[Dshield] Syslog Server Software

Jon R. Kibler Jon.Kibler at aset.com
Thu Mar 16 14:16:21 GMT 2006


Valdis.Kletnieks at vt.edu wrote:
> What happens if the attacker does:
> 
> for i in `seq 1 10000`; do logger -d -p local7.info "Yo! D00dz!"; done;
> <command that generates log messages he'd rather not have seen>

Most versions of syslog that I am familiar with do rate limited logging of non-unique messages or messages from a given source... thus, working around the above problem for the most part. 

Also, someone would have to have compromised a system first to be able to run logger -- meaning that the 'interesting' information would have already been logged. If the attacker was internal, and a legit user of the system, the fact that they generated so much garbage would be an immediate red flag.

Another point, too: You have to scale appropriately. The original poster said he had fewer than 2 dozen systems. In my experience, a dot matrix printer can handle 25 to 50 rather loaded servers, and up to a couple hundred lightly loaded systems. A single printer could never handle, for example, an entire university campus.

I never said the idea was perfect -- any security can be defeated, especially with inside knowledge -- but, I believe what I recommend is far better than the default.

Finally, I should add that in my experience, I have seen logs (and entire systems) wiped, but the central hard copy log has almost always contained enough information to figure out what happened. 

Jon Kibler
-- 
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214
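As an added illustration of the rate-limited duplicate logging Jon refers to, the following Python (example code, not from this thread or any syslog implementation) collapses consecutive repeats per host the way classic syslogd's "last message repeated N times" behaviour does, so a flood cannot push a later unique message off a slow sink like a printer, and it flags hosts whose volume is the "immediate red flag" he describes. The sample lines, hostnames and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines: a flood of identical noise from one host,
# followed by the message the flood is meant to bury, then an unrelated host.
SAMPLE_LINES = (
    ["Mar 16 14:16:21 web1 logger: Yo! D00dz!"] * 5
    + ["Mar 16 14:16:22 web1 sshd[4242]: Accepted publickey for admin from 10.0.0.5"]
    + ["Mar 16 14:16:22 db1 cron[11]: (root) CMD (run-parts /etc/cron.hourly)"]
)

# Minimal BSD-style syslog line: "Mon DD HH:MM:SS host message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")


def collapse_repeats(lines):
    """Suppress consecutive duplicate messages per host, emitting one
    'last message repeated N times' marker instead of the repeats."""
    out = []
    last = {}  # host -> (message, times seen in a row)

    def flush(host):
        msg, n = last[host]
        if n > 1:
            out.append(f"{host} last message repeated {n - 1} times")

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            out.append(line)  # pass unparseable lines through unchanged
            continue
        host, msg = m["host"], m["msg"]
        if host in last and last[host][0] == msg:
            last[host] = (msg, last[host][1] + 1)  # same message again: count it
            continue
        if host in last:
            flush(host)  # message changed: emit the marker for the previous run
        last[host] = (msg, 1)
        out.append(line)
    for host in last:
        flush(host)
    return out


def flood_sources(lines, threshold=4):
    """Return hosts that sent more than `threshold` messages (constructed
    value); an internal user producing this much garbage is the red flag."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[m["host"]] += 1
    return sorted(h for h, n in counts.items() if n > threshold)
```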



