Re: [logs] Syslog payload format

From: Darren Reed (avalonat_private)
Date: Thu Dec 19 2002 - 18:41:07 PST

  • Next message: Darren Reed: "Re: [logs] Syslog payload format"

    In some mail from Kyle R. Hofmann, sie said:
    > 
    > On Thu, 19 Dec 2002 13:32:20 -0500, "Marcus J. Ranum" wrote:
    > > >Maybe this is good, maybe it's bad, but it gets away from
    > > >varargs and is hopefully clear about relationship between type and
    > > >object data.
    > > 
    > > Typing log data's a problem I think it's best to ignore.
    > > Systems aren't going to always have the best information
    > > and if they can't type it right we need to give them a
    > > chance to send something else - whatever they have. Which
    > > means that a lot of this stuff is going to get promoted
    > > to strings eventually.
    > 
    > No, I think the logical outcome of that is that everything is made binary.
    > I'm sure we can all recall exploits where a sure-fire way of discovering if
    > you'd been attacked was whether or not you saw a particular string of binary
    > garbage (the payload) in your log.  We need to account for the possibility
    > that log data will have \0's liberally inserted.
    
    I'm with you on this.  I suppose it makes ASN.1 seem more likely and
    perhaps harder to resist if faced with it, but how many buffer overflows,
    etc, are because of problems with string handling ?  Unless we are all
    using a "safe" language like Java, where you'd just write serialise
    methods for the log objects, it just seems like we're asking for trouble.
    
    I suppose there have been similar problems with ASN.1 and SNMP so if
    we were to avoid strings on the grounds of security, so too we should
    try and avoid ASN.1 (which is less than trivial to parse or generate.)
    
    > So we want an interface more like:
    > 
    > event_new(&evt);
    > event_tag(&evt, "TAG", data, data_length);
    > event_send(&evt);
    > event_del(&evt);
    
    And make "evt" be a "void *" ? >:)
    
    > For just a plain string I think you'll see people do add_tag(&evt, "TAG",
    > string, strlen(string));.  That should be discouraged, especially if
    > string is somehow derived from user input.
    
    Why ?  Maybe it is necssary to return a value from event_tag() and
    have it "fail" if the "TAG" arg contains bad data ?
    
    Where I was coming from with building up an array of things was it is
    not a big deal to change one element if you are doing something like
    emitting a log record per iteration when walking through a list or
    an array.  I do take Marcus's comment about exposing internal data
    types though.
    
    > I think the four things that I've listed there are the minimum, unless we
    > want to use a single variadic function call (which strikes me as inelegant
    > and perhaps not portable to languages not derived from or related to C,
    > especially strongly-typed languages).  Of course we need other functions for
    > convienience and speed, but does anyone have any better proposals for a
    > minimum workable set of functions?  Also, what other helper functions do we
    > need?
    
    On the topic of helped functions, an analogue to openlog() is one.
    
    Something I would like to remind people about, here, is that the
    transmission of data may not look anything like the storing of it
    in log files.  Both have completely different purposes so there
    should be no reason to make their content the same (?).  Hence the
    protocol data need not be "grep'able".
    
    Darren
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Fri Dec 20 2002 - 20:10:05 PST