> "brian" == brian <brian @
> brian> Information is delivered to the internal system via the
> brian> "syslog" protocol. You configure the syslog daemon on the
> Ah. I read it as "write it to a file" ie: "NFS". :-)
> In any case, I just had this great idea. I need a Silent 700 for the
> console on my firewall! I'll just hire some undergrad to run the
> stuff through an OCR on an inside system and then parse the longs
One of the better ideas to come to me out of reading Cliff Stoll's
book "The Cuckoo's Egg" (again, my memory seems unusually porous this
morning; anyway, the book on tracking down the German computer
cracker) was his use of non-invasive/non-traceable logging tools. He
had the output of the log and console routed to an off-line printer to
capture the event log of the intruder's presence.
A similar trick is to route the output of the syslog daemon to a
serial port and connect that port to another computer not on the
network or on a completely secured network. The secured computer has
a one-way inbound pipe that is unalterable from the outside. The
computer can be set to monitor one or more hosts for log entries and
have any and all necessary log analysis tools set up to examine the
logs for attack signatures. A final step is to have the computer send
e-mail to an administrator or call a pager on recognizing danger.
With the advent of fairly powerful PCs and inexpensive implementations
of Unix or Unix-like systems (i.e., Linux or FreeBSD), a full scale
log monitor is possible for under $3,000, including the purchase of
several large disks to hold all the drivel that fills modern log files.
Independent Consultant/Wannabe Net Guru/Sometime System Administrator
"You knew the job was dangerous when you took it..." - SuperChicken.
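The monitoring side of the setup described in the post above (log lines arriving one-way from a monitored host, scanned for attack signatures, alerts raised for an administrator), as an added illustration that is not code from the poster. It assumes BSD-style syslog lines and a constructed sample; in practice the lines would be read from the serial port instead of the embedded string.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of what the monitored host's syslog might send over the
# serial link. BSD syslog line format is assumed; nothing here is from the post.
SAMPLE_LOG = """\
Mar  3 02:14:01 fw1 sshd[812]: Failed password for root from 10.9.8.7 port 4410 ssh2
Mar  3 02:14:03 fw1 sshd[812]: Failed password for root from 10.9.8.7 port 4411 ssh2
Mar  3 02:14:05 fw1 sshd[812]: Failed password for root from 10.9.8.7 port 4412 ssh2
Mar  3 02:14:06 fw1 sshd[815]: Accepted publickey for ops from 192.0.2.10 port 50322 ssh2
Mar  3 02:14:09 fw1 sshd[812]: Failed password for root from 10.9.8.7 port 4413 ssh2
Mar  3 02:15:30 fw1 su[901]: FAILED SU (to root) ops on /dev/pts/1
Mar  3 02:16:02 fw1 sudo: ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; COMMAND=/bin/sh
"""

# "Mon dd hh:mm:ss host prog[pid]: message" (pid optional)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
# Single-line signatures that warrant an alert on their own (hypothetical set).
SIGNATURES = [("failed su to root", re.compile(r"FAILED SU \(to root\)"))]

def parse(line):
    """Split one syslog line into its fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year defaults; fine for deltas
    return ev

def analyze(lines, threshold=4, window=60):
    """Return (host, reason) alerts: signature hits plus brute-force bursts."""
    alerts = []
    recent = defaultdict(deque)  # (host, source address) -> timestamps of failures
    for raw in lines:
        ev = parse(raw)
        if ev is None:
            continue  # unparseable line: keep the monitor running, never crash on input
        for name, pat in SIGNATURES:
            if pat.search(ev["msg"]):
                alerts.append((ev["host"], name))
        f = FAILED_RE.search(ev["msg"])
        if f:
            q = recent[(ev["host"], f["src"])]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window:  # drop failures outside the window
                q.popleft()
            if len(q) == threshold:  # fires once when the burst crosses the threshold
                alerts.append((ev["host"], f"{threshold} failed logins from {f['src']} in {window}s"))
    return alerts

if __name__ == "__main__":
    for host, reason in analyze(SAMPLE_LOG.splitlines()):
        print(f"ALERT {host}: {reason}")  # replace with mail/pager delivery
```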