How about a "passive" syslog server?
Hi there

I'm wanting to put up a syslog server that runs on an IDS. As such the "sniffed" interfaces don't have (or want) IP addresses. So what I need is a syslog server that can sniff syslog packets as they come across the interfaces in promiscuous mode. There is a product called passlogd that supposedly does this - but it has always crashed on startup for me.

However I was wondering if this could be a feature request for syslog-ng. Linux's netfilter has the REDIRECT rulesets which could be used to do this as well. I mean, right now we use REDIRECT so that our Squid proxy server can act as a transparent proxy server, so what about syslog-ng? As Squid requires you to enable it - I suppose syslog-ng would still need to be altered to support that option too?

Anyone else tried to do this? The security advantage is that you could enable syslog in your DMZes, point them at a non-existent IP address, and your IDS could pick up those messages as they flow past it. Any server compromise leads the hackers to believe there is a syslog server - but it's down...

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Jason Haar on Thu, Apr 03, 2003 at 02:50:05PM +1200:

Hi Jason,
> Linux's netfilter has the REDIRECT rulesets which could be used to do this as well. I mean, right now we use REDIRECT so that our Squid proxy server can act as a transparent proxy server, so what about syslog-ng? As Squid requires you to enable it - I suppose syslog-ng would still need to be altered to support that option too?
I don't think you would need any special support in syslog-ng, this is basically the same principle as used in setting up ssltunnel or sshd-forwardings. Personally, I have had no problems either to forward messages to syslog-ng using OpenBSD pf.

Realize however, that if implemented like this, you're basically only obscuring the service, it is still as reachable as any more "visible" service would be. The good thing is, you can "sudo -u <unpriv> syslog-ng", which then can be bound to localhost:>1024 and make a mapping for the privileged port 514.
> Anyone else tried to do this? The security advantage is that you could enable syslog in your DMZes, point them at a non-existent IP address, and your IDS could pick up those messages as they flow past it. Any server compromise leads the hackers to believe there is a syslog server - but it's down...
As the mentioned passlogd and snort have shown recently, it is not required to have a listening port of some kind to be exploitable. Grabbing data from the wire can be vulnerable to similar problems as interactive services. If you're using udp-based syslog, you could try to get it to work with a read-only ethernet cable .. if it's your IDS at the same time, this would add some real security IMHO.

Regards,

-- 
Gregor Binder <gb@(rootnexus.net|sysfive.com)>
Id: 0xE2F31C4B Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
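The passive collector Jason asks for, and the parser exposure Gregor points out, as an added Python example (not code from passlogd, syslog-ng or either poster): it decodes raw Ethernet frames read from an address-less interface, keeps only UDP datagrams to port 514, and splits the RFC 3164 payload into PRI, facility, severity, timestamp, host and message. Every header walk is length-checked and the PRI range is validated, so a malformed or truncated packet is dropped instead of crashing the collector. The sample frame, the 192.0.2.0/24 addresses and the log line are constructed for the example; the capture loop assumes Linux AF_PACKET and root.

```python
"""Passive syslog decoder: Ethernet -> IPv4 -> UDP/514 -> RFC 3164 fields.

Added example, not code from passlogd or syslog-ng. The frame built below
is constructed so the decoder runs offline; sniff() needs root and a Linux
AF_PACKET socket on an interface set to promiscuous mode
(`ip link set IFACE promisc on`).
"""
import re
import socket
import struct
import sys

SYSLOG_PORT = 514
ETH_P_ALL = 0x0003

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(payload):
    """Decode an RFC 3164 datagram into a dict. Anything on the wire is
    untrusted: bad PRI or missing header yields None fields, never an exception."""
    text = payload.decode("latin-1")          # every byte maps, nothing can fail
    m = re.match(r"<(\d{1,3})>", text)
    if not m or int(m.group(1)) > 191:         # PRI = facility*8 + severity, max 191
        return {"facility": None, "severity": None, "timestamp": None,
                "host": None, "msg": text, "raw": text}
    pri = int(m.group(1))
    rest = text[m.end():]
    # RFC 3164 header: "Mmm dd hh:mm:ss hostname " then the free-form message
    hdr = re.match(r"([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", rest, re.S)
    timestamp, host, msg = hdr.groups() if hdr else (None, None, rest)
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "timestamp": timestamp, "host": host, "msg": msg.rstrip("\n"), "raw": text}


def decode_frame(frame):
    """Walk Ethernet/IPv4/UDP with explicit bounds checks.
    Returns (src_ip, dst_ip, payload) for UDP/514, else None."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                                  # IPv4 only
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(ip) or ip[9] != 17:
        return None                                  # bad lengths or not UDP
    ip = ip[:total_len]                              # drop Ethernet padding
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    udp = ip[ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    if dport != SYSLOG_PORT or ulen < 8 or ulen > len(udp):
        return None
    return src, dst, udp[8:ulen]


def passive_syslog(frame):
    """Full pipeline for one captured frame; None if it is not syslog."""
    hit = decode_frame(frame)
    if hit is None:
        return None
    src, dst, payload = hit
    rec = parse_syslog(payload)
    rec.update(src=src, dst=dst)
    return rec


def build_frame(src, dst, sport, dport, payload):
    """Constructed test frame (checksums left zero; only for feeding the decoder)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + udp
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip


# Constructed sample: a DMZ host sending to the non-existent collector address.
SAMPLE_MSG = b"<34>Apr  3 14:50:05 dmz-web1 sshd[1234]: Failed password for invalid user admin from 192.0.2.77 port 4412 ssh2"
SAMPLE_FRAME = build_frame("192.0.2.10", "192.0.2.254", 514, 514, SAMPLE_MSG)


def sniff(iface):
    """Capture on a Linux interface with no IP address (requires root)."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_ALL))
    s.bind((iface, 0))
    while True:
        rec = passive_syslog(s.recv(65535))
        if rec:
            print(f"{rec['src']} -> {rec['dst']} [{rec['facility']}.{rec['severity']}] "
                  f"{rec['host']}: {rec['msg']}")


if __name__ == "__main__":
    sniff(sys.argv[1]) if len(sys.argv) == 2 else print(passive_syslog(SAMPLE_FRAME))
```

Run it with no arguments to decode the constructed frame, or with an interface name (as root) to read live frames. The design choice worth noting is that every rejection path returns None or a record with None fields: a collector that listens on nothing still parses attacker-influenced bytes, which is exactly the exposure Gregor describes, so the decoder never indexes past a length it has not checked.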