[Dshield] Syslog Server Software
Jon R. Kibler
Jon.Kibler at aset.com
Thu Mar 16 14:16:21 GMT 2006
Valdis.Kletnieks at vt.edu wrote:
> What happens if the attacker does:
> for i in `seq 1 10000`; do logger -d -p local7.info "Yo! D00dz!"; done;
> <command that generates log messages he'd rather not have seen>
Most versions of syslog that I am familiar with do rate-limited logging of non-unique messages or of messages from a given source... thus working around the above problem for the most part.
Also, someone would have to have compromised a system first to be able to run logger -- meaning that the 'interesting' information would have already been logged. If the attacker was internal, and a legit user of the system, the fact that they generated so much garbage would be an immediate red flag.
Another point, too: You have to scale appropriately. The original poster said he had fewer than 2 dozen systems. In my experience, a dot matrix printer can handle 25 to 50 rather loaded servers, and up to a couple hundred lightly loaded systems. A single printer could never handle, for example, an entire university campus.
I never said the idea was perfect -- any security can be defeated, especially with inside knowledge -- but, I believe what I recommend is far better than the default.
Finally, I should add that in my experience, I have seen logs (and entire systems) wiped, but the central hard copy log has almost always contained enough information to figure out what happened.
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
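Added example, not from this thread or from any syslog implementation: Python that mimics the classic syslogd collapse of repeated messages Jon refers to, and also counts messages per host in a sliding window so that a burst like the one Valdis describes becomes the red flag itself instead of hiding the entry that matters. The BSD-style line format without a PRI field, the assumed year, the constructed log lines, and the threshold and window values are all assumptions.

```python
import re
from collections import deque
from datetime import datetime

# BSD-style syslog line without the PRI field: "Mar 16 14:16:21 host tag: message"
LINE_RE = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")

def parse(line):
    """Return (timestamp, host, tag, msg) or None; the year is assumed (syslog omits it)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("2006 " + m.group(1), "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def suppress_repeats(lines):
    """Collapse a run of identical (host, tag, msg) lines into the first line plus
    a 'last message repeated N times' line, the way classic syslogd does."""
    out, last, count = [], None, 0
    def flush():
        if count:
            out.append(f"{last[0]} {last[1]}: last message repeated {count} times")
    for line in lines:
        p = parse(line)
        key = p[1:] if p else None
        if key is not None and key == last:
            count += 1
            continue
        flush()
        out.append(line)
        last, count = key, 0
    flush()
    return out

def flood_sources(lines, threshold, window_s):
    """Hosts that emit more than `threshold` messages within any `window_s` seconds.
    Repeat suppression hides the noise; this makes the burst itself an alert."""
    recent, flagged = {}, set()
    for line in lines:
        p = parse(line)
        if p is None:
            continue
        ts, host = p[0], p[1]
        q = recent.setdefault(host, deque())
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold:
            flagged.add(host)
    return sorted(flagged)

# Constructed sample: one real sshd entry, 100 logger lines over five seconds, then quiet hosts.
SAMPLE = (
    ["Mar 16 14:16:20 ws01 sshd[412]: Accepted publickey for jon from 10.0.0.5"]
    + [f"Mar 16 14:16:{21 + i // 20} ws01 logger: Yo! D00dz!" for i in range(100)]
    + ["Mar 16 14:16:26 ws01 sshd[412]: session closed for user jon",
       "Mar 16 14:16:27 ws02 cron[88]: (root) CMD (run-parts /etc/cron.hourly)"]
)
```

On the sample, the 102 lines from ws01 collapse to four printed lines, and ws01 alone is flagged as a flood source at 50 messages per 10 seconds.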