Thanks for the suggestions yesterday. As usual, there are multiple ways to solve the problem, each of them equally easy!

Now on to my next issue...

We have a product called Symantec SIM (Security Information Manager) that is on the receiving end of some forwarded messages. I have the keep_hostname(yes) option enabled, and when our SIM gets the message, the originating hostname is in the message. The problem is that it seems like the SIM is detecting that the message is coming from my loghost where Syslog-ng is installed, and tagging every message like it's from that instead of the actual host. We've been over the config with their engineers and our security department, and this is what we got back from Symantec today.

"The hostname is available in the message, so it looks like that part is working. The problem is this: the message the SSIM sees is:

<TIME> <Syslog Server IP> <Message>

The SSIM then puts the syslog server IP as the source and destination of the host. Essentially the message needs to be sent to the SSIM as:

<TIME> <Originating device Source IP> <Message>

To do this, the message will need to be spoofed."

So, I have two questions:

1. Can the messages be spoofed?
2. Does anyone else use this product and would be willing to share configs (of either syslog-ng or SSIM)?

Thanks,
Paul
On Fri, 2010-01-22 at 09:10 -0500, PAUL WILLIAMSON wrote:
I guess the SIEM is not using the HOST portion of the syslog message as the originating host, but rather its source IP address, which is not the case if you use syslog-ng in between them. If you can use udp between syslog-ng and your SIEM, you could perhaps use the spoof_source(yes) option on your udp destination, which will also spoof the source IP address of each outgoing message.

--
Bazsi
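The relay setup Bazsi describes, as an added example configuration (not from the thread or the syslog-ng project): keep_hostname(yes) preserves the HOST field, and a udp() destination with spoof_source(yes) makes each forwarded datagram carry the originating device's IP as its source address, so a SIEM that attributes events by sender IP sees the real device. The SIEM address 192.0.2.10 and the listening ports are assumptions.

```conf
# Added example: syslog-ng relay in front of a SIEM that attributes events by
# IP source address rather than by the HOST field of the message.
# Assumed: SIEM at 192.0.2.10 (documentation range), relay listens on 514.

@version: 3.0

options {
    # keep the HOST field exactly as the originating device sent it
    keep_hostname(yes);
    # do not replace HOST with a reverse lookup of the sender, and do not
    # prepend the relay's own name to it
    use_dns(no);
    chain_hostnames(no);
};

# devices send classic BSD syslog to the relay
source s_devices {
    udp(ip(0.0.0.0) port(514));
    tcp(ip(0.0.0.0) port(514));
};

# UDP only: spoof_source() is not available on tcp() destinations.
# Each datagram is written with the original sender's IP as its IP source
# address, so the SIEM attributes the event to the device, not the relay.
destination d_siem {
    udp("192.0.2.10" port(514) spoof_source(yes));
};

log {
    source(s_devices);
    destination(d_siem);
};
```

spoof_source(yes) needs syslog-ng built with libnet support and the privileges to open raw sockets (root or the equivalent capability); if the relay runs unprivileged the option is silently ineffective, so check the SIEM's recorded source IP after enabling it.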