RE: [Syslog] delineated datagrams

"Rainer Gerhards" <rgerhards@hq.adiscon.com> Thu, 10 August 2006 03:29 UTC

From: Rainer Gerhards <rgerhards@hq.adiscon.com>
To: Balazs Scheidler <bazsi@balabit.hu>, John Calcote <jcalcote@novell.com>
Cc: syslog@ietf.org, Tom Petch <nwnetworks@dial.pipex.com>

Bazsi, all,

I am not really able to follow the thread, but let me put in an
important thought.

We *must* allow LF inside the message. If we do not do that, it would
cause problems with -protocol. This issue has been discussed at length,
and there are good reasons for allowing it. So while I vote to use LF
for record delineation, I also say that this means LF MUST be escaped if
present in the actual message (transfer encoding). After being decoded,
LF may be present in MSG.

Maybe this already has been said ;)

Rainer 

> -----Original Message-----
> From: Balazs Scheidler [mailto:bazsi@balabit.hu] 
> Sent: Wednesday, August 09, 2006 1:47 AM
> To: John Calcote
> Cc: syslog@ietf.org; 'Tom Petch'
> Subject: RE: [Syslog] delineated datagrams
> 
> On Tue, 2006-08-08 at 13:44 -0600, John Calcote wrote:
> > Chris,
> > 
> > While I agree with you in principle that both forms of delineation are
> > nice to have for interop, I _wish_ we could get rid of LF - that so
> > limits the sort of data that can be sent in the message. My two
> > cents...
> 
> The messages you send are _already_ limited as most syslog daemons
> replace "\n" character with something else as it would clobber the
> message file when it is written to disk. 
> 
> In fact leaving the CR LF characters in the message could be a security
> risk as that way messages can be "hidden", for instance if a daemon
> writes the following message:
> 
> This is a foo message, bar=<data supplied by external entity>
> 
> Then the value for "bar" might contain CR, putting the cursor to the
> beginning of the line on a usual VT100 compatible terminal, and the rest
> of it can pose as a regular log message, overwriting the previous one on
> the screen.
> 
> Of course this can be worked around by using some form of escaping while
> data is written to files, but again the LF character does not remain
> intact.
> 
> syslog-ng for instance replaces CR and LF characters in the message with
> a space as it comes in. I rarely heard any complaints about this
> behaviour. And another fact is syslog/RAW also uses LF line terminators
> when multiple messages are delivered in a single BEEP frame.
> 
> -- 
> Bazsi
> 
> 
> _______________________________________________
> Syslog mailing list
> Syslog@lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/syslog
> 
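The scheme discussed in this message (LF delineates records, so an LF inside MSG is escaped on the wire and restored after decoding), together with the output-side escaping mentioned in the quoted reply, as an added example that is not part of the original thread. The backslash escaping and all function names are assumptions; the thread does not specify a transfer encoding.

```python
ESC, LF = b"\\", b"\n"  # backslash escaping is an assumption, not from the thread

def encode_record(msg: bytes) -> bytes:
    """Transfer-encode MSG so that a raw LF on the wire only ends a record."""
    return msg.replace(ESC, ESC + ESC).replace(LF, ESC + b"n") + LF

def _unescape(rec: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(rec):
        if rec[i:i + 1] != ESC:
            out.append(rec[i])
            i += 1
            continue
        nxt = rec[i + 1:i + 2]
        if nxt not in (b"n", ESC):
            raise ValueError("invalid or truncated escape in record")
        out += LF if nxt == b"n" else ESC
        i += 2
    return bytes(out)

def decode_stream(buf: bytes):
    """Split on raw LF; return (decoded MSGs, bytes of an incomplete record)."""
    *records, tail = buf.split(LF)
    return [_unescape(r) for r in records], tail

def to_log_line(msg: bytes) -> str:
    """Render MSG for a file or terminal with CR, LF and other control
    characters made visible, so one MSG is always exactly one output line."""
    out = []
    for ch in msg.decode("utf-8", "replace"):
        if ch == "\\":
            out.append("\\\\")
        elif ch.isprintable():
            out.append(ch)
        else:
            out.append(f"\\x{ord(ch):02x}")
    return "".join(out)

# Constructed sample: "bar" carries CR and LF supplied by an external entity.
SAMPLE = b"This is a foo message, bar=x\rJan  1 00:00:00 host app: all fine\nmore"

if __name__ == "__main__":
    wire = encode_record(SAMPLE) + encode_record(b"second record")
    msgs, tail = decode_stream(wire)
    assert msgs == [SAMPLE, b"second record"] and tail == b""
    for m in msgs:
        print(to_log_line(m))
```

The decoded MSG still contains the original CR and LF bytes; only the rendering step makes them visible, so the stored or displayed line cannot be split or overwritten by message content.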
