> > I do agree here that the fact that the syslog protocol doesn't include sequence
> > numbers should be documented, but the example itself has not much to do with
> > this fact. Replaying log messages with the current protocol could be
> > achieved with sequence numbers added. The first paragraph of 5.2 is fine; it
> > states that a problem exists (no sequence numbers), and it can result in
> > reordered messages. The second paragraph has little new to say.
> >
> > IF messages can be sent without authentication and integrity protection,
> > normal activity of a computer can be simulated (by sending recorded log
> > events) when the computer itself is turned off, regardless of whether sequence
> > numbers are there or not.
> >
> > Maybe this should be moved to the malicious exploitation part of section
> > 5.1.
>
> This is not necessarily so.
> If the sequence is of non-predictable IDs chained to the previous one by the
> use of a one-way hash and an initial shared secret, an eavesdropper will not
> need more than just to capture syslog traffic, modify the contents and replay
> it.
Hi,
That's true, but in one of my earlier messages I stated something like:
"without cryptographic support, simple sequence numbering doesn't fix replay
attacks"
--
Scheidler Balázs BalaBit IT Biztonságtechnikai Kft.
tel/fax: +36-1/217-14-98 1092 Bp. Köztelek u. 4/B
http://www.balabit.hu
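The two mechanisms argued about above, as an added example that is not part of the thread or of any syslog implementation: a collector that checks only a plain sequence counter, next to one that checks a keyed hash chain seeded from a shared secret. The chain construction (an HMAC over the previous tag, the sequence number and the payload, keyed with a pre-shared secret) is my assumption of what "non-predictable IDs chained by a one-way hash and an initial shared secret" would look like; the secret, the log lines and the class names are all constructed for the example.

```python
import hashlib
import hmac

# Assumption: a secret shared out of band between sender and collector.
SHARED_SECRET = b"example-shared-secret-for-illustration"

# Constructed sample stream an attacker might capture from a host.
RECORDED = [
    b"<34>Jan  1 00:00:01 host sshd[100]: Accepted publickey for root",
    b"<34>Jan  1 00:00:02 host sshd[100]: session opened for user root",
    b"<34>Jan  1 00:05:00 host sshd[100]: session closed for user root",
]
EDITED = RECORDED[1].replace(b"root", b"backup")  # attacker-modified line


def initial_chain_value() -> bytes:
    """Both ends start the chain from a value derived from the shared secret."""
    return hashlib.sha256(b"chain-init|" + SHARED_SECRET).digest()


def chain_tag(prev_tag: bytes, seq: int, msg: bytes) -> bytes:
    """Keyed, chained tag: HMAC(secret, prev_tag || seq || msg).

    Including prev_tag binds every message to its predecessor; the key means
    nobody without the secret can compute a valid tag for a new or edited line."""
    mac = hmac.new(SHARED_SECRET, digestmod=hashlib.sha256)
    mac.update(prev_tag)
    mac.update(seq.to_bytes(8, "big"))
    mac.update(msg)
    return mac.digest()


class Sender:
    def __init__(self):
        self.seq = 0
        self.prev = initial_chain_value()

    def send(self, msg: bytes):
        self.seq += 1
        tag = chain_tag(self.prev, self.seq, msg)
        self.prev = tag
        return (self.seq, msg, tag)


class ChainReceiver:
    """Accepts a message only if it is the next in sequence AND its tag
    verifies against the last accepted tag. Rejections leave state untouched."""
    def __init__(self):
        self.expected_seq = 1
        self.prev = initial_chain_value()

    def accept(self, seq: int, msg: bytes, tag: bytes) -> bool:
        if seq != self.expected_seq:
            return False
        if not hmac.compare_digest(chain_tag(self.prev, seq, msg), tag):
            return False
        self.expected_seq += 1
        self.prev = tag
        return True


class PlainSeqReceiver:
    """Sequence numbers without any cryptography: accepts anything in order."""
    def __init__(self):
        self.expected_seq = 1

    def accept(self, seq: int, msg: bytes) -> bool:
        if seq != self.expected_seq:
            return False
        self.expected_seq += 1
        return True


def attack_plain_sequence_numbers():
    """Host is switched off; attacker replays the captured stream with one line
    edited and simply renumbers it to continue the counter. Everything passes."""
    rx = PlainSeqReceiver()
    live = [rx.accept(i + 1, m) for i, m in enumerate(RECORDED)]
    next_seq = rx.expected_seq
    replayed = [EDITED if i == 1 else m for i, m in enumerate(RECORDED)]
    replay = [rx.accept(next_seq + i, m) for i, m in enumerate(replayed)]
    return live, replay


def attack_chained_mac():
    """Same attacks against the chained receiver: verbatim replay, renumbered
    replay with the old tags, and an edited line with a tag made without the
    secret are all rejected; the real sender can still continue afterwards."""
    tx, rx = Sender(), ChainReceiver()
    captured = [tx.send(m) for m in RECORDED]
    live = [rx.accept(*c) for c in captured]
    replay = [rx.accept(*c) for c in captured]
    renumbered = [rx.accept(s + len(captured), m, t) for s, m, t in captured]
    forged = rx.accept(rx.expected_seq, EDITED, hashlib.sha256(EDITED).digest())
    resumed = rx.accept(*tx.send(b"<34>Jan  1 00:06:00 host sshd[100]: exiting"))
    return live, replay, renumbered, forged, resumed
```

The point of the plain-counter receiver is that a counter the attacker can read is a counter the attacker can rewrite, so "in order" says nothing about origin. The chained receiver only works as long as the collector keeps its chain state across its own restarts: if it falls back to `initial_chain_value()` after a reboot, a captured stream replayed from its first message verifies again, which is exactly the "host turned off" scenario from the quoted message.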