> Instead of using backslashes or carets to handle special characters,
> you could use URL-style encoding with a percent sign followed by two
> hex characters.
Also a reasonable choice. But my objective was to make it readable as
well as simple - and I know I prefer reading something like
event="invalid login" username="max^Hrc" request="please^M^Jhelp"
to
event="invalid login" username="max%08rc" request="please%0d%0ahelp"
> It's slightly simpler, and (even better) there's lots of C and Perl code
> around to handle encode/decode already.
Not really a problem, as I have already implemented it :-) See
idsa-??.?/lib/escape.c. The code is LGPL.
But these are minor issues. I have a stronger position on
internationalisation - I don't think it belongs in a syslog parser -
for the people who like the ISO model, something like that goes into
the presentation or application layer, and presumably logging would be
something lower level. And as somebody whose first language isn't English
I am allowed to dis internationalisation ;-)
For a similar reason I am hesitant to support a simplified version of
XML, as there will be people who'll inevitably use a full XML parser
("why not", thinks the programmer, "my implementation language is fully XML
*enabled*") which will create an entire new class of desynchronisation
attacks, with the fancy log storage/attack correlation engine not being
able to tell that <host>ben&jerry<host>, <host>ben&jerry</host>,
<host>ben%26jerry</host>, <host>ben&38;jerry</host> (+ the N unicode
permutations) are all the same.
regards
marc
_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:29:22 PST