Re: Syslog forwarding with IP spoofing

[Kurt Seifried <kseifrie () redhat com>]

I think messages like this may lead to a lot of "buy product X" (which we just had now....). I'd rather the list not 
become a commercial free for all.


-Kurt





> On Aug 1, 2017, at 11:33, Mikhail Utin <mikhailutin () hotmail com> wrote:
>
> Hello,
>
> Indeed, it is our of this list topic.
>
> Options for The Alexander:
>
>  1.  Normal SIEM will work with syslog as it is widely supported format and will know where the log comes from by 
> data source configuration.
>  2.  The "open source tool" is Perl, you can create any log format from any data sources and then send to SIEM.
>  3.  Talk to SIEM tech support. Good vendor will advise. If you do not have SIEM, buy LogRhythm. That should work. 
> Freeware OSSIM I would bet will work with syslog as well.
>  4.  Alexander can email me mikhailutin () hotmail com for details.
>
>
> Mikhail Utin, CISSP
>
>
> ________________________________
> From: Solar Designer <solar () openwall com>
> Sent: Tuesday, August 1, 2017 13:06
> To: Александр Носарев
> Cc: oss-security () lists openwall com
> Subject: Re: [oss-security] Syslog forwarding with IP spoofing
>
> Hi all,
>
> > On Tue, Aug 01, 2017 at 05:27:26PM +0300, Александр Носарев wrote:
> > I need to recive syslog messages, filter them and send them forward to the
> > SIEM.
> >
> > Also HOST field is not represented in syslog, so i need to spoof IP of
> > forwarding
> > packets to bind messages recived by SIEM to it's original source IP.
> >
> > If i will try to add some marks to syslog message, I will need to override
> > parsers for each syslog source type, so it seems like abad idea.
> >
> > Is there any open source tool for that task?
>
> Somehow we almost didn't have this sort of messages - someone seeking an
> open source security tool - sent in here so far.  Do we want them in
> here going forward?  The current list content guidelines do not address
> this possibility, as it certainly wasn't the purpose of the oss-security
> list so far.  Is there another mailing list where the above message
> would have been more appropriate?
>
> http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines
> mailing-lists:oss-security 
> [OSS-Security]<http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines>
> oss-security.openwall.org
> The purpose of the Open Source Security (oss-security) group is to encourage public discussion of security flaws, 
> concepts, and practices in the Open Source community.
>
>
>
> Meanwhile, please feel free to address the actual question about the
> tool.  (I don't know of such a tool.)
>
> Alexander