Find the answer to your Linux question:
Results 1 to 4 of 4
I have read the man page for syslog. I was wondering if there was some way to use syslog as an intrusion dedection system, logging unauthorized attempts to access my ...
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Jul 2004
    Posts
    53

    Slackware and syslog?


    I have read the man page for syslog. I was wondering if there was some way to use syslog as an intrusion dedection system, logging unauthorized attempts to access my system. The man page seems to be for a piece of c code that is compiled along with the kernel. Since I have yet to build my own kernel (which I should probably do since I installed 9.1 without realizing 10 came out?) I don't think I know what the options were that it was compiled with. Right? Any info would be greatly appreciated.

  2. #2
    Linux Guru
    Join Date
    Apr 2003
    Location
    London, UK
    Posts
    3,284
    If you are going to do IDS logging properly using syslog, then you would setup a syslogd (man syslogd) that you could log to over the network (ie, remotely). Any IDS application would then send messages to the remote syslogd rather than the local one. The advantage of doing this is if the attacker has root on the local box they can just wipe / "adjust" the logged syslog entries.

    My guess is you were looking at "man syslog", which gives details of logging to syslog with applications you may write yourself in C.

    Syslog is not an IDS system, it is merly a log facility enabling a varity of applications to log to a central place on a system. You would have IDS programs that log to syslog.

    IDS is such a massive topic, here would proberly be the place to go for more general info and to see what software is around:
    http://www.google.com/search?hl=en&i...=Google+Search

    Jason

  3. #3
    Linux Guru sarumont's Avatar
    Join Date
    Apr 2003
    Location
    /dev/urandom
    Posts
    3,682
    Snort is a popular IDS. I'm not sure about it's ability to log to a remote syslog daemon, but I'm sure it can.
    "Time is an illusion. Lunchtime, doubly so."
    ~Douglas Adams, The Hitchhiker's Guide to the Galaxy

  4. #4
    Just Joined!
    Join Date
    Jul 2004
    Posts
    53
    Thanks for the information.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •