Honeypots mailing list archives
Re: Question about logging
From: Ryan Barnett <RCBarnett () hushmail com>
Date: 6 Dec 2002 13:14:27 -0000
In-Reply-To: <EF42E5D3-08B5-11D7-B946-0050E4590550 () flyingwithouta net>
> Hello, I am just getting my feet wet on some of the concepts in honeypots and intrusion detection. I was wondering if someone can point me in the direction of additional information on setting up logging. I am not understanding how a logging server can be available to copy logs to (via syslogd or some third party Windows tool) and yet not be vulnerable once the honeypot is compromised. One solution I have come across involves disabling every service on a box except syslogd, except this still seems like it would be vulnerable, especially if the intruder was just trying to flood the log. And I'm not an SME on firewalls, so perhaps I am missing something.
You are correct in identifying this Catch-22 - You need to send your logging data to a remote host to protect them, but how do you then protect your remote host??? If you send Syslogs to a remote host - the attacker can attack this host as well. Many a Honeypotter has run into this before, either with the attacker sending massive amounts of bogus data to fill up the remote-syslog host or trying to compromise the syslog-host altogether. Depending on your GOAL for your honeypot, this is not entirely a BAD thing. Here is a snippet from the Honeynet Project's Whitepaper describing this issue:

"More advanced blackhats will attempt to compromise the remote syslog server in an attempt to cover their tracks. This is exactly what we want to occur. The syslog server is normally a far more secured system. This means for a blackhat to successfully take control of such a system they will have to use more advanced techniques, which we will capture and learn from. If the syslog server is compromised, we have lost nothing. Yes, the blackhat can gain control of the system and wipe the logs. However, do not forget, our IDS sensor that is on the network passively captured and recorded all of the logging activity that happened on the network. In reality, the IDS system acts as a second remote log system, as it passively captured all the network data."

In this passage, the Honeynet Project not only describes the added information which could be gained by having an attacker target your remote syslog system, but it also tells you how to have a "passive" backup for your syslog host - the Network IDS system. Since Syslog will send its data out in clear text, a properly placed Sniffer could capture this data.

Another similar technique is to specify a Non-Existent Remote Syslog host on your honeypot. This way, the honeypot syslog data is sent out on the wire to a non-existent host and the NIDS can pick it up. This way you can still get the data and the attacker does not have a target.
Hope this helps.

############################
Ryan C. Barnett
Senior Security Engineer
SANS: GCFA, GCIH, GCUX, GSEC
############################
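As an added example (not part of Ryan's post or of the Honeynet Project's material), here is what the "passive backup" looks like on the sensor side: a small Python decoder that takes the raw UDP/514 payloads a sniffer would see when the honeypot forwards syslog to an address nobody answers, turns each one into a facility/severity/host/message record, counts the datagrams it cannot parse, and flags messages repeated often enough to look like the log flooding the original question worried about. The syslog.conf line, the unreachable address 192.0.2.250, the hostnames and every datagram below are constructed for this example; on a real sensor the payloads would come from a pcap or a raw socket.

```python
"""
Passive reconstruction of remote-syslog traffic as a network sensor sees it.

Assumption (constructed for this example, not from the post): the honeypot's
syslog.conf contains a line such as

    *.*    @192.0.2.250

pointing at an address with no host behind it, so every BSD-syslog datagram
is visible on the wire to the sniffer even though nothing receives it.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# RFC 3164 facility and severity names, indexed by PRI >> 3 and PRI & 7.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_PRI = 23 * 8 + 7  # highest PRI a well-formed message can carry (191)

# BSD syslog line on the wire: <PRI>Mmm dd hh:mm:ss hostname tag: message
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogRecord:
    facility: str
    severity: str
    timestamp: str
    host: str
    message: str


def parse_datagram(payload: bytes) -> Optional[SyslogRecord]:
    """Decode one UDP/514 payload; return None when it is not well-formed syslog."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    match = _LINE.match(text.rstrip("\n"))
    if match is None:
        return None
    pri = int(match.group("pri"))
    if pri > MAX_PRI:
        return None
    return SyslogRecord(
        facility=FACILITIES[pri >> 3],
        severity=SEVERITIES[pri & 7],
        timestamp=match.group("ts"),
        host=match.group("host"),
        message=match.group("msg"),
    )


def collect(datagrams: Iterable[bytes],
            flood_threshold: int = 5) -> Tuple[List[SyslogRecord], int, List[str]]:
    """Parse every captured datagram.

    Returns the decoded records, the number of datagrams that were not
    parseable, and the message texts that repeated at least flood_threshold
    times, which is the simplest indicator of someone stuffing the log.
    """
    records: List[SyslogRecord] = []
    repeats: Counter = Counter()
    malformed = 0
    for payload in datagrams:
        rec = parse_datagram(payload)
        if rec is None:
            malformed += 1
            continue
        records.append(rec)
        repeats[rec.message] += 1
    flooded = sorted(msg for msg, n in repeats.items() if n >= flood_threshold)
    return records, malformed, flooded


# Constructed sample datagrams, as the sensor would capture them on UDP/514.
SAMPLE_DATAGRAMS = [
    b"<38>Dec  6 13:14:27 honeypot sshd[812]: Accepted password for root "
    b"from 203.0.113.7 port 40211 ssh2\n",                      # auth.info
    b"<86>Dec  6 13:14:31 honeypot su[815]: root to nobody on /dev/pts/1",  # authpriv.info
] + [b"<13>Dec  6 13:14:40 honeypot logger: AAAAAAAA"] * 6 + [   # user.notice, repeated
    b"\xff\xfe\x00not syslog at all",                           # undecodable
    b"<999>Dec  6 13:14:41 honeypot bogus: PRI out of range",   # illegal PRI
]

if __name__ == "__main__":
    recs, bad, flooded = collect(SAMPLE_DATAGRAMS)
    for r in recs:
        print(f"{r.facility}.{r.severity} {r.timestamp} {r.host} {r.message}")
    print(f"{len(recs)} records, {bad} malformed, flooding messages: {flooded}")
```

Because the sensor never answers, there is no listening socket for the intruder to aim at, which is the point of the non-existent-host trick; the cost is that anything the sniffer drops is gone, so the sensor's capture buffer and disk need the same attention a real loghost would get.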
Current thread:
- Question about logging TJ O'Grady (Dec 05)
- Re: Question about logging Valdis . Kletnieks (Dec 05)
- Re: Question about logging Curq (Dec 06)
- Re: Question about logging Floydman (Dec 06)
- <Possible follow-ups>
- Re: Question about logging Ryan Barnett (Dec 06)
- Re: Question about logging Valdis . Kletnieks (Dec 05)