Chris Petersen wrote:
> A friend of mine (who introduced me to SEC) just sent over a link to a
> rather interesting/disturbing article that details methods of
> attacking log analysis tools like SEC:
>
> http://www.ossec.net/en/attacking-loganalysis.html
>
> I suspect a lot could be fixed by updating the patterns that we use
> (given that SEC has the power of perlre behind it). It's also a good
> reason to use strict matching and anchoring to the start *and* end of
> log strings.
An interesting paper indeed and I fully agree with the message it conveys.
In order to provide a similar example for SEC, avoid using $1, $2 and other
special variables on the command line, unless you are certain about their
content. If possible, use the 'pipe' action for passing potentially
dangerous data to external commands forked from SEC. Also, write your
regular expressions with care, so that known content will be assigned to
variables.

br,
risto

> -Chris

_______________________________________________
Simple-evcorr-users mailing list
https://lists.sourceforge.net/lists/listinfo/simple-evcorr-users
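As an added illustration of the three points above (example rules written for this thread, not taken from the post or from the SEC distribution): the first rule shows the weak form, the second applies them. The syslog line layout, the script path and the field limits are assumptions.

```ini
# Weak rule (assumed log layout): the pattern is unanchored, the first
# capture accepts any text, and $1/$2 are interpolated straight into a
# shell command line, so whatever the log line carries reaches the shell.
type=Single
ptype=RegExp
pattern=Failed password for (.+) from (\S+)
desc=SSH failure for $1 from $2
action=shellcmd /usr/local/bin/notify-admin.sh $1 $2

# Hardened rule: anchor at both ends, describe the whole line, and limit
# every capture to a known character set so only expected content is
# assigned to $1 and $2. The data is then written to the script's stdin
# with 'pipe' instead of being placed on the command line at all.
type=Single
ptype=RegExp
pattern=^\S+ +\d+ [\d:]+ \S+ sshd\[\d+\]: Failed password for (?:invalid user )?([A-Za-z0-9_.-]{1,32}) from (\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$
desc=SSH failure for $1 from $2
action=pipe 'user=$1 src=$2' /usr/local/bin/notify-admin.sh
```

The script behind 'pipe' reads one line from standard input and never sees the values as shell arguments, so the remaining check is that the capture classes really cover only what the script expects.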
