syslog-ng stops listening to UDP after "nmap -sU"?
Today, I installed syslog-ng 1.3.15 on Solaris 7. I have the following very simple config file (I am still evaluating syslog-ng):

    options { use_fqdn(yes); };
    source syslog_udp { udp(ip(xxx.yyy.zzz.www) port(514)); };
    source syslog_internal { internal(); };
    destination syslog_file { file("/somepath/logs/$YEAR-$MONTH-$DAY-$HOST-$FACILITY"); };
    log { source(syslog_udp); source(syslog_internal); destination(syslog_file); };

xxx.yyy.zzz.www is a virtual IP address that is assigned to whichever server is currently providing syslog service to the rest of the internal network.

Everything worked fine until I decided to portscan the syslog server. When I did a UDP scan, syslog-ng stopped logging. This is what happens:

*) I start syslog-ng
*) I connect to our mail server, and see how the connection is logged in the file /somepath/logs/2000-02-17-mailserver.our.domain-mail
*) I run netstat -a and observe the line xxx.yyy.zzz.www.514 Idle
*) I execute "nmap -p 514 -sU xxx.yyy.zzz.www" on a Linux box
*) I run netstat -a and observe that there is no longer any entry for port 514.
*) The syslog-ng process is still running, though.
*) I connect to our mail server again. The connection is not logged by syslog-ng. In fact, nothing seems to be logged at all.

The packet that is sent by nmap during an "-sU scan" is a UDP packet with zero bytes of data.

Obviously, this could be an easy way for a cracker to disable a loghost in preparation for an attack on another host.

Can anybody repeat this?

-- 
Kent Engström, Linköping University Incident Response Team
kent@unit.liu.se abuse@liu.se +46 13 28 1744
UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN
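The reproduction steps above, replayed on localhost against two toy UDP syslog receivers, as an added example that is not part of the original post or of syslog-ng. The "naive" receiver treats a zero-byte read as end-of-file and closes its socket, which is stream-socket logic wrongly applied to a datagram socket; that this is what syslog-ng 1.3.15 actually did is an assumption made for illustration, not something the post establishes. The "hardened" receiver just drops the empty datagram. The syslog lines, the probe payload and the port-bound check (standing in for netstat -a) are all constructed here; port 0 lets the OS pick a free port because binding 514 needs root.

```python
"""Replay the empty-UDP-datagram probe (what nmap -sU sends) against two toy
receivers on 127.0.0.1. Constructed example, not syslog-ng code."""
import socket

# Constructed syslog-style lines, standing in for the mail-server events in the post
CANARY_BEFORE = b"<22>Feb 17 10:00:00 mailserver sendmail[123]: connect from client"
CANARY_AFTER = b"<22>Feb 17 10:05:00 mailserver sendmail[124]: connect from client"
NMAP_SU_PROBE = b""  # an "nmap -sU" probe is a UDP datagram with zero bytes of data


def bind_listener(port=0):
    """Bind a UDP listener; port 0 = OS-chosen free port (real syslog is 514, needs root)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", port))
    s.settimeout(0.5)  # so the drain loops stop once the receive queue is empty
    return s


def send_udp(port, payload):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as c:
        c.sendto(payload, ("127.0.0.1", port))


def naive_drain(sock, log):
    """Reader that treats recvfrom() returning b'' as EOF and closes the socket.
    That rule is right for TCP but wrong for UDP: an empty datagram is a valid datagram.
    (Assumed failure mode for illustration, not a diagnosis of syslog-ng 1.3.15.)"""
    while True:
        try:
            data, _peer = sock.recvfrom(65535)
        except socket.timeout:
            return "open"
        if not data:  # the bug: zero bytes is not end-of-file on a datagram socket
            sock.close()
            return "closed"
        log.append(data)


def hardened_drain(sock, log):
    """Same loop, but an empty datagram is dropped and the socket stays open."""
    while True:
        try:
            data, _peer = sock.recvfrom(65535)
        except socket.timeout:
            return "open"
        if not data:
            continue  # ignore the probe, keep listening
        log.append(data)


def port_still_bound(port):
    """netstat-style check: if we can bind the port ourselves, nobody else holds it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as probe:
        try:
            probe.bind(("127.0.0.1", port))
        except OSError:
            return True
        return False


def run_scenario(drain):
    """Replay the post's steps against one receiver implementation.
    Returns (receiver state, port still bound?, lines that got logged)."""
    sock = bind_listener()
    port = sock.getsockname()[1]
    log = []
    send_udp(port, CANARY_BEFORE)  # logging works before the scan
    send_udp(port, NMAP_SU_PROBE)  # the -sU probe: empty datagram to the syslog port
    send_udp(port, CANARY_AFTER)   # does anything still get logged afterwards?
    state = drain(sock, log)
    bound = port_still_bound(port)
    if state == "open":
        sock.close()
    return state, bound, log


if __name__ == "__main__":
    for name, drain in (("naive", naive_drain), ("hardened", hardened_drain)):
        state, bound, log = run_scenario(drain)
        print(f"{name:8s} receiver: socket {state}, port bound={bound}, "
              f"logged {len(log)} line(s)")
```

With the naive receiver the canary sent after the probe never reaches the log and the port disappears from the bound-port check, which is the netstat symptom in the post with the process still alive; the hardened receiver logs both canaries and keeps the port.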