[syslog-ng]replacing part of prog name with hostname

Noam Meltzer tsnoam@excite.com
Sat, 4 Jan 2003 07:13:00 -0500 (EST)




--- On Fri 01/03, Balazs Scheidler wrote:
> From: Balazs Scheidler [mailto: bazsi@balabit.hu]
> To: syslog-ng@lists.balabit.hu
> Date: Fri, 3 Jan 2003 12:13:20 +0100
> Subject: Re: [syslog-ng]replacing part of prog name with hostname
>
> On Fri, Jan 03, 2003 at 05:03:03AM -0500, Noam Meltzer wrote:
> > I won't expect Sun to change their native syslogd. Their syslogd is
> > working good in its native environment, and its "harmonic" with other
> > native syslogd is very good. For me it doesn't seem like a bug. Just
> > another mechanism.
>
> It is not Solaris's syslogd that has the bug. It's ctld which sends bogus
> data in its messages.

And many other Solaris' internal mechanisms, like a warning that "/var/adm/utmp exists", and then in another line "for more information refer to the manpage of utmp".
And when you have problems with your hd, you get bad warnings then, and when the lpr complains about printing, it also sends two-line logs.
This is just a different method of sending the logs.
Solaris counts on you that you will reverse resolve the originating machine, and not to interpret the data line you get.
I can send you reports of my sniffing to show you that this is not a bug in syslogd of Solaris, if you would like me to. (even though I'm sure you have a reachable Solaris machine, and already done it yourself)

> > Solaris' syslogd recognizes the hostname by doing
> > reverse-resolution for each packet. And I don't think it's such a bad
> > idea. The current mechanism of syslog-ng is trying to run some regexp on
> > the data string (If I understood you correctly). I believe that the
> > Solaris mechanism is more secure because that way you know for sure that
> > the originating IP is who it claims to be. (Yes, you can always hijack
> > (hope I spelled this correct) an IP in the network, but I guess that in
> > that case you have other trouble). In syslog-ng mechanism, some1 can
> > inject you fake logs. (I don't know what good it can give an attacker...
> > but I'm sure that some criminal mind can find what to do with this).
>
> in keep_hostname(no) state, syslog-ng does not trust the host name in any
> way. but this interacts badly with ctld.

You still haven't answered about my security question.

Noam

_______________________________________________
Join Excite! - http://www.excite.com
The most personalized portal on the Web!
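As an added illustration of the keep_hostname(no) state Balazs refers to, the fragment below is a syslog-ng collector configuration written for this note; it is not taken from the thread or from the syslog-ng project, and the source name, listening port and per-host file path are assumptions. It shows the combination that makes syslog-ng behave the way Noam describes Solaris' syslogd: ignore the hostname carried in the packet and derive $HOST from a reverse lookup of the sender's address instead.

```conf
# Added example (not from the thread): a syslog-ng collector that never
# trusts the hostname field carried inside a received message.
options {
    # Discard the hostname the sender wrote into the packet and use the
    # sending address instead. This is the keep_hostname(no) state Balazs
    # mentions: the message's own hostname field is not trusted at all.
    keep_hostname(no);
    # Reverse-resolve that address to a name for every message, which is
    # the per-packet reverse resolution Noam describes for Solaris' syslogd.
    # Cost: a DNS lookup for each sender address the collector sees.
    use_dns(yes);
    use_fqdn(yes);
    # Do not prepend the names of intermediate relays to the resolved name.
    chain_hostnames(no);
};

# Network source and per-host file layout are assumptions for this example.
source s_net {
    udp(ip(0.0.0.0) port(514));
};

destination d_per_host {
    # $HOST here is the reverse-resolved sender, never a value taken from
    # the message text.
    file("/var/log/remote/$HOST/messages"
         template("$ISODATE $HOST $PROGRAM: $MSG\n"));
};

log { source(s_net); destination(d_per_host); };
```

Two caveats follow from the thread itself. First, this setting only governs where the hostname comes from; the rest of the line is stored as the sender produced it, so it does not by itself repair a daemon such as ctld that puts bogus data in its messages. Second, as Noam notes, a reverse lookup only tells you which address the packet came from, so the name is only as trustworthy as the path between the sender and the collector.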
