[lug] writeable CD curiosity

D. Stimits stimits at comcast.net
Thu Feb 12 16:43:37 MST 2004


John Hernandez wrote:

> D. Stimits wrote:
>
> > Dean Brissinger wrote:
> >
> >> Is there a reason _not_ to push the logs to another host through some
> >> secure means?  (Second NIC, ssh, etc.)
> >>
> >
> > Yes. First, a bridge has no IP address. You can add this, but it makes
> > the machine easier to break. Second, this machine runs 24/7, and no
> > others do. Going to another machine still leaves hard drives, and adds
> > more cost. I'd love to have a solid state machine that is read only,
> > aside from something like a CD-R or CD-RW logging tool.
>
> Have you considered connecting an old line printer?  To save paper, you
> could filter out 'normal' messages, and print only anomalies.

Interesting idea, this is sort of the idea, but wanted electronically 
searchable and easily archived for a very large set of logs. One of the 
concepts I am thinking of is the ability to save and cross reference 
logs over a long period of time, when perhaps the logs will never be 
used. CD is ideal for storage and search (and a CD-R or CD-RW is very 
inexpensive).

A lot of this though is just my twisted mind thinking it might be 
interesting, like that guy that made a RAID array of floppies. I was 
considering, after my bridge /var/ hard drive died, what I'd need to go 
to a purely solid-state bridge. If no logging were required, then I 
could go with one of those distros (or custom build) that runs entirely 
on a CD without any hard drive at all. Logging though is important, so 
then there is a ram disk (also a recent topic) that could be used. On 
the other hand, inexpensive small devices don't have gigabytes of ram, 
so the idea of snort logs and system logs able to make detailed reports 
goes away...a larger writeable medium is needed. Preferably something 
that if power fails, logs are preserved. It is true that a CD-R or CD-RW 
drive is less reliable than a hard drive, but if the main purpose of the 
CD-R is to archive logs, then pushing logs to it becomes a reasonable 
solution (remember that a bridge has no IP address, and you can't push 
it to a remote machine by network unless you add a significant 
vulnerability: an IP address on the bridge NIC or a 3rd NIC). Pushing to 
another machine also drastically increases both setup and resource 
requirements; for starters, you need a whole new machine, and then that 
machine must be set up for the job!

Well as long as I might be pushing logs onto a CD-R, it seemed 
interesting to make some oddball hybrid, where a pseudo-RAID system is 
built...if power dies, the logs are restored (which might include 
PostgreSQL database or other non-flat-files, for cross-referencing, 
searching, and active security adaptation) via CD. If the CD gets full, 
you pop another CD in (I expect 1 CD can go a long time before filling 
up with logs even if some extra log details are on). Make it like a 
walking ring buffer, and say perhaps only the most recent 600 MB are 
saved...pop the new CD in on time, you don't lose anything, pop it in 
late, and you keep the most recent data. Typically if you had a 
suspected break-in on a machine the bridge supports, you would not care 
about more than the last 600 MB of logs anyway...you'd just pop the CD-R 
out, pop in a new one, and go analyze the saved CD-R; meanwhile, the ram 
disk logs would attempt to put as much of current unsaved data onto the 
new replacement CD-R, to save data that may have been left off the 
original CD-R during the time the CD is popped out and a new one put 
back in. It's sort of a hybrid of RAID and incremental filesystem with 
journaling, not necessarily using any existing filesystem.

So imagine a small minitower box. It might have a serial port only for 
access, or maybe also a USB port, although it could have an integrated 
VGA adapter. Think simplified and inexpensive. It has 2 ethernet RJ-45 
ports, acting as a bridge; optionally a 3rd RJ-45 for control that is 
isolated from the bridge. You pop this bridge in at any time between 
outside world and a switch, boot it with the non-RW CD that is the setup 
you wish for, and a CD-R that will log things. An incident occurs, you 
pop out a CD-R, pop in a new one. Analyze it from another machine. Or if 
the 3rd RJ-45 is there, connect to it and use a 2nd machine to analyze 
directly; the mini-tower box could have a lightweight web server in it 
and other custom tools that know how to analyze and present data 
correlations of snort logs and iptables logs. Total cost, maybe $200, 
depending on options. I envision it understanding ARP, ICMP, tcp, udp, 
broadcast, DHCP, routing, and more, and able to provide fast summaries.

D. Stimits, stimits AT comcast DOT net
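The walking ring buffer described in the post, sketched as an added Python simulation (my code, not anything from the thread or any existing tool). A byte-bounded ring stands in for the RAM disk, a list stands in for the CD-R in the drive, and a lost-record counter makes visible the difference between popping the new disc in on time and popping it in late.

```python
from collections import deque


class LogRing:
    """RAM-disk stand-in: keeps the most recent `capacity` bytes of log
    records and remembers which of them already reached a disc."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.buf = deque()          # (seq, record) pairs, oldest first
        self.size = 0
        self.next_seq = 0
        self.committed_upto = 0     # first seq not yet written to any disc
        self.lost = 0               # uncommitted records evicted from the ring
        self.disc = []              # the CD-R in the drive (None = ejected)
        self.archive = []           # discs that have been popped out

    def append(self, record):
        """Log one record; the oldest records fall off once the ring is full."""
        seq = self.next_seq
        self.next_seq += 1
        self.buf.append((seq, record))
        self.size += len(record)
        while self.size > self.capacity:        # walking ring: drop the oldest
            old_seq, old = self.buf.popleft()
            self.size -= len(old)
            if old_seq >= self.committed_upto:  # never made it onto a disc
                self.lost += 1
        return seq

    def flush(self):
        """Append every not-yet-committed record to the disc in the drive."""
        if self.disc is None:
            return 0
        pending = [r for s, r in self.buf if s >= self.committed_upto]
        self.disc.extend(pending)
        self.committed_upto = self.next_seq
        return len(pending)

    def eject(self):
        """Pop the disc out for analysis; logging continues into the ring."""
        self.flush()
        self.archive.append(self.disc)
        self.disc = None

    def insert_blank(self):
        """Pop a fresh disc in; whatever survived in the ring is committed."""
        self.disc = []
        return self.flush()
```

With a 100-byte ring and 10-byte records, swapping within 10 records loses nothing; swapping after 15 records keeps only the newest 10 and counts the 5 that fell off the ring uncommitted.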
