Honeypots mailing list archives

Re: Question about logging


From: Floydman <floydian_99 () yahoo com>
Date: Fri, 06 Dec 2002 08:46:00 -0500

Hi. First of all, you have to remember that your honeypot machines are by definition "vulnerable", while you'd want to spend more time on securing your log-storing server. Second, from what I can remember of Lance's papers (if you have enough machines), you don't really care about your log server, since all the traffic on the network is being sniffed. So the single fact of sending your logs to your log server means that they will also be captured by the sniffing machine. So at this point, you don't really have to worry about the log server (or if it gets hacked, it just becomes part of your honeynet), since all your logs are on an IP-less sniffing PC.

Hope it helps

Floydman

At 07:59 PM 05/12/2002, TJ O'Grady wrote:
Hello,

I am just getting my feet wet on some of the concepts in honeypots and intrusion detection. I was wondering if someone can point me in the direction of additional information on setting up logging. I am not understanding how a logging server can be available to copy logs to (via syslogd or some third party Windows tool) and yet not be vulnerable once the honeypot is compromised.

One solution I have come across involves disabling every service on a box except syslogd, except this still seems like it would be vulnerable, especially if the intruder was just trying to flood the log. And I'm not an SME on firewalls, so perhaps I am missing something.

Anyway, while I wouldn't expect an entire explanation in an email for such a broad subject, if anyone has thoughts on good sources I would appreciate it. I am not opposed to amazon.com links, I can get most texts at the local library with a wait.

Thanks,
TJ O'Grady
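The reply above rests on one idea: whatever the honeypot sends to the log server over the wire is also seen by a passive, IP-less sniffer, so the copy on the sniffer survives even if the log server is flooded or compromised. The following is an added example, not code from this thread or from any honeynet project, showing the sniffer side of that design: it takes UDP datagrams as a capture tool would hand them over, keeps only those bound for the BSD syslog port (514/UDP, RFC 3164 format), parses the priority, timestamp, hostname and message, and counts messages per source so a host that is flooding the log (the concern in the original question) stands out. The datagrams are constructed here for the example; the `SyslogRecord` type, `capture_syslog` and `flood_sources` are names chosen for this illustration.

```python
"""Passive collection of honeypot syslog traffic as an IP-less sniffer would see it.

Added example: constructed traffic, RFC 3164 (BSD syslog) message format assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

SYSLOG_PORT = 514  # UDP port a classic syslogd listens on

# Facility codes 0-11 and 16-23 (local0-local7); severity codes 0-7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog",
              "lpr", "news", "uucp", "cron", "authpriv", "ftp"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME MESSAGE, e.g. "<38>Dec  5 19:59:01 honeypot1 sshd[412]: ..."
_SYSLOG_RE = re.compile(
    rb"^<(?P<pri>\d{1,3})>"                            # PRI = facility * 8 + severity
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # BSD timestamp, day may be space-padded
    rb"(?P<host>\S+) "
    rb"(?P<msg>.*)$",
    re.DOTALL,
)

# (source IP, destination IP, destination UDP port, payload) as a capture tool would hand over.
Datagram = Tuple[str, str, int, bytes]


@dataclass(frozen=True)
class SyslogRecord:
    src_ip: str       # IP the datagram came from (the honeypot)
    facility: str
    severity: str
    timestamp: str
    hostname: str     # hostname claimed inside the message (attacker-controlled once the box is owned)
    message: str


def facility_name(code: int) -> str:
    if code < len(FACILITIES):
        return FACILITIES[code]
    if 16 <= code <= 23:
        return f"local{code - 16}"
    return f"facility{code}"


def parse_syslog(src_ip: str, payload: bytes) -> Optional[SyslogRecord]:
    """Parse one RFC 3164 datagram; return None for anything that is not well-formed syslog."""
    m = _SYSLOG_RE.match(payload)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # largest legal PRI: facility 23, severity 7
        return None
    facility, severity = divmod(pri, 8)
    return SyslogRecord(
        src_ip=src_ip,
        facility=facility_name(facility),
        severity=SEVERITIES[severity],
        timestamp=m.group("ts").decode("ascii"),
        hostname=m.group("host").decode("utf-8", errors="replace"),
        message=m.group("msg").decode("utf-8", errors="replace").rstrip("\n"),
    )


def capture_syslog(datagrams: Iterable[Datagram]) -> List[SyslogRecord]:
    """The sniffer's view: keep only traffic headed for the syslog port and parse what is valid.

    Nothing here replies on the network, which is why the sniffer itself needs no IP address.
    """
    records = []
    for src, _dst, dport, payload in datagrams:
        if dport != SYSLOG_PORT:
            continue
        rec = parse_syslog(src, payload)
        if rec is not None:
            records.append(rec)
    return records


def flood_sources(records: Iterable[SyslogRecord], threshold: int) -> Dict[str, int]:
    """Sources that sent more than `threshold` messages: a host trying to drown the log shows up here."""
    counts = Counter(r.src_ip for r in records)
    return {ip: n for ip, n in counts.items() if n > threshold}


def flood_datagrams(src_ip: str, count: int) -> List[Datagram]:
    """Constructed burst of identical messages from one source, to exercise flood_sources()."""
    payload = b"<13>Dec  5 20:01:00 honeypot1 logger: AAAAAAAAAAAAAAAA"
    return [(src_ip, "10.0.0.2", SYSLOG_PORT, payload) for _ in range(count)]


# Constructed sample traffic (not real captures): two honeypots forwarding to log server 10.0.0.2.
SAMPLE_DATAGRAMS: List[Datagram] = [
    ("10.0.0.5", "10.0.0.2", 514, b"<38>Dec  5 19:59:01 honeypot1 sshd[412]: Accepted password for root from 203.0.113.9 port 4021 ssh2"),
    ("10.0.0.5", "10.0.0.2", 514, b"<86>Dec  5 19:59:02 honeypot1 su: pam_unix(su:session): session opened for user root"),
    ("10.0.0.5", "10.0.0.2", 514, b"<30>Dec  5 19:59:03 honeypot1 inetd[88]: telnet from 203.0.113.9"),
    ("10.0.0.6", "10.0.0.2", 514, b"<13>Dec  5 19:59:04 honeypot2 logger: nightly check ok"),
    ("10.0.0.5", "10.0.0.2", 80, b"GET / HTTP/1.0\r\n\r\n"),            # not syslog: ignored
    ("10.0.0.5", "10.0.0.2", 514, b"garbage without a PRI header"),     # malformed: dropped
]

if __name__ == "__main__":
    for rec in capture_syslog(SAMPLE_DATAGRAMS):
        print(f"{rec.src_ip:<10} {rec.facility}.{rec.severity:<8} {rec.hostname} {rec.message}")
    print("flooding:", flood_sources(capture_syslog(SAMPLE_DATAGRAMS + flood_datagrams("10.0.0.9", 50)), 20))
```

Two points worth noticing when running it: the hostname inside the message is whatever the (possibly compromised) honeypot chose to write, so the record keeps the source IP separately, and a flood of messages hurts the log server's disk but costs the sniffer nothing more than the same number of parsed records, which is exactly the property the reply above relies on.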
