[rsyslog] UDP source forging.

Rainer Gerhards rgerhards at hq.adiscon.com
Thu Feb 26 18:46:27 CET 2009


On Sun, 2009-03-01 at 23:56 -0800, david at lang.hm wrote:
> On Fri, 27 Feb 2009, david at lang.hm wrote:
> 
> > On Thu, 26 Feb 2009, david at lang.hm wrote:
> >
> >> 
> >> this works for reopening the socket each time, but if I uncomment the bind
> >> the sendto fails (error 22, invalid input)
> >> 
> >> I haven't yet figured out what I'm missing on the bind that's causing this
> >
> > a little more testing and I find that the bind succeeds, but no traffic goes 
> > out unless the source IP exists somewhere on the box (it can be bound to 
> > lo:0, but it needs to exist)
> >
> > so the non-local-bind approach may not work :-(
> >
> > it's just hit midnight here, so I'm going to call it a night and try again 
> > tomorrow.
> 
> I abandoned this approach and spent the weekend learning how to do raw 
> sockets. I found a library that makes it not that bad to do (at least for 
> the IPv4 that I've done so far, IPv6 adds some wrinkles)
> 
> the one thing that's not clear to me at this point is how to find the 
> original source IP of the message. Is that available in a variable inside 
> UDPSend, or is it something that I will have to get earlier in the process 
> and then pass explicitly to UDPSend?

Actually, output modules do not receive access to the full message
object. This was originally done for security reasons (do not pass more
than needed). All they can receive is the strings that are passed to
them. So the module would need to be modified so that a second string
(like ommail) is passed and that string needs to be defined as the
to-be-spoofed IP (which also enables rewriting the source IP).

From all the discussion, it may make sense to start with a different
output plugin that may later be merged back into the original one...

Rainer
> 
> David Lang