LogAnalysis
[logs] Passive syslog monitoring Jan 29 2008 11:00PM
ron dilley (ron dilley gmail com) (1 replies)
Re: [logs] Passive syslog monitoring Jan 30 2008 12:06AM
Mordechai T. Abzug (morty frakir org) (1 replies)
Re: [logs] Passive syslog monitoring Jan 30 2008 12:25AM
ron dilley (ron dilley gmail com)
Morty,

No argument there.

I built the first version to monitor a DMZ where I was unable to get the
system administrators and network administrators to send their log data to a
central repository. I put a box with lots of disk in the DMZ and always had
the logs that I needed. When I was finally able to get them to see the
advantage of having all the data in one place, I had the firewall rules they
used to send the data to their internal log servers removed and had them
point their clients to a silent drop rule while all logs were sucked off the
wire.

Later, I implemented a log analysis appliance that wanted logs to come from
the clients directly. This did not work for me as I had a well established
central logging infrastructure so I modified psmd to suck the traffic
destined for loghost off the wire and forward them to the appliance as
though they had come directly from the clients.

Ron

On Jan 29, 2008 4:06 PM, Mordechai T. Abzug <morty (at) frakir (dot) org [email concealed]> wrote:

> On Tue, Jan 29, 2008 at 03:00:17PM -0800, ron dilley wrote:
>
> > I have just posted an update to the Passive Syslog Monitoring Daemon
> > ( http://sourceforge.net/projects/psmd).
>
> That sounds cool. But what's the point? The risk of running a daemon
> is not because your OS has an open socket, it's because you're
> processing untrusted data. Most security checklists say to disable
> open sockets, but only because they equate open sockets with
> processing untrusted data. A passively listening daemon is still
> processing untrusted data.
>
> - Morty
>
_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
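Morty's point, that a daemon sniffing syslog off the wire is still parsing attacker-controllable bytes, is worth seeing in code. The example below is an added illustration and is not psmd's code or anything from the project. It assumes captured IPv4/UDP datagrams with the link-layer header already stripped, syslog on UDP port 514, and RFC 3164 style `<PRI>` headers; every length field, the PRI value, and the message text are validated or bounded before use, and a packet-builder helper is included only so the sample input can be constructed offline.

```python
"""Defensive decoding of passively captured syslog/UDP datagrams.

Added example (not psmd's code). Every byte that arrives off the wire is
treated as untrusted: header lengths are cross-checked against what was
actually captured, the PRI field is range-checked, and the message text is
length-bounded and stripped of control characters before it is stored.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSLOG_PORT = 514          # assumed destination port for sniffed syslog
IPPROTO_UDP = 17
MAX_MSG_LEN = 1024         # RFC 3164 maximum message length


@dataclass
class SyslogRecord:
    src: str
    dst: str
    facility: int
    severity: int
    message: str


def _ipv4(octets: bytes) -> str:
    return ".".join(str(o) for o in octets)


def extract_udp_payload(frame: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Parse an IPv4/UDP datagram; return (src, dst, sport, dport, payload) or None.

    Returns None for anything truncated, non-IPv4, non-UDP, or whose length
    fields disagree with the bytes actually captured.
    """
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if ihl < 20 or len(frame) < ihl + 8:
        return None
    total_len = struct.unpack("!H", frame[2:4])[0]
    if frame[9] != IPPROTO_UDP or total_len < ihl + 8 or total_len > len(frame):
        return None
    sport, dport, ulen = struct.unpack("!HHH", frame[ihl:ihl + 6])
    if ulen < 8 or ihl + ulen > total_len:
        return None
    return _ipv4(frame[12:16]), _ipv4(frame[16:20]), sport, dport, frame[ihl + 8:ihl + ulen]


def parse_syslog(payload: bytes) -> Tuple[int, int, str]:
    """Return (facility, severity, message) from an untrusted syslog payload."""
    data = payload[:MAX_MSG_LEN]          # never let one packet grow the record unbounded
    facility, severity = 1, 5             # RFC 3164 defaults (user.notice) when PRI is absent/invalid
    if data.startswith(b"<"):
        end = data.find(b">", 1, 5)       # PRI is 1 to 3 decimal digits
        if end != -1 and data[1:end].isdigit():
            pri = int(data[1:end])
            if pri <= 191:                # 23 facilities * 8 severities - 1
                facility, severity = pri >> 3, pri & 7
                data = data[end + 1:]
    text = data.decode("utf-8", errors="replace").rstrip("\r\n")
    # Control characters (terminal escapes, NULs) are replaced so they cannot
    # reach a log viewer or downstream parser intact.
    clean = "".join(ch if ch.isprintable() else "?" for ch in text)
    return facility, severity, clean


def build_record(frame: bytes) -> Optional[SyslogRecord]:
    """Turn one captured datagram into a SyslogRecord, or None if it is not syslog."""
    parsed = extract_udp_payload(frame)
    if parsed is None:
        return None
    src, dst, _sport, dport, payload = parsed
    if dport != SYSLOG_PORT:
        return None
    facility, severity, message = parse_syslog(payload)
    return SyslogRecord(src, dst, facility, severity, message)


def sniffed_records(frames: List[bytes]) -> List[SyslogRecord]:
    return [r for r in (build_record(f) for f in frames) if r is not None]


def make_udp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal IPv4/UDP datagram (checksums zero) so the example runs offline."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    return ip + udp


# Constructed sample capture: one benign message, one hostile oversized message
# with a bogus PRI and embedded NULs, one DNS packet, and one truncated frame.
SAMPLE_FRAMES = [
    make_udp_packet("192.0.2.10", "192.0.2.1", 39000, 514,
                    b"<34>Jan 29 23:00:17 dmzhost sshd[812]: Accepted publickey for ron"),
    make_udp_packet("192.0.2.66", "192.0.2.1", 39001, 514, b"<999>" + b"\x00" * 3 + b"A" * 2000),
    make_udp_packet("192.0.2.10", "192.0.2.1", 39002, 53, b"not syslog"),
    b"\x45\x00\x00\x10",
]

if __name__ == "__main__":
    for rec in sniffed_records(SAMPLE_FRAMES):
        print(rec.src, rec.facility, rec.severity, rec.message[:40])
```

Only the two port-514 datagrams survive; the hostile one is kept but capped at 1024 characters with its NULs replaced, and its out-of-range PRI falls back to the RFC defaults instead of indexing into a facility table.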

Copyright 2010, SecurityFocus