> >chapter 5.2.
> >------------
> >
> >"Also, without any sequence indication, messages may be recorded and
> >replayed. An attacker may record a set of messages that indicate normal
> >activity of a machine. At a later time, that attacker may remove that
> >machine from the network and resend the Syslog messages to the
> >collector. The administrators would find nothing unusual in the
> >received messages and their receipt would again indicate normal activity
> >of the machine."
> >
> >Since anyone can send anything, no sequence information would prevent them
> >from doing that, though if the first seqno is generated randomly the attacker
> >may not know its value, at least as long as she can't sniff it off the
> >network. I think this paragraph should be removed. Sequence information would
> >be helpful in reordering messages, but nothing else. (Of course, if extended
> >with cryptographic tools, sequence numbers can prevent replay attacks, but
> >not in this case.)
>
> The purpose of the entire section 5 is to bring to light the security
> concerns of the current Syslog protocol. This particular section shows
> another potential problem since there is no sequence information built
> into the protocol. I hope that people who use the current Syslog protocol
> have a clue about this, but I think that this needs to be documented to
> make this ID complete. It may also be used by the authors of future IDs
> as they may choose to propose mechanisms that will address this concern.
> (..and I hope that they do. :-) As you note, unprotected sequence numbers
> as well as unprotected timestamps will not prevent replaying as those may
> be easily modified.
>
Sorry for my late answer.
I do agree here that the fact that the syslog protocol doesn't include sequence
numbers should be documented, but the example itself has not much to do with
this fact. Replaying log messages with the current protocol could be
achieved even with sequence numbers added. The first paragraph of 5.2 is fine; it
states that a problem exists (no sequence numbers), and it can result in
reordered messages. The second paragraph has little new to say.
IF messages can be sent without authentication and integrity protection,
normal activity of a computer can be simulated (by sending recorded log
events) when the computer itself is turned off, regardless of whether sequence
numbers are there or not.
Maybe this should be moved to the malicious exploitation part of section
5.1.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
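The point made in this thread, as an added Python example that is not part of the list discussion or the ID: a collector that only tracks sequence numbers accepts recorded messages once they are renumbered, while one that first verifies an HMAC binding the number to the message detects both verbatim and renumbered replays. The per-sender shared key, the "seq:tag:msg" framing, the sliding window size and the log text are constructed assumptions for illustration.

```python
import hmac
import hashlib
# Constructed: a per-sender shared key and "seq:tag:msg" framing are assumed here.
KEY = b"constructed-shared-key"

def protected_frame(seq, msg, key=KEY):
    """Sender side: bind the sequence number to the message with an HMAC."""
    tag = hmac.new(key, f"{seq}:{msg}".encode(), hashlib.sha256).hexdigest()
    return f"{seq}:{tag}:{msg}"

class SeqOnlyCollector:
    """Unprotected sequence numbers: any unseen number is trusted."""
    def __init__(self):
        self.seen = set()
    def accept(self, line):
        seq = int(line.split(":", 1)[0])
        if seq in self.seen:
            return False
        self.seen.add(seq)
        return True

class AuthenticatedCollector:
    """Verifies the tag first, then rejects seen or too-old sequence numbers."""
    def __init__(self, key=KEY, window=64):
        self.key, self.window, self.seen, self.highest = key, window, set(), -1
    def accept(self, line):
        seq_s, tag, msg = line.split(":", 2)
        seq = int(seq_s)
        want = hmac.new(self.key, f"{seq}:{msg}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, want):
            return False  # tag does not cover this seq/msg pair: forged or renumbered
        if seq in self.seen or seq <= self.highest - self.window:
            return False  # already accepted, or fell out of the replay window
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        return True

def renumber(lines, offset):
    # Resend recorded lines with fresh sequence numbers (the replay case above).
    return [f"{i + offset}:{m.split(':', 1)[1]}" for i, m in enumerate(lines)]

def demo():
    msg = "host1 sshd[100]: session opened"  # constructed log text
    recorded = [f"{i}:{msg}" for i in range(3)]
    signed = [protected_frame(i, msg) for i in range(3)]
    plain, auth = SeqOnlyCollector(), AuthenticatedCollector()
    live_ok = all(plain.accept(m) for m in recorded) and all(auth.accept(m) for m in signed)
    replay_passes_unprotected = all(plain.accept(m) for m in renumber(recorded, 3))
    verbatim_rejected = not any(auth.accept(m) for m in signed)
    renumbered_rejected = not any(auth.accept(m) for m in renumber(signed, 3))
    return live_ok, replay_passes_unprotected, verbatim_rejected, renumbered_rejected
```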