Balazs Scheidler wrote:
>
>
> I do agree here that the fact that the syslog protocol doesn't include sequence
> numbers should be documented, but the example itself has not much to do with
> this fact. Replaying log messages with the current protocol could be
> achieved with sequence numbers added. The first paragraph of 5.2 is fine, it
> states that a problem exists (no sequence numbers), and it can result in
> reordered messages. The second paragraph has little new to say.
>
> IF messages can be sent without authentication and integrity protection,
> normal activity of a computer can be simulated (by sending recorded log
> events) when the computer itself is turned off, regardless of whether sequence
> numbers are there or not.
>
> Maybe this should be moved to the malicious exploitation part of section
> 5.1.
This is not necessarily so.
If the sequence is of non-predictable ids chained to the previous by the use
of a one-way hash and an initial shared secret, an eavesdropper will not need
more than just capture syslog traffic, modify the contents and replay it.
This of course is susceptible to other attacks, i.e. if access to the
system generating the log traffic is possible.
-ivan
--
"Understanding. A cerebral secretion that enables one having it to know
a house from a horse by the roof on the house,
It's nature and laws have been exhaustively expounded by Locke,
who rode a house, and Kant, who lived in a horse." - Ambrose Bierce
==================[ CORE Seguridad de la Informacion S.A. ]=========
Iván Arce
Presidente
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
email : [EMAIL PROTECTED]
http://www.core-sdi.com
Pte. Juan D. Peron 315 Piso 4 UF 17
1038 Capital Federal
Buenos Aires, Argentina. Tel/Fax : +(54-11) 4331-5402
Casilla de Correos 877 (1000) Correo Central
=====================================================================
--- For a personal reply use [EMAIL PROTECTED]
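The chained, non-predictable ids Ivan describes, as an added example that is not part of the thread or of any syslog implementation: each record id is an HMAC-SHA256 over the previous id and the message, keyed with the shared secret, so a receiver that tracks the last verified id rejects modified, replayed or reordered records. The construction, the secret and the log lines are assumptions constructed for the example.

```python
import hashlib
import hmac

def _next_id(secret: bytes, prev_id: bytes, message: bytes) -> str:
    # Each id is a keyed one-way hash over the previous id and the message,
    # so it is unpredictable without the secret and bound to its chain position.
    return hmac.new(secret, prev_id + b"|" + message, hashlib.sha256).hexdigest()

def _first_link(secret: bytes) -> bytes:
    # The chain starts from a value derived from the shared secret (assumed layout).
    return hashlib.sha256(b"chain-start|" + secret).hexdigest().encode()

class Sender:
    def __init__(self, secret: bytes):
        self.secret, self.prev = secret, _first_link(secret)
    def emit(self, message: bytes):
        rid = _next_id(self.secret, self.prev, message)
        self.prev = rid.encode()
        return rid, message

class Receiver:
    def __init__(self, secret: bytes):
        self.secret, self.prev = secret, _first_link(secret)
    def accept(self, rid: str, message: bytes) -> bool:
        expected = _next_id(self.secret, self.prev, message)
        if not hmac.compare_digest(expected, rid):
            return False          # modified, replayed or out-of-order record
        self.prev = rid.encode()  # advance only on a verified record
        return True

def demo() -> dict:
    secret = b"constructed-shared-secret"   # constructed; provisioned out of band
    sender, receiver = Sender(secret), Receiver(secret)
    # Constructed sample events, not captured syslog traffic.
    events = [b"sshd: session opened for user alice",
              b"cron: job backup started",
              b"sshd: session closed for user alice"]
    records = [sender.emit(e) for e in events]
    results = {"genuine": all(receiver.accept(*r) for r in records)}
    # Replay: a captured, unmodified record is re-sent after the chain moved on.
    results["replay_rejected"] = not receiver.accept(*records[0])
    # Modification: a captured record is forwarded with altered contents.
    rid, _ = sender.emit(b"su: session opened for user root")
    results["tamper_rejected"] = not receiver.accept(rid, b"su: session opened for user bob")
    # The untouched record is still accepted: rejections do not advance the chain.
    results["genuine_after_reject"] = receiver.accept(rid, b"su: session opened for user root")
    return results

if __name__ == "__main__":
    print(demo())
```

Anyone holding the secret (Ivan's caveat about access to the generating system) can of course extend the chain at will; the check only detects tampering by a party without it.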