On Thu, 19 Dec 2002 13:32:20 -0500, "Marcus J. Ranum" wrote:
> >Maybe this is good, maybe it's bad, but it gets away from
> >varargs and is hopefully clear about relationship between type and
> >object data.
>
> Typing log data's a problem I think it's best to ignore.
> Systems aren't going to always have the best information
> and if they can't type it right we need to give them a
> chance to send something else - whatever they have. Which
> means that a lot of this stuff is going to get promoted
> to strings eventually.

No, I think the logical outcome of that is that everything is made binary. I'm sure we can all recall exploits where a sure-fire way of discovering if you'd been attacked was whether or not you saw a particular string of binary garbage (the payload) in your log. We need to account for the possibility that log data will have \0's liberally inserted.

So we want an interface more like:

    event_new(&evt);
    event_tag(&evt, "TAG", data, data_length);
    event_send(&evt);
    event_del(&evt);

For just a plain string I think you'll see people do add_tag(&evt, "TAG", string, strlen(string));. That should be discouraged, especially if string is somehow derived from user input.

I think the four things that I've listed there are the minimum, unless we want to use a single variadic function call (which strikes me as inelegant and perhaps not portable to languages not derived from or related to C, especially strongly-typed languages). Of course we need other functions for convenience and speed, but does anyone have any better proposals for a minimum workable set of functions? Also, what other helper functions do we need?

-- 
Kyle R. Hofmann <krhat_private>
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
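The four-call interface sketched in the message above, worked through as an added C example that is not part of the original thread or of any LogAnalysis project code. The names event_new, event_tag, event_send and event_del come from the message; the struct layout, the length-prefixed serialisation format, the FILE* sink argument on event_send, and the event_serialize and event_find helpers are assumptions made here for illustration. The point it demonstrates is the one the message makes: with an explicit length, a value containing an embedded \0 (a captured payload, for instance) is stored and emitted in full, whereas strlen() would have silently cut it at the first NUL.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct tag {
    char *name;           /* NUL-terminated tag name, e.g. "TAG" (a program constant) */
    unsigned char *data;  /* arbitrary bytes; may legitimately contain '\0' */
    size_t len;           /* explicit length: never recovered via strlen() */
};

struct event {
    struct tag *tags;
    size_t ntags, cap;
};

void event_new(struct event *evt)
{
    evt->tags = NULL;
    evt->ntags = evt->cap = 0;
}

/* Copy a length-delimited value into the event. Because len is passed
 * explicitly, a payload such as "\x90\x90\0\xcc" is kept whole instead of
 * being truncated at its first NUL, which is what strlen()-based tagging
 * would do. Returns 0 on success, -1 on allocation failure. */
int event_tag(struct event *evt, const char *name, const void *data, size_t len)
{
    if (evt->ntags == evt->cap) {
        size_t ncap = evt->cap ? evt->cap * 2 : 4;
        struct tag *grown = realloc(evt->tags, ncap * sizeof *grown);
        if (!grown) return -1;
        evt->tags = grown;
        evt->cap = ncap;
    }
    struct tag *t = &evt->tags[evt->ntags];
    size_t nlen = strlen(name) + 1;   /* names are constants, so strlen is fine here */
    t->name = malloc(nlen);
    t->data = malloc(len ? len : 1);
    if (!t->name || !t->data) { free(t->name); free(t->data); return -1; }
    memcpy(t->name, name, nlen);
    memcpy(t->data, data, len);
    t->len = len;
    evt->ntags++;
    return 0;
}

/* Helper (assumption, not from the message): look a tag up by name. */
const struct tag *event_find(const struct event *evt, const char *name)
{
    for (size_t i = 0; i < evt->ntags; i++)
        if (strcmp(evt->tags[i].name, name) == 0) return &evt->tags[i];
    return NULL;
}

/* Append n bytes at offset off if they fit; always return the new offset so
 * the caller can size a buffer with a NULL out and cap of 0. */
static size_t emit(unsigned char *out, size_t cap, size_t off, const void *src, size_t n)
{
    if (out && off + n <= cap) memcpy(out + off, src, n);
    return off + n;
}

/* Wire format (assumed for this example): per tag, a big-endian u32 name
 * length, the name bytes, a big-endian u32 data length, the data bytes.
 * Length prefixes rather than terminators are what make the format NUL-safe. */
size_t event_serialize(const struct event *evt, unsigned char *out, size_t cap)
{
    size_t off = 0;
    for (size_t i = 0; i < evt->ntags; i++) {
        const struct tag *t = &evt->tags[i];
        uint32_t nlen = (uint32_t)strlen(t->name), dlen = (uint32_t)t->len;
        unsigned char hdr[4];
        hdr[0] = nlen >> 24; hdr[1] = nlen >> 16; hdr[2] = nlen >> 8; hdr[3] = nlen;
        off = emit(out, cap, off, hdr, 4);
        off = emit(out, cap, off, t->name, nlen);
        hdr[0] = dlen >> 24; hdr[1] = dlen >> 16; hdr[2] = dlen >> 8; hdr[3] = dlen;
        off = emit(out, cap, off, hdr, 4);
        off = emit(out, cap, off, t->data, dlen);
    }
    return off;
}

/* Write the serialised event to a stream (a file, pipe or socket FILE*). */
int event_send(const struct event *evt, FILE *sink)
{
    size_t need = event_serialize(evt, NULL, 0);
    unsigned char *buf = malloc(need ? need : 1);
    if (!buf) return -1;
    event_serialize(evt, buf, need);
    int ok = fwrite(buf, 1, need, sink) == need;
    free(buf);
    return ok ? 0 : -1;
}

void event_del(struct event *evt)
{
    for (size_t i = 0; i < evt->ntags; i++) { free(evt->tags[i].name); free(evt->tags[i].data); }
    free(evt->tags);
    event_new(evt);
}

int main(void)
{
    struct event evt;
    event_new(&evt);
    /* Constructed sample: a text field plus a binary payload with an embedded NUL. */
    event_tag(&evt, "MSG", "login failed", 12);
    event_tag(&evt, "PAYLOAD", "\x90\x90\x00\xcc", 4);
    const struct tag *p = event_find(&evt, "PAYLOAD");
    printf("PAYLOAD stored %zu bytes; strlen() would have seen %zu\n", p->len, strlen((const char *)p->data));
    event_send(&evt, stdout);    /* binary output; pipe through a hex dumper to inspect */
    event_del(&evt);
    return 0;
}
```

event_serialize with a NULL buffer returns the size needed, so callers can allocate exactly once; a result larger than the cap they passed means the output is a prefix only and must not be sent.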
This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:18:42 PST