The Syslog standard is used for logging event messages from network devices and endpoints, as shown in the figure. The standard allows for a system-neutral means of transmitting, storing, and analyzing messages. Many types of devices from many different vendors can use Syslog to send log entries to central servers that run a Syslog daemon. This centralization of log collection helps to make security monitoring practical. Servers that run Syslog typically listen on UDP port 514.
They attack Syslog servers that contain the information that could lead to detection of the exploit. Hackers may attempt to block the tractor of data from Syslog clients to servers, tamper with or destroy log data, or tamper with the software that creates and transmits log messages. The next generation (ng) Syslog implementation, known as Syslog-ng, offers enhancements that can help prevent some of the exploits that target Syslog.
Search the internet for more information about Syslog-ng..
This can serve to obfuscate traces of ongoing exploits.
DNS is now used by many types of malware. Some varieties of malware use DNS to communicate with command-and-control (CnC) servers and to exfiltrate data in traffic disguised as normal DNS queries. Various types of encoding, such as Base64, 8-bit binary, and Hex can be used to camouflage the data and evade basic data loss prevention (DLP) measures.
The exfiltrated data is the encoded text shown in the box. The threat actor collects this encoded data, decodes and combines it, and now has access to an entire data file, such as a username/password database.
HTTP and HTTPS
HTTP iFrame Injection Exploit
An arrow goes from the client pc to a server in a cloud: the client browser creates a symmetric key and sends it to the server. Next section: web server decrypts the symmetric key using it’s private key. An arrow goes from the cloud server to the p c:web server uses the symmetric key to encrypt the page and sends it to the client. At the bottom: the client browser uses the symmetric key to decrypt the page and display the information to the user.
SMTP sends data from a host to a mail server and between mail servers. Like DNS and HTTP, it is a common protocol to see leaving the network. Because there is so much SMTP traffic, it is not always monitored.
Email Protocol Threats
Note: This site might be blocked by your institution’s firewall.
A number of tools exist for crafting tunnels. Search the internet for Ping Tunnel to explore one such tool.