Great Circle Associates Firewalls
(October 1994)
 


Subject: Re: Syslog
From: jimc @ e-Commerce . Com (Jim Carroll)
Date: Fri, 7 Oct 94 11:17:02 EDT
To: z056716 @ uprc . com (LaCoursiere J. D. (Jeff))
Cc: firewalls @ GreatCircle . COM
In-reply-to: <9410071447 . AA14980 @ cygnus . uprc . com>
References: <9410071447 . AA14980 @ cygnus . uprc . com>
Reply-to: jimc @ e-Commerce . Com

LaCoursiere J. D. writes:
> 
> That's not the only danger, though.  By filling *whatever* partition syslog
> is pointed at, the attacker can break in without being logged (at least by
> syslogd :-> )

I had to think about this one for a second.

You mean to say that the attacker can break in without being detected,
if he fills the partition, but not that the attacker can break in by
virtue of the fact that he's filled the partition, i.e., filling the
partition becoming the access enabler, right?

I suppose it would be trivial to cobble something together to monitor
the logfile, and if the size hit a certain threshold, or the partition
free space fell below a certain threshold, then perhaps one could
automatically do something, e.g., zip an email off to the
administrator, page someone, whatever.

-- 
Jim Carroll --  jimc @ e-Commerce . Com
e-Commerce, Inc., 1030 Kamato Road, Suite 201
Mississauga, Ontario, Canada    L4W 4B6
Tel:  +1 905 602 0863    Fax:  +1 905 602 8402
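
The monitor described in the message above, as an added example that is not part of the original post: a POSIX shell watchdog that checks the log file's size and the free space on its partition and alerts by mail rather than through syslog. The function names, the ADMIN variable, the script name in the cron comment and the thresholds are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: the functions
# below, the ADMIN variable, and the thresholds passed on the command line.

# Size of a file in KiB, rounded up; 0 if the file does not exist.
log_size_kb() {
    if [ ! -f "$1" ]; then echo 0; return 0; fi
    bytes=$(wc -c < "$1")
    echo $(( ($bytes + 1023) / 1024 ))
}

# Percent free on the partition holding path $1 (POSIX "df -P" layout:
# the capacity column is the second-to-last field of line 2).
free_pct() {
    df -P "$1" | awk 'NR==2 { p = $(NF-1); sub(/%/, "", p); print 100 - p }'
}

# Pure decision: args are size_kb free_pct max_kb min_free_pct.
# Prints OK and returns 0, or prints the reasons and returns 1.
evaluate() {
    reasons=""
    if [ "$1" -gt "$3" ]; then reasons="log size ${1}K exceeds ${3}K"; fi
    if [ "$2" -lt "$4" ]; then
        reasons="${reasons:+$reasons; }free space ${2}% below ${4}%"
    fi
    if [ -z "$reasons" ]; then echo OK; return 0; fi
    echo "$reasons"; return 1
}

# Notify out of band: stderr (cron mails it) and, if ADMIN is set, mailx.
# Deliberately not via logger/syslog, which is the channel being filled.
alert() {
    echo "ALERT: $1" >&2
    if [ -n "${ADMIN:-}" ]; then
        echo "$1" | mailx -s "syslog volume warning on $(uname -n)" "$ADMIN"
    fi
}

# check_log LOGFILE MAX_KB MIN_FREE_PCT -> 0 healthy, 1 alert raised.
check_log() {
    msg=$(evaluate "$(log_size_kb "$1")" "$(free_pct "$(dirname "$1")")" \
        "$2" "$3") && return 0
    alert "$1: $msg"
    return 1
}

# Run from cron, e.g. (hypothetical name): logwatch.sh /var/log/messages 51200 10
if [ "$#" -eq 3 ]; then check_log "$@"; fi
```

If the mail spool sits on the same partition as the log, the alert can be lost along with the log entries, so the spool or the recipient should live elsewhere.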

