On Tue, 14 Jun 2011 13:50:36 +0100 Alexander Clouter wrote:
> What does parsing offline buy you security-wise
> that a live system cannot? Privilege separation/dropping is straightforward
> in the case of tcpdump/libpcap, and input validation is
> approximately /[a-z0-9_.]+/i and would be a problem in both the live and
> offline case.
>

I meant a separate, permanently offline machine: any exploit/attack has almost nowhere to go. The point is, parsing online is not best practice.

> Another method is to physically decouple the collector from the parser.
> Although traffic/cpu intensive, syslog'ing the output to another box
> live and having it parsed (say via a syslog-ng pipe() destination) as it
> appears would be perfectly feasible.

Yep, and a one-way cable as per snort.org would be best practice, giving realtime functionality and being safe, though your parser and so logging could potentially still be attacked or damaged/prevented. Though an attacker would likely struggle to know he succeeded.
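As an added illustration of the collector/parser decoupling discussed above (not part of the original thread), here is a constructed syslog-ng configuration pair: the collector box feeds tcpdump output into syslog-ng and ships it over the network, and the parser box receives it and writes it to a FIFO that the parsing process reads. The interface, the parser host address, the port and the FIFO path are assumptions; the FIFO is assumed to have been created with mkfifo and to be readable only by the unprivileged parser account.

```conf
# --- collector box (the only host that touches the wire) ---
# Assumed: capture interface eth0; tcpdump run line-buffered (-l) so each
# packet summary becomes one log message as it is produced.
source s_tcpdump {
    program("/usr/sbin/tcpdump -nn -l -i eth0");
};

# Assumed parser host 192.0.2.10 (documentation range), UDP 514.
# Over a one-way cable only this direction exists, so a compromised
# parser has no path back to the collector.
destination d_parser_box {
    udp("192.0.2.10" port(514));
};

log { source(s_tcpdump); destination(d_parser_box); };

# --- parser box (never sees raw traffic, only forwarded text) ---
source s_from_collector {
    udp(port(514));
};

# Assumed FIFO /var/run/tcpdump.fifo, created beforehand with mkfifo and
# owned by the parser's unprivileged user; the parser reads it line by line
# and applies its own whitelist (e.g. the /[a-z0-9_.]+/i rule from the
# thread) before doing anything with a field.
destination d_parser_fifo {
    pipe("/var/run/tcpdump.fifo");
};

log { source(s_from_collector); destination(d_parser_fifo); };
```

The parser process itself should run as the FIFO's unprivileged owner, so a bug triggered by forwarded text is confined to that account on the parser box rather than to the capture host.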