
RE: Remote Syslogd

From: Gino Pietro Guidi <gguidi(at)hiddentiger.net>
Date: Wed Nov 06 2002 - 20:11:05 EST


I don't think that you would have to ARP for the IP if your switches support a "sniffer port". On Foundry it is called a mirror/monitor port and on Cisco I think it is called a SPAN port, but the concept is the same. You configure the switch to forward all traffic from a set of ports to another port. Depending on the number of hosts on that switch you may want to put your logger on gig and the rest on 100 Mb. This part of it I have used extensively on Ciscos and Foundrys for use with Snort as a standard IDS. If your switch doesn't support this capability then you may have a problem...

Gino

-----Original Message-----
From: James Lee Bell [mailto:nuclear-cowboy@cox.net]
Sent: Wednesday, November 06, 2002 8:38 AM
To: Gino Pietro Guidi; forensics@securityfocus.com
Subject: Re: Remote Syslogd

I remember reading something about this as well. The (unvoiced) question I had then, as now, is what does this rig do to actual network traffic? Specifically, won't something along the way end up generating ICMP host-unreachables at some point for every log packet to the phantom logging host? Thinking this through, you know that the following hardware config isn't going to get packets pushed out the "correct" interface (where the snort box is hiding) without something ARPing for the phantom IP, a default gateway pointing inside (unlikely), or the phantom IP being some internal network that "int dev" is advertising as such.

   |
ext dev

   |
   +-- Snort
   |
int dev


In any of these cases, at some point "int dev" is going to be generating ICMP "something" unreachables for every single syslog packet. Or am I missing something?

Gino Pietro Guidi wrote:

>I have recently come across an article that described secure logging
>loghost ip on the remote hosts. With this configuration, in theory, you
>wouldn't be able to hack into it provided the snort box had no ip's on ANY
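The passive-collector side of the rig the thread is debating, as an added example (this is not code from the original thread, nor from the article Gino refers to): a decoder for Ethernet frames copied off a mirror/SPAN port that pulls out syslog datagrams addressed to the phantom loghost, and that also recognizes the ICMP destination-unreachable messages James expects "int dev" to emit when nothing answers ARP for the phantom address, so the collector can tell whether that side effect is actually happening. The phantom address 10.0.0.250, the sender 10.0.0.20, the router 10.0.0.1, plain UDP/514 syslog, and the sample log line are all constructed assumptions; the AF_PACKET socket that would feed real frames from the mirror port needs root and is left out so the decoder runs offline.

```python
"""Passive syslog decoder for frames copied off a switch mirror/SPAN port.

Added example, not code from the original thread. Everything below about
addresses and traffic is a constructed assumption: the phantom loghost is
10.0.0.250, syslog is plain UDP/514, and frames arrive as raw Ethernet II
bytes (in production from an AF_PACKET socket bound to the mirror port,
which needs root and is omitted here).
"""
import struct

PHANTOM_LOGHOST = "10.0.0.250"   # hypothetical phantom loghost address
SYSLOG_PORT = 514


def ip_checksum(hdr):
    """One's-complement sum over 16-bit words (RFC 1071); 0 means 'verifies'."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options) with a valid header checksum."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_frame(ip_packet):
    """Ethernet II wrapper; MACs are placeholders (a mirror port copies them as-is)."""
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_packet


def parse_ipv4(pkt):
    """Return proto/src/dst/payload, or None if this is not a sane IPv4 header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl or ip_checksum(pkt[:ihl]) != 0:
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    return {"proto": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "payload": pkt[ihl:total_len]}


def parse_udp(seg):
    """Return ports and payload; 8 bytes is enough (ICMP quotes exactly that much)."""
    if len(seg) < 8:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", seg[:8])
    return {"sport": sport, "dport": dport, "payload": seg[8:ulen]}


def parse_syslog(data):
    """RFC 3164 style '<PRI>msg' where PRI = facility*8 + severity."""
    text = data.decode("ascii", errors="replace")
    if text.startswith("<"):
        pri, sep, msg = text[1:].partition(">")
        if sep and pri.isdigit() and int(pri) <= 191:
            return {"facility": int(pri) >> 3, "severity": int(pri) & 7, "msg": msg}
    return {"facility": None, "severity": None, "msg": text}


def classify_frame(frame):
    """One mirrored frame -> syslog record, ICMP-unreachable record, or 'other'."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":
        return {"kind": "other"}
    ip = parse_ipv4(frame[14:])
    if ip is None:
        return {"kind": "other"}
    if ip["proto"] == 17 and ip["dst"] == PHANTOM_LOGHOST:
        udp = parse_udp(ip["payload"])
        if udp and udp["dport"] == SYSLOG_PORT:
            rec = parse_syslog(udp["payload"])
            rec.update(kind="syslog", src=ip["src"])
            return rec
    if ip["proto"] == 1 and len(ip["payload"]) >= 36 and ip["payload"][0] == 3:
        # Destination Unreachable quotes the offending IP header plus 8 payload
        # bytes: enough to recover the original sender and the UDP ports.
        inner = parse_ipv4(ip["payload"][8:])
        if inner and inner["proto"] == 17 and inner["dst"] == PHANTOM_LOGHOST:
            udp = parse_udp(inner["payload"])
            if udp and udp["dport"] == SYSLOG_PORT:
                return {"kind": "icmp_unreachable", "code": ip["payload"][1],
                        "router": ip["src"], "sender": inner["src"]}
    return {"kind": "other"}


def collect(frames):
    """Run the decoder over a batch of mirrored frames."""
    return [classify_frame(f) for f in frames]


# Constructed sample traffic (not captured from any real network).
SYSLOG_MSG = b"<34>Nov  6 20:11:05 host1 sshd[1234]: Accepted publickey for root"
_udp = struct.pack("!HHHH", SYSLOG_PORT, SYSLOG_PORT, 8 + len(SYSLOG_MSG), 0) + SYSLOG_MSG
SYSLOG_PKT = build_ipv4("10.0.0.20", PHANTOM_LOGHOST, 17, _udp)
SYSLOG_FRAME = build_frame(SYSLOG_PKT)

# What the router would emit if nothing answers ARP for the phantom address:
# ICMP type 3 code 1 (host unreachable) back to the sender, quoting 28 bytes.
_icmp = struct.pack("!BBHI", 3, 1, 0, 0) + SYSLOG_PKT[:28]
_icmp = _icmp[:2] + struct.pack("!H", ip_checksum(_icmp)) + _icmp[4:]
UNREACH_FRAME = build_frame(build_ipv4("10.0.0.1", "10.0.0.20", 1, _icmp))

if __name__ == "__main__":
    for rec in collect([SYSLOG_FRAME, UNREACH_FRAME, b"\x00" * 40]):
        print(rec)
```

Because the collector verifies the IP header checksum and keys on the phantom destination address, a frame with a damaged header or one addressed elsewhere is dropped as "other" rather than turned into a log record, which matters on a SPAN port that also carries every other host's traffic. A steady stream of `icmp_unreachable` records with `router` set to the internal gateway is exactly the symptom James describes, and it means the phantom address needs a static ARP entry or route on that device rather than more sniffing.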



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Sat Nov 9 00:11:31 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:41 EDT

