Wednesday 27 May 2009

New Syslog RFCs

Several new RFCs for syslog were issued in March:

So, what has improved since the previous RFC (3164), especially in RFC 5424 [1]:

  1. In section 5.1, "Minimum Required Transport Mapping":
     "All implementations of this specification MUST support a TLS-based transport as described in RFC 5425."
     Yay! So they discovered TLS, that's great. Especially since RFC 5425 supports certificate authentication (section 4.2.1), certificate path validation, fingerprints, etc.
  2. Improved timestamps (section 6.2.3), with support for milliseconds, time zones and UTC offsets.
  3. Section 6.3 describes structured data (name-value pairs).
  4. Section 7: Structured Data IDs.
     This allows an enterprise ID (registered with IANA) to be used for the structured data elements.
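
To make the timestamp and structured-data points concrete, here is a small RFC 5424 parser, added as an example for this post (it is not code from the post, nor from rsyslog or any other syslog implementation). It handles the PRI, the timestamp with fractional seconds and UTC offset, and the SD-ELEMENTs keyed by SD-ID including the backslash escapes of section 6.3.3; it assumes Python 3.7 or later for datetime.fromisoformat().

```python
import re
from datetime import datetime

# HEADER = <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID, then SP
_HEADER = re.compile(r'^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) '
                     r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ')
# SD-ELEMENT = "[" SD-ID *(SP PARAM-NAME "=" DQUOTE PARAM-VALUE DQUOTE) "]"; SD-NAME: 1-32 chars, none of '= ]"'
_SD_ELEMENT = re.compile(r'\[(?P<sdid>[^ =\]"]{1,32})(?P<params>(?: [^ =\]"]{1,32}="(?:[^"\\]|\\.)*")*)\]')
_SD_PARAM = re.compile(r' ([^ =\]"]{1,32})="((?:[^"\\]|\\.)*)"')

def parse_timestamp(ts):
    """TIMESTAMP is NILVALUE ('-') or RFC 3339 with optional fraction and TZ offset."""
    if ts == '-':
        return None
    # fromisoformat() before Python 3.11 accepts neither 'Z' nor 1-2/4-5 fractional digits; normalise
    ts = re.sub(r'Z$', '+00:00', ts)
    ts = re.sub(r'\.(\d{1,6})', lambda m: '.' + m.group(1).ljust(6, '0'), ts)
    return datetime.fromisoformat(ts)

def _unescape(value):
    # Inside PARAM-VALUE the characters '"', '\' and ']' are backslash-escaped (section 6.3.3)
    return re.sub(r'\\([\\"\]])', r'\1', value)

def parse_syslog(line):
    """Parse one RFC 5424 message into header fields, structured data and MSG."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 5424 message')
    pri = int(m.group('pri'))
    msg = {'facility': pri // 8, 'severity': pri % 8, 'version': int(m.group('version')),
           'timestamp': parse_timestamp(m.group('ts')), 'hostname': m.group('host'),
           'appname': m.group('app'), 'procid': m.group('procid'),
           'msgid': m.group('msgid'), 'sd': {}, 'msg': None}
    rest = line[m.end():]
    if rest.startswith('-'):            # NILVALUE: no structured data
        rest = rest[1:]
    else:
        while rest.startswith('['):     # one or more SD-ELEMENTs, no separator between them
            e = _SD_ELEMENT.match(rest)
            if not e:
                raise ValueError('malformed STRUCTURED-DATA')
            params = _SD_PARAM.findall(e.group('params'))
            msg['sd'][e.group('sdid')] = {k: _unescape(v) for k, v in params}
            rest = rest[e.end():]
    if rest.startswith(' '):            # optional SP MSG
        msg['msg'] = rest[1:]
    elif rest:
        raise ValueError('unexpected data after STRUCTURED-DATA')
    return msg
```

Run it on the RFC's own example message (`<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 [exampleSDID@32473 iut="3" ...] ...`) and the SD-ID `exampleSDID@32473` comes back as a dict of its parameters, with facility 20 and severity 5 split out of the PRI.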

However, there is nothing really useful on reliability (resending events, making sure they were delivered, etc.), except the very poor (and useless) section 8.5, which only acknowledges the lack of support :/ Well, Prelude IDS can do that pretty well.

Also, nothing on taxonomy, though it may be improved with structured data. However, that would require a good definition of events, formats, etc., and given the current state of CEE, which is quite dead (3 mails on the list so far this year), it won't improve... There is something to be done here.

Notes

[1] Some of the features (like TLS) are already present in good implementations of syslog (like rsyslog).

Wednesday 20 May 2009

New GPG Key

Partly because of the latest theoretical attack against the SHA-1 digest algorithm (details), I created a new GPG key:

sec   4096R/F1393998 2009-05-10
uid                  Pierre Chifflier <chifflier@gmail.com>
uid                  Pierre Chifflier <chifflier@inl.fr>
uid                  Pierre Chifflier <pollux@debian.org>
uid                  pollux <pollux@wzdftpd.net>
uid                  Pierre Chifflier <chifflier@cpe.fr>

It's signed with my old key 0x8D5F40CB, uploaded to keyservers, and will replace my old key.

Sunday 3 May 2009

libnetfilter-{queue,log} bindings release

I just released nfqueue-bindings 0.2 and nflog-bindings 0.1. Despite the different version numbers, the functions are almost the same :)

Here is a short changelog since the previous version:

Add af_family argument to bind operations (allow IPv6 binds)
Add notes on set_queue_maxlen requiring a kernel >= 2.6.20
bugfix: use queue number when creating queue
bugfix: really link Perl binding to Perl library
Fix cmake warning

Get them on nfqueue-bindings and nflog-bindings.