23 Mar 2004, 3:16 a.m.
On Wed, Mar 24, 2004, James Riden thus spake:
> else. The truly paranoid will use a listen-only ethernet cable.
Indeed. The Honeynet folks, besides having a hardened syslog server, also sniff syslog traffic off the wire as part of the Snort setup, so there's simply no point of entry to the syslog data from the compromised network. Other equally paranoid types have proposed various solutions of dumping to write-only media, such as CD-R or a plain ol' paper printer.

Anyway, if you're sufficiently motivated there are plenty of failsafe methods to ensure the logs aren't compromised (though internal compromise is still theoretically possible).

Regards,
Ed Hintz
ed(a)hintz.org
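The passive collector the reply describes has to decode raw frames itself, because a listen-only tap or SPAN port hands it Ethernet, not a socket. The following is an added example, not code from the thread or from the Honeynet Project: it parses Ethernet/IPv4/UDP frames for UDP/514 RFC 3164 syslog and appends each record to a SHA-256 hash chain so that later tampering with the stored copy is detectable. It assumes IPv4 without options checking beyond IHL, does not verify IP/UDP checksums, and the sample frames and log lines are constructed for the demonstration; `capture_live` is Linux-only and needs CAP_NET_RAW.

```python
"""Passive syslog capture off a tap, with a tamper-evident hash chain.

Added example; assumptions: IPv4 only, checksums not verified, and the
frames built by build_frame() are constructed test input, not captured data.
"""
import hashlib
import re
import socket
import struct

SYSLOG_PORT = 514
PRI_RE = re.compile(rb"^<(\d{1,3})>")      # RFC 3164 PRI field, e.g. <34>
ZERO_HASH = b"\x00" * 32


def build_frame(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP frame carrying payload (test input only).

    IP and UDP checksums are left at zero; parse_frame() does not check them.
    """
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", 40000, SYSLOG_PORT, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp


def parse_frame(raw: bytes):
    """Return (src_ip, facility, severity, message) for a UDP/514 syslog frame, else None."""
    if len(raw) < 14 + 20 + 8:
        return None
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:   # not IPv4
        return None
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or ihl < 20 or len(ip) < ihl + 8:   # not UDP, or truncated
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    udp = ip[ihl:]
    _sport, dport, ulen, _cksum = struct.unpack("!HHHH", udp[:8])
    if dport != SYSLOG_PORT:
        return None
    payload = udp[8:ulen]
    m = PRI_RE.match(payload)
    if not m or int(m.group(1)) > 191:                 # drop non-syslog rather than guess
        return None
    facility, severity = divmod(int(m.group(1)), 8)
    return src_ip, facility, severity, payload[m.end():].decode("utf-8", errors="replace")


class ChainedLog:
    """Append-only store: each digest covers the previous digest plus this record.

    Detects modification of stored records, but only if the head digest is also
    exported somewhere the collector cannot rewrite (the 'internal compromise'
    caveat in the reply above); printing it periodically is one cheap option.
    """

    def __init__(self):
        self.records = []          # list of (line_bytes, digest)
        self.last = ZERO_HASH

    def append(self, src_ip, facility, severity, message) -> str:
        line = f"{src_ip} {facility}.{severity} {message}".encode()
        digest = hashlib.sha256(self.last + line).digest()
        self.records.append((line, digest))
        self.last = digest
        return digest.hex()

    def verify(self) -> bool:
        prev = ZERO_HASH
        for line, digest in self.records:
            if hashlib.sha256(prev + line).digest() != digest:
                return False
            prev = digest
        return True


def capture_live(iface: str, log: ChainedLog):
    """Linux only, needs CAP_NET_RAW: read frames from a tap/SPAN port forever."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))
    s.bind((iface, 0))
    while True:
        rec = parse_frame(s.recv(65535))
        if rec:
            log.append(*rec)


def demo() -> ChainedLog:
    """Feed three constructed frames through the parser; the third is not syslog."""
    log = ChainedLog()
    frames = [
        build_frame("10.0.0.5", "10.0.0.250",
                    b"<34>Mar 24 03:16:01 web1 sshd[812]: Failed password for root from 10.0.0.99"),
        build_frame("10.0.0.5", "10.0.0.250",
                    b"<38>Mar 24 03:16:05 web1 sshd[812]: Accepted password for root from 10.0.0.99"),
        build_frame("10.0.0.5", "10.0.0.250", b"not syslog at all"),
    ]
    for f in frames:
        rec = parse_frame(f)
        if rec:
            log.append(*rec)
    return log
```

Because the tap never transmits, the compromised host has no path to this process; the hash chain only adds evidence that the collector's own copy has not been rewritten since the last exported head digest, which is the same role the CD-R or printer plays in the reply.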