Attacking Log analysis tools

Log Analysis (i.e. LIDS - Log-Based Intrusion Detection) can be a very powerful tool to complement NIDS/HIDS and improve network security. I pointed out some of its benefits in the following articles: Log analysis for intrusion detection and Log analysis using OSSEC.

However, like any other technology, when not done properly, it can add new security vulnerabilities and end up causing more harm than good.

The purpose of this article is to point out some vulnerabilities that I found in open source log analysis tools aimed at stopping brute force scans against SSH and ftp services. Since these tools also perform active response (automatically blocking the offending IP address), they make good examples. However, any tool that parses logs can be equally vulnerable.