Bugtraq mailing list archives
Re: syslog idea
From: bampton () cs utk edu (Howard the Energizer)
Date: Mon, 10 Oct 1994 13:25:01 -0400
In a message posted Monday, October 10 Paul Howell writes:
Fred Blonder writes:
> The limitation of Tripwire in this application is that log files are
> ALWAYS (well, almost) changing, so if Tripwire raised the alarm on a
> logfile, your reaction should be: "So what?". ;-)

I thought that tripwire would report if the log file got smaller, an indication that someone is removing records, yes? At least that seems like a reasonable thing to me.
I think the point was that a hacker could replace your 200KB log file that shows his activities with a 201KB (or whatever) one that is garbage (or been edited a bit). Tripwire will miss this.

If you have a program that checksums the file up to byte XXXX, compares that to what it was, then checksums it up to its current size (YYYY) which saves that value/size for the next run, you make it harder for the hacker to replace your logs.

[I think this has been mentioned in this thread, however]

Howard Bampton
Internet: bampton () cs utk edu
"The man without love gives no hostages to fortune." -- Black Omne
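The incremental check described in this message, written out as an added example (not code from the post or from Tripwire): it re-checksums the log up to the previously saved size, compares, then saves the checksum at the current size for the next run. SHA-256, the JSON state file, the function names and the sample log lines are assumptions of this example.

```python
import hashlib
import json
import os
import tempfile

def prefix_digest(path, length):
    """SHA-256 over the first `length` bytes (SHA-256 is this example's choice of checksum)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while length > 0:
            block = f.read(min(65536, length))
            if not block:
                break  # file is shorter than the requested prefix
            h.update(block)
            length -= len(block)
    return h.hexdigest()

def check_log(path, state_path):
    """Compare the log with the saved (size, digest) pair; return a verdict string."""
    size = os.path.getsize(path)
    verdict = "baseline"  # first run: nothing to compare against
    if os.path.exists(state_path):
        with open(state_path) as f:
            old = json.load(f)
        if size < old["size"]:
            verdict = "truncated"  # records removed (or the log was rotated)
        elif prefix_digest(path, old["size"]) != old["digest"]:
            verdict = "modified"  # bytes up to XXXX changed, even though the file grew
        else:
            verdict = "ok"  # append-only growth since the last run
    if verdict in ("baseline", "ok"):
        # Save size YYYY and its digest; on an alarm the old state is kept.
        with open(state_path, "w") as f:
            json.dump({"size": size, "digest": prefix_digest(path, size)}, f)
    return verdict

def demo():
    """Run the check over a constructed log: create, append, edit-and-grow, shrink."""
    with tempfile.TemporaryDirectory() as d:
        log, state = os.path.join(d, "messages"), os.path.join(d, "state.json")
        steps = [b"login root tty1\n", b"login root tty1\nsu: bob to root\n",
                 b"login root tty1\nsu: amy to root\ncron: started\n", b"login\n"]
        verdicts = []
        for content in steps:
            with open(log, "wb") as f:
                f.write(content)
            verdicts.append(check_log(log, state))
        return verdicts
```

The saved state is only as trustworthy as its storage, so keep it somewhere the account that writes the logs cannot modify; a legitimate log rotation shows up as "truncated" and needs a fresh baseline.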