[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: draft-ietf-opsec-logging-caps-03

To: Roland Dobbins <rdobbins@cisco.com>
Subject: Re: draft-ietf-opsec-logging-caps-03
From: Warren Kumari <warren@kumari.net>
Date: Tue, 3 Jul 2007 14:52:48 -0400
Cc: opsec@ops.ietf.org
In-reply-to: <B837D671-A8AA-4C7B-B483-1EF90EDD0780@cisco.com>
References: <4684203D.5080402@juniper.net> <005e01c7bd7f$010d17c0$4c1ba788@familyroom> <02DD2A11-F531-4A78-89AE-BBF65630AE73@kumari.net> <B837D671-A8AA-4C7B-B483-1EF90EDD0780@cisco.com>


On Jul 3, 2007, at 12:55 PM, Roland Dobbins wrote:

On Jul 3, 2007, at 11:39 PM, Warren Kumari wrote:
One possible concern with rate-limiting syslog / SNMP / whateveris that people will then try and generate non-critical events thatcause alerts to be generated in the hope that they can then slip amore nefarious event in and have it also be caught by the rate-limiter.
Possible, but hard to accomplish without inside knowledge (which iscertainly a possibility, of course).

Yup -- very true, although I did see it happen once -- It was afailed attempt to brute force TACACS. There were ACLs configured on adevice with the "logging" keyword that caused the device to log allACLs hits and a (not so bright) employee that had read-only access tothe syslog server -- he noticed that if he did "ping -f" (which hecould easily explain as a diagnostic process that had gone awry orsomething) to a device behind the ACL the device would be so busylogging ACL hits that it wouldn't log failed login attempts. What he*didn't* check first (I did mention that he wasn't so bright) waswhether failed logins usually showed up in this syslog server.....

I had configured syslog-ng to only forward a very small subset oflogs to the server that he was looking at (the logs were for use by aNOC tool that watched the logs for interface flaps, ACL hits and oneor two other similar issues)...

The TACACS server logged somewhere between 8,000 - 9,000 failedlogins before I reacted to the alerts that it was generating, butlooking through the aggregated syslog I only saw around 2,000attempts, so I guess that his trick did work to some extent :-)

What would be great would be, if there were a rate-limiter itwould prioritize high severity messages over lower severity ones(whee! QoS for logs!).
How about multiple rate-limiters for each individual log-type, aswell as for each severity/informational level?

That would be be work, although I am concerned that the overheadmight overtax the device's processor...

My main comment is that, for local logs, the oldest, least importantmessages are dropped before old important messages....

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@cisco.com> // 408.527.6376 voice

       Culture eats strategy for breakfast.

               -- Ford Motor Company


--
Curse the dark, or light a match. You decide, it's your dark.
                -- Valdis Kletnieks

References:
- draft-ietf-opsec-logging-caps-03
  - From: Ron Bonica <rbonica@juniper.net>
- RE: draft-ietf-opsec-logging-caps-03
  - From: "patrick cain" <pcain@coopercain.com>
- Re: draft-ietf-opsec-logging-caps-03
  - From: Warren Kumari <warren@kumari.net>
- Re: draft-ietf-opsec-logging-caps-03
  - From: Roland Dobbins <rdobbins@cisco.com>

Prev by Date: Re: draft-ietf-opsec-logging-caps-03
Next by Date: Re: draft-ietf-opsec-logging-caps-03
Previous by thread: Re: draft-ietf-opsec-logging-caps-03
Next by thread: Re: draft-ietf-opsec-logging-caps-03
Index(es):
- Date
- Thread