On 10/20/2013 04:15 AM, Botond Botyanszki wrote:
 > Hi,
 >
 > Thanks for the suggestions regarding the snare format. On one hand you
 > are right that it would enhance compatibility, on the other hand N/A is
 > used for all fields so we could also say that the OSSEC snare decoder
 > isn't perfect either. BTW, a similar case is W3C where the '-'
 > character (N/A equivalent) is allowed for fields which are undefined.

My current approach is to write the OSSEC Snare decoder to be compatible 
with real Snare and nxlog snare. It's more imprecise to allow for 
something like N/A and a numeric in a field, but considering that this 
is UDP syslog and that can be spoofed in any number of ways anyway, I am 
not entirely concerned. People worried about that will use the OSSEC agent.

 > There were several earlier suggestions regarding the snare format
 > produced by to_syslog_snare() and all that is not forgotten. It's just
 > that polishing the snare format isn't top priority since it is an old
 > looser format that the world is moving away from and there are far more
 > important features which are important to the users of nxlog.
 > Most of the snare format modifications would be quite trivial though. If
 > you or someone wants a sponsored development on this, feel free to get in
 > touch.

I understand what you mean about priorities. There are bigger fish to 
fry. :) I just figured I would at least make a post about it and start 
to try to contribute to the community in a small way. Maybe I'll 
contribute a patch at some point, but for the time being, writing a 
compatible OSSEC decoder is good enough.
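A tolerant parser for the compatibility question discussed above, as an added example (not code from the original post, and not OSSEC's or nxlog's own decoder): it accepts either a numeric value or an "N/A" placeholder in the numeric Snare fields, records which fields were missing, and still rejects a field that is neither. The tab-separated positional field layout, the field names, the treatment of the W3C "-" as equivalent to N/A, and the sample lines are all assumptions of this example, not something the post specifies.

```python
"""Tolerant parser for Snare-style Windows event lines carried over syslog.

Added example, not part of the original post and not OSSEC's or nxlog's own
code.  It ASSUMES the classic tab-separated Snare layout: a 'MSWinEventLog'
tag followed by fixed positional fields.  The field names, the set of fields
treated as numeric, and the placeholders accepted as 'not available' are
assumptions of this example.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed positional layout after the leading 'MSWinEventLog' tag.
FIELDS = [
    "criticality", "log_name", "counter", "timestamp", "event_id",
    "source", "user", "sid_type", "event_type", "computer",
    "category", "data", "expanded", "checksum",
]
# Fields a strict decoder would expect to be numeric.  A sender may fill
# them with a placeholder instead, so the parser must accept both forms.
NUMERIC_FIELDS = {"criticality", "counter", "event_id"}
# 'N/A' (Snare/nxlog style) and '-' (W3C style) both mean 'not available'.
NOT_AVAILABLE = {"N/A", "-", ""}


@dataclass
class SnareEvent:
    fields: dict
    missing: set = field(default_factory=set)  # numeric fields that were placeholders


def parse_snare(line: str) -> Optional[SnareEvent]:
    """Parse one syslog line; return None if it is not a usable Snare event."""
    # Skip the syslog PRI/timestamp/host prefix by locating the Snare tag.
    idx = line.find("MSWinEventLog")
    if idx < 0:
        return None
    values = line[idx:].rstrip("\r\n").split("\t")[1:]
    # Pad short lines so a sender that omits trailing fields still decodes.
    values += [""] * max(0, len(FIELDS) - len(values))

    record, missing = {}, set()
    for name, raw in zip(FIELDS, values):
        raw = raw.strip()
        if name in NUMERIC_FIELDS:
            if raw in NOT_AVAILABLE:
                record[name] = None
                missing.add(name)
            elif raw.isdigit():
                record[name] = int(raw)
            else:
                # Neither a number nor a known placeholder: reject the line.
                # Being lenient about N/A does not mean accepting garbage.
                return None
        else:
            record[name] = None if raw in NOT_AVAILABLE else raw
    return SnareEvent(fields=record, missing=missing)


# Constructed sample lines (not captured from a real system).
SNARE_LINE = (
    "<13>Oct 20 04:15:00 winhost MSWinEventLog\t1\tSecurity\t1042\t"
    "Sun Oct 20 04:15:00 2013\t4624\tMicrosoft-Windows-Security-Auditing\t"
    "N/A\tN/A\tSuccess Audit\twinhost\tLogon\t\t"
    "An account was successfully logged on.\t0"
)
# Same layout, but with placeholders where a strict decoder wants numbers.
NXLOG_LINE = (
    "<13>Oct 20 04:15:00 winhost MSWinEventLog\tN/A\tApplication\tN/A\t"
    "Sun Oct 20 04:15:00 2013\t1000\tMyApp\tN/A\tN/A\tInformation\t"
    "winhost\tNone\t\tService started\tN/A"
)
# A corrupted event id that is neither numeric nor a placeholder.
GARBAGE_LINE = SNARE_LINE.replace("\t4624\t", "\t46x24\t")
# An unrelated syslog line with no Snare tag at all.
OTHER_LINE = "<13>Oct 20 04:15:00 host sshd[123]: Accepted publickey for user"


if __name__ == "__main__":
    for label, line in [("snare", SNARE_LINE), ("nxlog", NXLOG_LINE),
                        ("garbage", GARBAGE_LINE), ("other", OTHER_LINE)]:
        ev = parse_snare(line)
        if ev is None:
            print(f"{label}: rejected")
        else:
            print(f"{label}: event_id={ev.fields['event_id']} "
                  f"missing={sorted(ev.missing)}")
```

The point of the `missing` set is that a downstream rule can still tell "the sender had no counter" apart from "the counter was zero". As the post notes, this transport is plain UDP syslog, so a lenient parser changes nothing about trust in the sender: the leniency is about not dropping legitimate nxlog output, not about validating who sent it; origin assurance is what the OSSEC agent is for.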

_______________________________________________
nxlog-ce-users mailing list
nxlog-ce-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nxlog-ce-users
