Re: [logs] Syslog payload format

From: marc (marcat_private)
Date: Thu Dec 19 2002 - 05:15:48 PST

    >    Instead of using backslashes or carets to handle special characters,
    >    you could use URL-style encoding with a percent sign followed by two
    >    hex characters.
    
    Also a reasonable choice. But my objective was to make it readable as
    well as simple - and I know I prefer reading something like
    
      event="invalid login" username="max^Hrc" request="please^M^Jhelp"
    to
      event="invalid login" username="max%08rc" request="please%0d%0ahelp"
    
    >    It's slightly simpler, and (even better) there's lots of C and Perl code
    >    around to handle encode/decode already.
    
    Not really a problem, as I have already implemented it :-) See
    idsa-??.?/lib/escape.c. The code is LGPL.
    
    But these are minor issues. I have a stronger position on
    internationalisation - I don't think it belongs in a syslog parser -
    for the people who like the ISO model, something like that goes into
    the presentation or application layer, and presumably logging would be
    something lower level. And as somebody whose first language isn't English
    I am allowed to dis internationalisation ;-)
    
    For a similar reason I am hesitant to support a simplified version of
    XML, as there will be people who'll inevitably use a full XML parser
    ("why not", thinks the programmer, "my implementation language is fully XML
    *enabled*") which will create an entire new class of desynchronisation
    attacks, with the fancy log storage/attack correlation engine not being
    able to tell that <host>ben&amp;jerry<host>, <host>ben&jerry</host>,
    <host>ben%26jerry</host>, <host>ben&38;jerry</host> (+ the N unicode
    permutations) are all the same.
    
    regards
    
    marc
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
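
An added example, not part of the original message and not the idsa code it mentions: caret-style escaping of a field value in Python, with a strict decoder so that every value has exactly one encoding and two log consumers cannot disagree about it. Only the `^H` and `^M^J` forms come from the message; the backslash escapes for `"`, `^` and `\`, the `^?` form for DEL, and passing bytes above 0x7f through untouched are assumptions.

```python
# Added example: rules beyond the ^H / ^M^J forms shown in the message are assumptions.

def encode_value(raw: bytes) -> bytes:
    """Escape one field value so it is safe inside key="value" on a single line."""
    out = bytearray()
    for b in raw:
        if b in b'\\"^':                 # assumed: backslash-escape the metacharacters
            out += bytes([0x5C, b])
        elif b < 0x20:                   # control byte -> caret notation, 0x08 -> ^H
            out += bytes([0x5E, b + 0x40])
        elif b == 0x7F:                  # DEL -> ^?
            out += b"^?"
        else:                            # printable ASCII; bytes >= 0x80 stay opaque
            out.append(b)
    return bytes(out)

def decode_value(enc: bytes) -> bytes:
    """Strict inverse: anything encode_value cannot produce is an error."""
    out = bytearray()
    i = 0
    while i < len(enc):
        b = enc[i]
        if b < 0x20 or b in (0x22, 0x7F):
            raise ValueError(f"unescaped byte 0x{b:02x} at offset {i}")
        if b not in (0x5C, 0x5E):        # ordinary byte, copy through
            out.append(b)
            i += 1
            continue
        if i + 1 == len(enc):
            raise ValueError("dangling escape at end of value")
        n = enc[i + 1]
        if b == 0x5C and n in b'\\"^':   # \\  \"  \^
            out.append(n)
        elif b == 0x5E and 0x40 <= n <= 0x5F:   # ^@ .. ^_
            out.append(n - 0x40)
        elif b == 0x5E and n == 0x3F:    # ^?
            out.append(0x7F)
        else:
            raise ValueError(f"invalid escape at offset {i}")
        i += 2
    return bytes(out)

if __name__ == "__main__":
    # Constructed sample: a username that tries to close the quote and start a new line.
    hostile = b'max" event="login ok"\nevent="x'
    print(b'username="' + encode_value(hostile) + b'"')
    print(decode_value(encode_value(hostile)) == hostile)
```

A literal caret cannot be written as `^^` because caret notation already uses that pair for byte 0x1e, which is why the example escapes it with a backslash instead.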
    



    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:29:22 PST