Honeypots mailing list archives

Re: Question about logging


From: Ryan Barnett <RCBarnett () hushmail com>
Date: 6 Dec 2002 13:14:27 -0000

In-Reply-To: <EF42E5D3-08B5-11D7-B946-0050E4590550 () flyingwithouta net>

> Hello,
> 
> I am just getting my feet wet on some of the concepts in honeypots and 
> intrusion detection. I was wondering if someone can point me in the 
> direction of additional information on setting up logging. I am not 
> understanding how a logging server can be available to copy logs to 
> (via syslogd or some third party Windows tool) and yet not be 
> vulnerable once the honeypot is compromised.
> 
> One solution I have come across involves disabling every service on a 
> box except syslogd, except this still seems like it would be 
> vulnerable, especially if the intruder was just trying to flood the 
> log. And I'm not an SME on firewalls, so perhaps I am missing something.

You are correct in identifying this Catch-22 - You need to send your 
logging data to a remote host to protect them, but how do you then protect 
your remote host???  If you send Syslogs to a remote host - the attacker 
can attack this host as well.  Many a Honeypotter has run into this 
before, either with the attacker sending massive amounts of bogus data to 
fill up the remote-syslog host or to try and compromise the syslog-host 
altogether.  Depending on your GOAL for your honeypot, this is not 
entirely a BAD thing.  Here is a snippet from the Honeynet Project's 
Whitepaper describing this issue:

"More advanced blackhats will attempt to compromise the remote syslog 
server in an attempt to cover their tracks. This is exactly what we want 
to occur. The syslog server is normally a far more secured system. This 
means for a blackhat to successfully take control of such a system they 
will have to use more advanced techniques, which we will capture and learn 
from. If the syslog server is compromised, we have lost nothing. Yes, the 
blackhat can gain control of the system and wipe the logs. However, do not 
forget, our IDS sensor that is on the network passively captured and 
recorded all of the logging activity that happened on the network. In 
reality, the IDS system acts as a second remote log system, as it 
passively captured all the network data."

In this passage, the Honeynet Project not only describes the added 
information which could be gained by having an attacker target your remote 
syslog system, but it also tells you how to have a "passive" backup for 
your syslog host - the Network IDS system.  Since Syslog will send its 
data out in clear text, a properly placed Sniffer could capture this 
data.  Another similar technique is to specify a Non-Existent Remote 
Syslog host on your honeypot.  This way, the honeypot syslog data is sent 
out on the wire to a non-existent host and the NIDS can pick it up.  This 
way you can still get the data and the attacker does not have a target.

Hope this helps.

############################
Ryan C. Barnett
Senior Security Engineer
SANS: GCFA, GCIH, GCUX, GSEC
############################
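The passive capture described in the reply above, as an added example that is not part of the original thread: a small Python decoder that pulls syslog datagrams off raw IPv4/UDP frames the way a NIDS sensor would, including datagrams addressed to a syslog host that does not exist. The addresses, hostnames and log lines are constructed sample data; the frame builder exists only to produce that sample input.

```python
import struct

SYSLOG_PORT = 514  # UDP port syslogd uses for remote logging (RFC 3164)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def build_syslog_frame(src, dst, text):
    """Construct a raw IPv4/UDP frame carrying a syslog message (sample input only).
    Checksums are left zero, which is enough for the parser below."""
    payload = text.encode()
    udp = struct.pack("!HHHH", SYSLOG_PORT, SYSLOG_PORT, 8 + len(payload), 0) + payload
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_b, dst_b)
    return ip + udp

def parse_syslog_frame(frame):
    """Decode one raw IPv4 frame sniffed off the wire. Returns a record for any UDP/514
    syslog datagram, whether or not anything answers at the destination, else None."""
    if len(frame) < 28 or frame[0] >> 4 != 4 or frame[9] != 17:  # IPv4 carrying UDP
        return None
    ihl = (frame[0] & 0x0F) * 4
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    if dport != SYSLOG_PORT:
        return None
    text = frame[ihl + 8:ihl + ulen].decode("utf-8", errors="replace")
    facility = severity = None
    if text.startswith("<") and ">" in text[:5]:  # RFC 3164 PRI = facility*8 + severity
        pri, text = text[1:].split(">", 1)
        if pri.isdigit() and int(pri) < 192:
            facility, severity = divmod(int(pri), 8)
    return {"src": src, "dst": dst, "facility": facility,
            "severity": SEVERITIES[severity] if severity is not None else None,
            "msg": text}

def collect(frames, honeypot_ip):
    """The passive 'second remote log system': keep every syslog datagram the honeypot
    emitted, regardless of whether the configured remote syslog host exists."""
    return [r for r in map(parse_syslog_frame, frames) if r and r["src"] == honeypot_ip]

# Constructed sample traffic: the honeypot (10.0.0.5) logs to an unused address (10.0.0.250).
SAMPLE_FRAMES = [
    build_syslog_frame("10.0.0.5", "10.0.0.250",
                       "<34>Dec  6 13:14:27 honeypot sshd[812]: Accepted password for root from 192.0.2.10"),
    build_syslog_frame("10.0.0.5", "10.0.0.250",
                       "<86>Dec  6 13:15:02 honeypot su: session opened for user root"),
    build_syslog_frame("10.0.0.9", "10.0.0.1", "<13>Dec  6 13:15:10 workstation user: unrelated chatter"),
]

if __name__ == "__main__":
    for rec in collect(SAMPLE_FRAMES, "10.0.0.5"):
        print(rec)
```

A real sensor would feed frames from a capture interface or pcap file into collect(); the honeypot's own syslogd never knows whether 10.0.0.250 exists.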