[syslog-ng] syslog-ng stops listen to UDP after "nmap -sU"?
Kent Engström
kent@unit.liu.se
17 Feb 2000 19:15:23 +0100
Today, I installed syslog-ng 1.3.15 on Solaris 7. I have the following very
simple config file (I am still evaluating syslog-ng):
options { use_fqdn(yes); };

source syslog_udp {
    udp(ip(xxx.yyy.zzz.www) port(514));
};

source syslog_internal {
    internal();
};

destination syslog_file {
    file("/somepath/logs/$YEAR-$MONTH-$DAY-$HOST-$FACILITY");
};

log { source(syslog_udp); source(syslog_internal); destination(syslog_file); };
xxx.yyy.zzz.www is a virtual IP address that is assigned to whichever server
is currently providing syslog service to the rest of the internal network.
Everything worked fine until I decided to portscan the syslog server.
When I did a UDP scan, syslog-ng stopped logging. This is what happens:
*) I start syslog-ng
*) I connect to our mail server, and see how the connection is logged in
the file /somepath/logs/2000-02-17-mailserver.our.domain-mail
*) I run netstat -a and observe the line
xxx.yyy.zzz.www.514 Idle
*) I execute "nmap -p 514 -sU xxx.yyy.zzz.www" on a Linux box
*) I run netstat -a and observe that there is no longer any entry for port 514.
*) The syslog-ng process is still running, though.
*) I connect to our mail server again. The connection is not logged
by syslog-ng. In fact, nothing seems to be logged at all.
The packet that is sent by nmap during an "-sU scan" is a UDP packet
with zero bytes of data.
Obviously, this could be an easy way for a cracker to disable a loghost
in preparation for an attack on another host.
Can anybody repeat this?
--
Kent Engström, Linköping University Incident Response Team
kent@unit.liu.se abuse@liu.se
+46 13 28 1744
UNIT, Linköping University; SE-581 83 LINKÖPING; SWEDEN
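The failure mode described above (a UDP listener that goes silent after a zero-byte datagram) is easy to reproduce in miniature. The following is an added example, not syslog-ng code and not part of the original post: a minimal UDP syslog receiver bound to the loopback interface, fed first an empty datagram of the kind an `nmap -sU` probe sends and then a normal syslog line. It assumes one plausible mechanism for the reported behaviour, a stream-style "zero bytes read means end of file" check applied to a datagram socket, which is not confirmed for syslog-ng 1.3.15; the receiver here treats an empty datagram as a legitimate event to count and log, and keeps listening. The sample syslog message, the port (chosen by the OS) and the `mail` facility value are constructed for the demonstration.

```python
import socket

# RFC 3164 facility codes (PRI = facility * 8 + severity).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]


def parse_syslog(datagram: bytes) -> dict:
    """Split a BSD-style '<PRI>message' datagram into facility, severity, text.

    Datagrams without a valid PRI header are kept with facility 'user'
    and severity 5 (notice), the defaults most syslog daemons apply."""
    text = datagram.decode("utf-8", errors="replace")
    facility, severity = 1, 5
    if text.startswith("<"):
        end = text.find(">")
        if 0 < end <= 4 and text[1:end].isdigit():
            pri = int(text[1:end])
            if pri <= 191:
                facility, severity = pri >> 3, pri & 7
                text = text[end + 1:]
    return {"facility": FACILITIES[facility], "severity": severity, "msg": text}


class UdpSyslogReceiver:
    """Datagram listener that survives empty probes.

    On a datagram socket, recvfrom() returning b'' is a real zero-length
    datagram, not end-of-stream; the listener must keep reading."""

    def __init__(self, host: str = "127.0.0.1", port: int = 0, timeout: float = 2.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((host, port))          # port 0: let the OS pick a free port
        self.sock.settimeout(timeout)         # never block the demo forever
        self.address = self.sock.getsockname()
        self.records = []                     # parsed syslog messages
        self.empty_probes = 0                 # zero-byte datagrams seen

    def handle_one(self) -> None:
        data, peer = self.sock.recvfrom(65535)
        if not data:
            # Assumed failure mode: a stream-style "0 bytes == EOF" check
            # here would close the socket and silence the loghost. Instead,
            # count the probe so it can be alerted on, and keep listening.
            self.empty_probes += 1
            return
        record = parse_syslog(data)
        record["peer"] = peer[0]
        self.records.append(record)

    def close(self) -> None:
        self.sock.close()


def simulate_probe_then_log() -> tuple:
    """Send an empty datagram (as nmap -sU does), then a normal syslog line.

    Returns (records, empty_probes) so the caller can verify that logging
    continued after the probe."""
    receiver = UdpSyslogReceiver()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(b"", receiver.address)  # zero bytes of data, like the scan
        # Constructed sample: PRI 22 = facility 2 (mail) * 8 + severity 6 (info)
        sender.sendto(b"<22>Feb 17 19:15:23 mailserver sendmail[123]: connect from host",
                      receiver.address)
        receiver.handle_one()   # the empty probe
        receiver.handle_one()   # the real message; must still be delivered
    finally:
        sender.close()
        receiver.close()
    return receiver.records, receiver.empty_probes


if __name__ == "__main__":
    records, probes = simulate_probe_then_log()
    print(f"empty probes seen: {probes}")
    for r in records:
        print(f"{r['facility']}.{r['severity']} from {r['peer']}: {r['msg']}")
```

Counting empty datagrams separately is deliberate: a burst of them on port 514 is exactly the signal a loghost operator would want to alert on, and the count is observable even if the probe never reaches the application log.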