[Dshield] New Client: TinyFirewall / Syslog
Johannes B. Ullrich
jullrich at sans.org
Sun Mar 3 18:33:50 GMT 2002
> Could it be possible to imagine a Dshield's syslog server with
> the ability to receive "in real time" syslog reporting messages sent
> from various firewalls? Then the parsing of the various logs' format
> should be handled by this "super" syslog server.... Am I dreaming?
Syslog is a very problematic protocol and is not intended for use
in the "wild". Syslog sends simple UDP messages that can be spoofed
and hijacked along the way. Some people describe syslog as an
un-authenticated disk filler.
If you have to send syslog messages across the internet, you should use
some kind of encrypted channel.
For DShield, syslog would be very challenging to implement. The reason we
use e-mail for our submission is that it is an extremely robust protocol.
Mail servers will automatically queue and retry, you can define multiple
MX records to spread the load and it is easy to queue the incoming
messages for orderly processing.
I can see more support for http/https submissions in the short future. But
syslog is out of the question (even though it would be great...)
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System
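The two points in the reply above, that plain syslog over the internet is unencrypted and unauthenticated, and that a submission channel should queue and retry the way mail does, shown as an added rsyslog configuration that is not part of the original post or of DShield. The weak UDP forwarding line is placed beside a TLS-wrapped, certificate-authenticated forwarding with a disk-assisted retry queue; host names, ports and certificate paths are assumptions.

```conf
### Sender (a firewall host forwarding to a remote collector) ###

# Weak setting: plain UDP syslog across the internet. Nothing is encrypted,
# the collector cannot verify who sent a message, and a source address can
# be forged. The collector name is an assumed placeholder.
*.* @collector.example.org:514

# Corrected setting: TLS over TCP with mutual certificate authentication.
# Needs rsyslog with the gtls netstream driver (rsyslog-gnutls package).
# Certificate and key paths are assumptions.
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/client-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/client-key.pem
# Mode 1 requires TLS; x509/name checks the collector's certificate name
# against the permitted peer, so a hijacked connection is refused.
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer collector.example.org
# Disk-assisted queue with unlimited retries: messages are buffered locally
# while the collector is unreachable, giving the queue-and-retry behaviour
# the reply credits to mail servers.
$ActionQueueType LinkedList
$ActionQueueFileName fwd_collector
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1
# @@ selects TCP; with the driver settings above the stream is TLS.
*.* @@collector.example.org:6514

### Collector (receiving side) ###
$ModLoad imtcp
$DefaultNetstreamDriver gtls
$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.pem
$DefaultNetstreamDriverCertFile /etc/rsyslog.d/server-cert.pem
$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/server-key.pem
# Only clients presenting a certificate issued by the shared CA for a name
# under the assumed example.org domain are accepted; everything else is
# dropped before it can fill the disk.
$InputTCPServerStreamDriverMode 1
$InputTCPServerStreamDriverAuthMode x509/name
$InputTCPServerStreamDriverPermittedPeer *.example.org
$InputTCPServerRun 6514
```

The collector should still not listen on UDP 514 from the internet at all; the TLS listener replaces it rather than supplementing it.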