[435] in Intrusion Detection Systems
Re: Good logging and real-t
daemon@ATHENA.MIT.EDU (Doug Hughes)
Mon Nov 27 06:08:52 1995
Date: Fri, 24 Nov 1995 15:00:32 -0600 (CST)
From: Doug Hughes <doug@Eng.Auburn.EDU>
To: ids@uow.edu.au
In-Reply-To: <Pine.LNX.3.91.951123190904.3487B-100000@bach.cis.temple.edu>
Reply-To: ids@uow.edu.au
On Thu, 23 Nov 1995, Alexander O. Yuriev wrote:
> On Tue, 21 Nov 1995, Doug Hughes wrote:
>
> > Bypasses are certainly possible. However, the intruder would have to gain
> > access, become root, somehow login to the remote restricted access machine
> > (which by the way has rlogin, telnet, rexec, and shell stuff turned off),
> > kill the program watching the logs (which would certainly make it disappear
> > off the screen) and then restart it, all without the user noticing, and within
> > 5 seconds.
>
> You have just assumed something that you should not assume, i.e. that in
> order to bypass your system an intruder needs to penetrate a trusted host. If I
> am an intruder I can quite successfully attempt to perform an attack against the
> syslog protocol instead of attempting to take over the trusted system.
>
>
Oh no, I don't make that assumption at all. However, the only known
attack (to me) on syslog is to flood the syslog host with syslog information.
Since the watcher is showing the logs, I think it would be difficult not
to notice the program going nuts displaying information of little value
over and over and over again. (To me that spells dead giveaway, batten
the hatches.)
The only other way would be to actually pluck syslog packets off the wire.
If you can do this, you're already root, and hopefully would have been
caught via another trap/log.
Certainly it's not perfect, but it's a useful tool.
____________________________________________________________________________
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug@eng.auburn.edu
Pro is to Con as progress is to congress
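The message above relies on a human watching the console to notice a syslog flood ("information of little value over and over"). The script below is an added example, not code from the thread or from either poster, that automates that check: it parses BSD-style syslog lines (the RFC 3164 `<PRI>Mmm dd HH:MM:SS host message` layout is assumed), keeps a sliding window of recent messages per reporting host, and flags a host that exceeds a message-rate threshold or keeps repeating the same text. The thresholds, host names and log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed BSD syslog (RFC 3164) layout: "<PRI>Mmm dd HH:MM:SS host message"
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line, year=1995):
    """Parse one syslog line; return a dict, or None if the header is malformed.
    RFC 3164 timestamps carry no year, so the caller supplies one."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts_text = " ".join(m.group("ts").split())  # collapse the space-padded day
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8, "severity": pri % 8, "ts": ts,
        "host": m.group("host"), "msg": m.group("msg"),
    }


class FloodDetector:
    """Sliding-window rate and repetition check, kept per reporting host."""

    def __init__(self, window_seconds=5, max_per_window=50, max_repeats=10):
        self.window = window_seconds
        self.max_per_window = max_per_window
        self.max_repeats = max_repeats
        self.recent = defaultdict(deque)  # host -> deque of (timestamp, message)

    def feed(self, rec):
        """Add one parsed record; return the list of alert kinds it triggers."""
        q = self.recent[rec["host"]]
        q.append((rec["ts"], rec["msg"]))
        # Drop entries older than the window, measured from the newest record.
        while (rec["ts"] - q[0][0]).total_seconds() > self.window:
            q.popleft()
        alerts = []
        if len(q) > self.max_per_window:
            alerts.append("rate")       # too many messages from one host
        repeats = sum(1 for _, msg in q if msg == rec["msg"])
        if repeats > self.max_repeats:
            alerts.append("repeat")     # the same text over and over
        return alerts


def analyze(lines, detector=None):
    """Run the detector over raw lines; return alert kinds per host and the
    number of lines that did not parse (a flood of junk shows up there too)."""
    det = detector or FloodDetector()
    alerts = defaultdict(set)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        for kind in det.feed(rec):
            alerts[rec["host"]].add(kind)
    return {"alerts": {h: sorted(k) for h, k in alerts.items()}, "unparsed": unparsed}


def build_sample():
    """Constructed sample stream (not real traffic): a quiet host, a host repeating
    one message 60 times in three seconds, and a host sending 60 distinct messages."""
    lines = []
    for sec in range(0, 50, 10):  # one ordinary message every 10 seconds
        lines.append(f"<38>Nov 24 15:00:{sec:02d} athena login: ROOT LOGIN ttyp0 FROM hal")
    for i in range(60):           # 20 identical lines per second, seconds 05..07
        lines.append(f"<38>Nov 24 15:00:{5 + i // 20:02d} spoofed su: 'su root' failed for guest")
    for i in range(60):           # 20 distinct lines per second, seconds 08..10
        lines.append(f"<78>Nov 24 15:00:{8 + i // 20:02d} chatty cron: job {i} finished")
    lines.append("this line has no syslog header")
    return lines


def analyze_sample():
    return analyze(build_sample())


if __name__ == "__main__":
    result = analyze_sample()
    for host, kinds in result["alerts"].items():
        print(f"ALERT {host}: {', '.join(kinds)}")
    print(f"unparsed lines: {result['unparsed']}")
```

With the constructed stream, `spoofed` trips both the rate and the repeat check, `chatty` trips only the rate check, and `athena` stays quiet; the one malformed line is counted rather than dropped silently. The per-host window also means a burst from one source cannot hide another host's genuine messages from the check, which is the point the original poster made about the watcher.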