On 11/29/16 11:31 AM, Randy Bush wrote:
> why do folk block syslog/514?

because spoofing syslog entries is a thing. in general I don't let members of the general public emit junk into my logs, except of course spammers who are quite well represented albeit indirectly, as is the case here.

> who can come up with the first exploit based on a tricky entry?

it's a fairly narrow surface area on the syslog receiver given the emitter is the router's syslogd, so for example something like
http://www.rsyslog.com/remote-syslog-pri-vulnerability/ is under the control of the syslogd, not the sender.

128 characters is of somewhat limited value in syslog spoofing as you have to flap your bgp session in order to emit a new line.

do you think receiver operation should be more tightly specified in some way?

thanks
joel

> randy
>
> _______________________________________________
> Idr mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/idr
_______________________________________________
GROW mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/grow
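The receiver-side check the thread is asking about, as an added example that is not from the thread or from any router vendor: it assumes the peer-supplied free-text message is an untrusted byte string of at most 128 octets (the "128 characters" above) that the receiving router hands to its local syslogd, and it neutralises the one thing a spoofer needs, a newline or control character that would end the current syslog record and start a forged one.

```python
import unicodedata

# Assumed cap on the peer-supplied message, in octets (the thread's "128 characters").
MAX_OCTETS = 128


def sanitize_for_syslog(raw: bytes, max_octets: int = MAX_OCTETS) -> str:
    """Render an untrusted peer message as one printable line for the local syslog.

    - truncate before decoding so an oversize message cannot inflate the log line
    - decode as UTF-8 with replacement, never raising on malformed input
    - escape backslashes so the escapes below stay unambiguous
    - escape control, format, private-use, unassigned and line/paragraph
      separator characters, so the message cannot terminate the syslog record
    """
    data = raw[:max_octets]
    text = data.decode("utf-8", errors="replace")
    out = []
    for ch in text:
        cat = unicodedata.category(ch)
        if ch == "\\":
            out.append("\\\\")
        elif cat[0] == "C" or cat in ("Zl", "Zp"):
            cp = ord(ch)
            out.append("\\x%02x" % cp if cp < 0x100 else "\\u%04x" % cp)
        else:
            out.append(ch)
    return "".join(out)


def format_log_line(peer: str, message: bytes) -> str:
    """Build the single syslog line the receiving router would emit for a peer shutdown."""
    return 'bgp: session with %s closed by peer, reason="%s"' % (peer, sanitize_for_syslog(message))


if __name__ == "__main__":
    # Constructed sample: a benign reason followed by an attempted second, forged record.
    forged = b"maintenance window\n<34>1 forged-host sshd: root login accepted"
    print(format_log_line("192.0.2.1", forged))
```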
