[lug] logs

D. Stimits stimits at idcomm.com
Mon Jul 30 12:28:30 MDT 2001


John Hernandez wrote:
> 
> "D. Stimits" wrote:
> > Sending logs via email to a machine that is
> > completely isolated from the breached machine is a way to do that
> > (separate machines with no direct interface).
> >
> > D. Stimits, stimits at idcomm.com
> 
> The problem with e-mail as an alternative to UDP logging is that by the time your cron job fires up to e-mail the logs, the intruder has already covered his tracks.  A combination of the two techniques, where logs are e-mailed to a remote account by the UDP loghost, may be the best defense.

Yes, but I'm not talking about doing this by cron, though that would be
good for a few minutes...say have it email the latest 5 minutes of log
each 5 minutes (sounds like a pain though). On the other hand, if you
have some other condition trigger this, such as any login by root, it
becomes more useful. What would be nice is if "suspicious conditions"
could be defined that would trigger this; I suppose some logging
packages could do this now, but I don't know of any in particular. On
the other hand, it still doesn't satisfy me to have an unprotected
machine directly connected to a breached firewall as the backup. One
almost has to log directly to a CD-R. Even the "honeypot" machines that
are out there to intentionally lure crackers have resulted in the
hidden/protected monitor machines being taken over after the machines
used as a lure were taken over. There is a possibility of setting up two
machines to use a pair of network cards for distributed shared memory,
which I hear makes it extremely difficult to breach the second machine
even if the first goes, but I don't know the theory behind that, and it
was listed as "extremely expensive and difficult to create". It is simply
counterintuitive to me that someone who breaches a well-setup firewall
can't get into the next machine in the demilitarized zone, which isn't
even a firewall.

D. Stimits, stimits at idcomm.com

> > > I must have misunderstood what you were saying...
> > >
> > > Sean
> > > --
> > >  Let's just say that your monkeys aren't quite typing Shakespeare.
> > >    -- Sean Reifschneider, speaking about Quicken support, 2001
> > > Sean Reifschneider, Inimitably Superfluous <jafo at tummy.com>
> > > tummy.com - Linux Consulting since 1995. Qmail, KRUD, Firewalls, Python
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> 
> --
> 
>   - John Hernandez - Network Engineer - 303-497-6392 -
>  |  National Oceanic and Atmospheric Administration   |
>  |  Mailstop R/OM12. 325 Broadway, Boulder, CO 80305  |
>   ----------------------------------------------------
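The trigger-based forwarding Stimits sketches above (ship the last few minutes of log the moment a "suspicious condition" such as a root login appears, rather than on a cron interval) as an added example; this is not code from the thread. The syslog lines, the trigger patterns and the `send` callback are constructed for the example; in practice `send` would hand the bundle to SMTP or a UDP loghost.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample syslog lines (not taken from the original thread).
SAMPLE_LOG = """\
Jul 30 12:20:01 fw CRON[412]: (root) CMD (run-parts /etc/cron.hourly)
Jul 30 12:24:10 fw sshd[977]: Accepted password for alice from 10.0.0.5 port 4022
Jul 30 12:27:55 fw sshd[1001]: Failed password for root from 192.0.2.9 port 5001
Jul 30 12:28:30 fw sshd[1003]: Accepted password for root from 192.0.2.9 port 5002
Jul 30 12:29:00 fw sshd[1003]: pam_unix(sshd:session): session opened for user root
""".splitlines()

# "Suspicious conditions" that should cause an immediate ship (assumed patterns).
TRIGGERS = [
    re.compile(r"Accepted \w+ for root from"),
    re.compile(r"session opened for user root"),
]
TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d)")


def parse_ts(line, year=2001):
    """Parse the classic syslog timestamp prefix (it carries no year, so one is assumed)."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


class TriggeredShipper:
    """Keep a rolling window of recent lines; on a trigger, ship the whole window at once."""

    def __init__(self, send, window=timedelta(minutes=5)):
        self.send = send          # callable(list_of_lines): SMTP, UDP loghost, printer...
        self.window = window
        self.buf = deque()        # (timestamp, line) pairs, oldest first

    def feed(self, line):
        ts = parse_ts(line)
        self.buf.append((ts, line))
        while self.buf and ts - self.buf[0][0] > self.window:   # drop lines older than window
            self.buf.popleft()
        if any(t.search(line) for t in TRIGGERS):
            bundle = [l for _, l in self.buf]
            self.send(bundle)     # ship before the intruder has a chance to clean up
            return bundle
        return None


def run(lines, send):
    """Feed lines in order; return every bundle that was shipped."""
    shipper = TriggeredShipper(send)
    return [b for b in (shipper.feed(l) for l in lines) if b is not None]
```

Only the root login and the root session open fire a ship; the failed root attempt and the cron job do not, and the 12:20:01 line has aged out of the five-minute window by the first trigger.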
