of encrypted channel.

For DShield, syslog would be very challenging to implement. The reason we
use e-mail for our submission is that it is an extremely robust protocol.
Mail servers will automatically queue and retry, you can define multiple
MX records to spread the load, and it is easy to queue the incoming
messages for orderly processing.

I can see more support for http/https submissions in the short future. But 
syslog is out of the question (even though it would be great...)

--
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System
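As an added illustration of the "un-authenticated disk filler" point above (example code, not part of the original post or of DShield): a minimal BSD-style syslog line parser with a per-source byte budget, which is the kind of bound a receiver exposed to unauthenticated UDP needs before anything is written to disk. The "<PRI>TIMESTAMP HOST TAG: MSG" layout, the class names and the sample lines are all assumptions of this example.

```python
# Added example, not code from the original mailing-list post.
import re
from collections import defaultdict

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Classic "<PRI>Mmm dd hh:mm:ss host tag: message" layout (assumed here).
_LINE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line):
    """Return a dict for a BSD-style syslog line, or None if it is malformed."""
    m = _LINE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:            # 24 facilities * 8 severities - 1
        return None
    return {
        "facility": FACILITIES[pri >> 3],
        "severity": SEVERITIES[pri & 7],
        "timestamp": m.group(2),
        "host": m.group(3),  # comes from the message body: the sender can write anything here
        "msg": m.group(4),
    }

class SyslogSink:
    """Accept datagrams, but never let one source exceed its byte budget."""
    def __init__(self, budget_per_source):
        self.budget = budget_per_source
        self.used = defaultdict(int)
        self.accepted = []
        self.dropped = 0

    def receive(self, src_ip, datagram):
        rec = parse_syslog(datagram)
        if rec is None or self.used[src_ip] + len(datagram) > self.budget:
            self.dropped += 1
            return False
        self.used[src_ip] += len(datagram)
        rec["src_ip"] = src_ip   # the IP-header address; over plain UDP this too is unverified
        self.accepted.append(rec)
        return True

if __name__ == "__main__":
    sink = SyslogSink(budget_per_source=100)
    for _ in range(4):   # constructed sample: one chatty sender
        sink.receive("192.0.2.10", "<34>Mar  3 18:33:50 fw1 kernel: DROP IN=eth0")
    print(len(sink.accepted), "accepted,", sink.dropped, "dropped")
```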


