Firewall Wizards mailing list archives
Re: WORM file system for logging
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 06 Aug 1998 10:19:20 -0400
Perhaps if you can tell us your requirements, we can suggest something that'd match more closely.
Well, the idea was simply to have a tamper proof syslog (apart from overrunning).
As far as I can tell, the easiest way to do that is to have a system that can read from the network and can't talk to it, then simply pull the syslog traffic off the wire and record it. You could build something like that fairly easily with a sniffer or an NFR that had the transmit lead on its network cable cut. That's a good way of securing it, but it does make it a pain to network manage. :) Hook a serial line up and strap it over to another system so you can tip/kermit in.
Anything but the WORM file system that we came up with has time windows in which the data could be modified after it has been received.
Even the WORM does, really, if you're not willing to trust the platform it's running on. [...]
of the huge amount of information we will not be able to concentrate everything, the 15 loghosts will act as filters that gather everything and pass on only the hot stuff.
Again, I don't want to sound like I'm doing a plug, but that's another thing NFR was designed to do. :) Collect and reduce locally, forward selected data and alerts centrally. The 2.0 release has all that stuff in it... In the interest of fairness, you can cobble together a similar system using tcpdump, grep, awk, perl, tpage, and sendmail, and it'll work in a manner of speaking.
How many sessions can a multisession CD handle?
Mine stops working after 5 but it could be a software problem in the driver -- I don't know the standard. :( One problem I've seen is that the good CD burning software is windows-based and it's all drag-and-droppy. I know there is some stuff for BSD/Linux but I think it doesn't look like a filesystem as far as its semantics. That's a tough problem to get around. Peter Honeyman's group at University of Michigan did a lot of work with a file store (kind of an NFRoid type thing) based on CDROM and they had pretty bad bandwidth problems, if I recall correctly. A more workable model (based on my experience) is to batch stuff to hard disk and periodically write to CD.
Is there a CD writer Software out there that runs from the commandline (On AIX and Solaris)?
I'd also be interested in knowing about such a beast if there is one.
mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
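The "collect and reduce locally, forward selected data centrally" model discussed in the message, as an added example that is not part of the original post and is not NFR code. It assumes BSD-style syslog payloads already pulled off the wire; the function names, the `err` threshold and the sample payloads are constructed for illustration.

```python
import re

# BSD syslog (RFC 3164) payloads start with "<PRI>", where PRI = facility*8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>")
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def parse_pri(datagram):
    """Return (facility, severity), or None if the PRI header is missing or invalid."""
    m = PRI_RE.match(datagram)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 23, severity 7 is the largest valid value
        return None
    return divmod(pri, 8)

def reduce_datagrams(datagrams, forward_at="err"):
    """Record every payload locally; select the ones to pass to the central host.

    Payloads without a usable PRI are selected as well, since malformed
    input arriving at a listen-only loghost deserves a look.
    """
    threshold = SEVERITIES.index(forward_at)
    local, forward = [], []
    for seq, raw in enumerate(datagrams):
        parsed = parse_pri(raw)
        text = raw.decode("utf-8", "replace").rstrip("\n")
        local.append((seq, text))  # the full record stays on the loghost
        if parsed is None or parsed[1] <= threshold:
            forward.append((seq, text))  # seq ties it back to the local record
    return local, forward

# Constructed sample payloads, as they would appear in captured UDP/514 packets.
SAMPLE = [
    b"<38>Aug  6 10:19:20 gw1 sshd[411]: Accepted password for ops",  # auth.info
    b"<34>Aug  6 10:19:21 gw1 su: BAD SU ops to root on /dev/ttyp0",  # auth.crit
    b"<3>Aug  6 10:19:25 db2 kernel: disk error on sd0",              # kern.err
    b"<999>Aug  6 10:19:26 gw1 junk",                                 # invalid PRI
    b"no header at all",
]

if __name__ == "__main__":
    local, forward = reduce_datagrams(SAMPLE)
    print(f"{len(local)} recorded locally, {len(forward)} forwarded")
    for seq, text in forward:
        print(seq, text)
```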