Re: [logs] syslog/tcp (selp)

From: Bennett Todd (betat_private)
Date: Thu Jan 09 2003 - 13:36:16 PST

  • Next message: Mikael Olsson: "Re: [logs] syslog/tcp (selp)"

    That protocol could work, but another thought just occurred to me.
    If we allow MSGs that include CRLFs within them, we're also
    accepting that outputting these records in a straight text file is a
    lossy operation; and that in turn means that it's easy to send a
    message that "forges" a log entry in the file.
    Maybe we can drop this, on the reasoning that if people are wanting
    to send MSGs containing CRLFs, they probably don't want anything
    like syslog at all?
    Either we should abandon this line, stick with the simplest possible
    protocol, and totally outlaw CRs and LFs within the MSG; or else we
    should note that any implementation that outputs to a normal logfile
    is defective, losing critical framing information and so making it
    easy for attackers to forge log entries.

    _______________________________________________ LogAnalysis mailing list LogAnalysisat_private

    This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 15:30:38 PST