
Re: Remote Syslogd

From: James Lee Bell <nuclear-cowboy(at)cox.net>
Date: Wed Nov 06 2002 - 11:37:39 EST

I remember reading something about this as well. The (unvoiced) question I had then, as now, is what does this rig do to actual network traffic? Specifically, won't something along the way end up generating ICMP-host unreachables at some point for every log packet to the phantom logging host? Thinking this through, you know that the following hardware config isn't going to get packets pushed out the "correct" interface (where the snort box is hiding) without something ARPing for the phantom ip, a default gateway pointing inside (unlikely), or the phantom ip being some internal network that "int dev" is advertising as such.

   |
ext dev
   |
   +-- Snort
   |
int dev

In any of these cases, at some point "int dev" is going to be generating ICMP-"something" unreachables for every single syslog packet. Or am I missing something?

Gino Pietro Guidi wrote:

>I have recently come across an article that described secure logging



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Fri Nov 8 20:59:19 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:41 EDT
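
One way to test the question raised in the message against a packet capture, as an added example that is not part of the original post: the function below recognises an ICMP destination-unreachable whose quoted original datagram is UDP to port 514, and reports which device sent it and for which destination. The addresses (documentation range 192.0.2.0/24), the helper names and the sample packets are constructed for illustration.

```python
import socket
import struct

SYSLOG_PORT = 514
UNREACH_CODES = {0: "net", 1: "host", 2: "protocol", 3: "port"}

def build_ipv4(src, dst, proto, payload):
    """Constructed test data: minimal 20-byte IPv4 header, checksum left 0."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def build_udp(sport, dport, data=b""):
    """Constructed test data: UDP header (checksum 0) plus payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def syslog_unreachable(packet):
    """Return (reporter, code_name, unreachable_dst) when packet is an ICMP
    destination-unreachable quoting a UDP/514 datagram, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:       # 1 = ICMP
        return None
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type != 3:                                # 3 = dest unreachable
        return None
    inner = packet[ihl + 8:]      # quoted IP header + first 8 bytes of data
    if len(inner) < 20:
        return None
    inner_ihl = (inner[0] & 0x0F) * 4
    if inner[9] != 17 or len(inner) < inner_ihl + 8:  # 17 = UDP
        return None
    dport = struct.unpack("!H", inner[inner_ihl + 2:inner_ihl + 4])[0]
    if dport != SYSLOG_PORT:
        return None
    return (socket.inet_ntoa(packet[12:16]),
            UNREACH_CODES.get(code, str(code)),
            socket.inet_ntoa(inner[16:20]))

# Constructed samples: a log packet to a phantom host, and the host-unreachable
# that an inside device (here 192.0.2.1) would send back if it rejected it.
LOG_PKT = build_ipv4("192.0.2.10", "192.0.2.250", 17,
                     build_udp(40000, SYSLOG_PORT, b"<13>test"))
ICMP_ERR = build_ipv4("192.0.2.1", "192.0.2.10", 1,
                      struct.pack("!BBHI", 3, 1, 0, 0) + LOG_PKT[:28])
```

Counting the non-None results per reporter over a capture taken on the inside segment shows whether such errors are being generated and by which device.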
