Firewall Wizards mailing list archives

Re: More Syslog Questions


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 19 Jul 2004 15:57:36 -0400

Nathaniel Hall wrote:
Server 1 receives all syslog messages and (using IPTables with DNAT) sends
the messages to any IP address. Since Server 2 is listening in promiscuous
mode, it should pick up all of the messages.

The honeynet guys do something very much like this (I think they are
using snort to collect the messages, though). Works great.

It's a big bummer that USB and firewire treat mass storage devices
as block devices only. A couple years ago I was looking into how hard
it'd be to have a host offer up a hard disk over USB/firewire to another
host, so you could provide a secure 'append only' medium. You could
do fun stuff like trap rename to mean "queue this file for writing to CDROM
and delete it when you're done" and prevent any other operations than
create and append. It'd still be possible to do this, except you'd have to
interpret filesystem ops, and that'd be really really ugly if you used a
filesystem much more complicated than FAT-32. Dunno if there'd be a
market for it, either.  I guess you could make an append-only fileserver
running smb chrooted and ip-fw to guard the stack, but the idea of a
firewire block device interface is attractive to me. Probably a market of
about 5 users for something like this, since it hasn't got a Java interface
and all. ;)

mjr.
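The two ideas in the exchange above, a promiscuous collector that keeps every syslog datagram regardless of the address DNAT put on it, and a sink that can only create and append, as an added example that is not part of the original thread or of anything the honeynet project published. The decoder, the facility/severity tables and the `build_frame` helper are mine; the frames it parses are constructed inline (Ethernet/IPv4/UDP with an absent UDP checksum), since a real collector would read them from an AF_PACKET socket or libpcap on an interface in promiscuous mode.

```python
import os
import re
import socket
import struct

# Hypothetical sniffer-side decoder for syslog/UDP frames seen in promiscuous mode.
SYSLOG_PORT = 514
ETH_P_IP = 0x0800
IPPROTO_UDP = 17

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 ones'-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total >> 16) + (total & 0xFFFF)
    return (~total) & 0xFFFF


def build_frame(src_ip, dst_ip, payload, sport=SYSLOG_PORT, dport=SYSLOG_PORT):
    """Constructed Ethernet/IPv4/UDP frame, used only to feed the parser offline."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP csum 0 = absent
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = b"\xff" * 6 + bytes.fromhex("001122334455") + struct.pack("!H", ETH_P_IP)
    return eth + ip + udp


def parse_frame(frame: bytes):
    """Decode one frame; return a record dict for syslog/UDP traffic, else None.

    The destination address is recorded but never used to decide whether to keep
    the message: a promiscuous collector sees DNAT'd datagrams addressed to any IP.
    """
    if len(frame) < 14 + 20 + 8 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IP:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or len(ip) < total_len:
        return None
    if ip_checksum(ip[:ihl]) != 0 or ip[9] != IPPROTO_UDP:
        return None  # corrupt header, or not UDP at all
    udp = ip[ihl:total_len]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    if dport != SYSLOG_PORT or ulen < 8 or ulen > len(udp):
        return None
    payload = udp[8:ulen]
    m = PRI_RE.match(payload)
    if m and int(m.group(1)) <= 191:
        pri, msg = int(m.group(1)), m.group(2)
    else:
        pri, msg = 13, payload  # RFC 3164 4.3.3: no valid PRI, treat as user.notice
    return {
        "src": socket.inet_ntoa(ip[12:16]),
        "dst": socket.inet_ntoa(ip[16:20]),
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "msg": msg.decode("utf-8", "replace").rstrip("\r\n"),
    }


def format_record(rec) -> str:
    """One line per message; embedded newlines are escaped so one line is one record."""
    return "%s %s %s.%s %s" % (rec["src"], rec["dst"], rec["facility"], rec["severity"],
                               rec["msg"].replace("\n", "\\n"))


def append_record(path: str, rec) -> int:
    """Write with O_APPEND only: the collector never seeks, truncates or rewrites."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        return os.write(fd, (format_record(rec) + "\n").encode())
    finally:
        os.close(fd)


if __name__ == "__main__":
    # Constructed sample traffic: two syslog datagrams DNAT'd to unrelated IPs, one DNS packet.
    samples = [
        build_frame("10.0.0.5", "192.0.2.1", b"<34>Jul 19 15:57:36 fw su: 'su root' failed for mjr"),
        build_frame("10.0.0.7", "198.51.100.9", b"Jul 19 15:58:01 db cron[412]: session opened"),
        build_frame("10.0.0.5", "192.0.2.1", b"\x00\x01\x01\x00", sport=5353, dport=53),
    ]
    for f in samples:
        rec = parse_frame(f)
        if rec:
            append_record("/tmp/syslog-sniff.log", rec)
            print(format_record(rec))
```

`O_APPEND` only keeps this process honest; it does nothing against an attacker who gets root on the collector and truncates the file, which is the gap the append-only block device in the message is meant to close. On a Linux collector the closest cheap approximation is `chattr +a` on the log file, so that even the collector's own uid can only append.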

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

