
RE: Remote Syslogd

From: Gino Pietro Guidi <gguidi(at)hiddentiger.net>
Date: Mon Nov 04 2002 - 22:30:37 EST


I have recently come across an article that described secure logging using Snort. Basically Snort was configured to dump the contents of all syslog packets sent to a fake IP. Then that IP was set up as the loghost IP on the remote hosts. With this configuration, in theory, you wouldn't be able to hack into it provided the Snort box had no IPs on ANY interface and simply listened. It was interesting but I haven't gotten around to trying it yet. It sounds pretty strong to me though. I think it was in Linux Journal that I read about it. I could probably find the reference if anyone is interested...

Gino Guidi
gguidi@hiddentiger.net

-----Original Message-----
From: Tom Perrine [mailto:tep@sdsc.edu]
Sent: Friday, November 01, 2002 10:22 AM
To: paul@timmins.net
Cc: msconzo@shamu.tamu.edu; forensics@securityfocus.com
Subject: Re: Remote Syslogd

>>>>> On 30 Oct 2002 11:18:04 -0500, Paul Timmins <paul@timmins.net> said:

    PT> Another option I've employed at one point is to direct security logs to
    PT> /dev/lp0 and throw a dot matrix printer with a continuous feed of paper
    PT> on the parallel port (I did this on Linux, I'm sure it works on other
    PT> OSs).
    PT> Once they get into the machine, there's no way they can delete the logs.
    PT> I mean, they can move the paper back a line or two with the Epson
    PT> control sequences and try to print over it, but combined with a remote
    PT> logging server, you have evidence that is likely a lot easier to prove
    PT> wasn't tampered with (IANAL).
    PT> My $0.02.
    PT> -Paul

We used to do that. Way back when, e.g. 1994, we hooked up a DecWriter III (LA-120) to log all system logs that hit our loghost, to paper. As the volume picked up, we started only logging the authentication stuff. By 1996 or so, the volume was going through a box of fanfold or worse every shift.

I've often wanted to build a box that did the functional equivalent with a CD-burner, e.g. burn log records to CD (or DVD?) in real time.

-- 
Tom E. Perrine  | San Diego Supercomputer Center 
http://www.sdsc.edu/~tep/     | 

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
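The passive collector Gino describes at the top of the thread (a box with no IP address that records every syslog datagram sent to a decoy loghost address) can be sketched without Snort. The following is an added Python example, not code from the thread, the Linux Journal article or the Snort project: it decodes raw Ethernet/IPv4/UDP frames as they would arrive from a promiscuous interface, keeps only UDP/514 datagrams addressed to the decoy, and splits off the syslog PRI header. The decoy address `192.0.2.10`, the frame builder, the sample log lines and the names `DECOY_IP`, `parse_frame`, `collect`, `build_frame` and `sniff` are all this example's own constructions.

```python
# Added example (not from the thread): a passive syslog collector in the
# spirit of the "sniffer dumps packets sent to a fake loghost IP" design.
# The listening box has no IP address of its own; it reads raw frames from
# an interface in promiscuous mode and keeps only UDP/514 datagrams whose
# destination is the decoy address. Addresses, frames and log lines below
# are constructed for the example.
import struct
import ipaddress

DECOY_IP = "192.0.2.10"      # fake loghost address configured on the senders (constructed)
SYSLOG_PORT = 514
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(src, payload):
    """Split the classic <PRI> prefix (RFC 3164 style) off a syslog datagram."""
    text = payload.decode("utf-8", errors="replace")
    facility = severity = None
    if text.startswith("<"):
        end = text.find(">")
        if 0 < end <= 4 and text[1:end].isdigit():
            pri = int(text[1:end])
            if pri < 192:                      # 24 facilities * 8 severities
                facility = FACILITIES[pri >> 3]
                severity = SEVERITIES[pri & 7]
                text = text[end + 1:]
    return {"src": src, "facility": facility, "severity": severity, "msg": text}


def parse_frame(frame, decoy_ip=DECOY_IP):
    """Return a syslog record if the frame is a UDP/514 datagram to the decoy, else None.
    Checksums are not verified: the collector is a passive observer, not an endpoint."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]                            # strip the 14-byte Ethernet header
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP or ihl < 20 or total_len > len(ip):
        return None
    if str(ipaddress.IPv4Address(ip[16:20])) != decoy_ip:
        return None                            # not for the decoy loghost: ignore
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        return None
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    if dport != SYSLOG_PORT or ulen < 8 or ulen > len(udp):
        return None
    src = str(ipaddress.IPv4Address(ip[12:16]))
    return parse_syslog(src, udp[8:ulen])


def collect(frames, decoy_ip=DECOY_IP):
    """Run parse_frame over an iterable of raw frames and keep the syslog hits."""
    return [rec for rec in (parse_frame(f, decoy_ip) for f in frames) if rec]


def build_frame(src_ip, dst_ip, payload, proto=IPPROTO_UDP, dport=SYSLOG_PORT):
    """Constructed Ethernet/IPv4/UDP frame for offline testing (checksums left 0)."""
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def sniff(iface, sink, decoy_ip=DECOY_IP):
    """Live version (Linux AF_PACKET, needs CAP_NET_RAW): feed every hit to sink()."""
    import socket
    sock = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    sock.bind((iface, 0))
    while True:
        rec = parse_frame(sock.recv(65535), decoy_ip)
        if rec:
            sink(rec)


if __name__ == "__main__":
    demo = [
        build_frame("10.0.0.5", DECOY_IP, b"<38>Nov  4 22:30:37 web1 sshd[4242]: Accepted publickey for alice"),
        build_frame("10.0.0.5", "10.0.0.9", b"<38>not addressed to the decoy"),
        build_frame("10.0.0.7", DECOY_IP, b"<13>wrong port", dport=5140),
    ]
    for rec in collect(demo):
        print(rec)
```

Two points a practitioner would want alongside this: because the collector never answers ARP for the decoy address, each sender needs a static ARP entry for it (or a route through a gateway whose traffic the collector's interface can see), and the records should go straight to append-only or write-once media on the sniffing box, which is the property the printer and CD-burner ideas in this thread are after. The source address in each record is whatever the sender put on the wire; a passive listener cannot authenticate it, so a compromised host can still inject misleading lines even though it cannot reach the collector to remove them.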

Received on Wed Nov 6 06:26:17 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:41 EDT
