[rsyslog] UDP source forging.

david at lang.hm david at lang.hm
Tue Mar 3 13:01:29 CET 2009


On Mon, 2 Mar 2009, david at lang.hm wrote:

> On Thu, 26 Feb 2009, Rainer Gerhards wrote:
>
>> Actually, output modules do not receive access to the full message
>> object. This was originally done for security reasons (do not pass more
>> than needed). All they can receive is the strings that are passed to
>> them. So the module would need to be modified so that a second string
>> (like ommail) is passed and that string needs to be defined as the
>> to-be-spoofed IP (what also enables to rewrite the source IP).
>
> I will look into this.

I haven't had time to figure this out yet.

>> From all the discussion, it may make sense to start with a different
>> output plugin that may later be merged back into the original one...
>
> Ok, I won't try to have it do everything and just concentrate on doing the 
> forging.

Attached is a diff that turns the UDP forwarding into forging, currently 
with a fixed from address of 1.1.1.1 port 2.

I also needed to modify the makefile to add
LIBS = /usr/lib/libnet.a

for it to compile.

In my research, I learned that syslog-ng uses this same library for its 
forging.

So far I have avoided looking at the syslog-ng code (I wanted to 
understand what was happening on my own, and I also avoid any potential 
license issues until I can check on them).

David Lang

