[osiris-devel] monitoring host state

Alexei Roudnev Alexei_Roudnev at exigengroup.com
Tue Jan 6 19:14:15 EST 2004


Status is suspicious. We have many services which can be in both the UP and
DOWN states; so if I add Services, I'd like to be able to Exclude
something...

Btw - can we have some kind of Include and Exclude applicable to these
objects (users, groups, services)?

Maybe

<Users>
Exclude user("guest")
IncludeAll
</Users>
<Services>
Include ...
Exclude ...
IncludeAll
</Services>

At least, if you add new objects which are complex, you should allow future
extensions for better control. For the services, it may be important.

Additionally, I do not want to control service status, but I'd like to
control command names and arguments for the services.
Service status is an operational object, which reflects the current system
state, not the stateful system state.

PS. There is a big set of operational parameters which can be used inside an
IDS. Service status is one example; listening ports is another; etc. etc...
But it is important to understand that these are operational parameters, so
they should have other control rules and control methods.

----- Original Message ----- 
From: "Brian Wotring" <brian at shmoo.com>
To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
Sent: Tuesday, January 06, 2004 3:39 PM
Subject: Re: [osiris-devel] monitoring host state


>
> On Windows, it displays:
>
> >> windows kmods (services):  name, display_name, status  (types
> >> SERVICE_WIN32)
>
> On Jan 6, 2004, at 4:18 PM, Alexei Roudnev wrote:
>
> > What is 'services'? I mean - what is scanned?
> >
> >
> >
> > ----- Original Message -----
> > From: "Brian Wotring" <brian at shmoo.com>
> > To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> > Sent: Tuesday, January 06, 2004 2:02 PM
> > Subject: Re: [osiris-devel] monitoring host state
> >
> >
> >>
> >> You can test these features by adding this to your config:
> >>
> >> <System>
> >>      Include users
> >>      Include groups
> >>      Include services
> >> </System>
> >>
> >> And, debug configurations have been added to all of the Visual Studio
> >> project files.
> >>
> >> On Jan 6, 2004, at 2:52 PM, Alexei Roudnev wrote:
> >>
> >>> Hmm, NT... I think I have (yet) 1 NT. I'll try to verify (btw, virtual
> >>> machines can be a good choice for testing).
> >>>
> >>> Which version - 3.0?
> >>>
> >>> ----- Original Message -----
> >>> From: "Brian Wotring" <brian at shmoo.com>
> >>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> >>> Sent: Tuesday, January 06, 2004 12:46 PM
> >>> Subject: Re: [osiris-devel] monitoring host state
> >>>
> >>>
> >>>>
> >>>> I've only tested this on Windows 2000.  If you could verify this on
> >>>> NT and XP, that would be really helpful.
> >>>>
> >>>> On Jan 6, 2004, at 1:39 PM, Alexei Roudnev wrote:
> >>>>
> >>>>> Excellent - if it works -:).
> >>>>>
> >>>>> Where (which OS) did you test it already?
> >>>>>
> >>>>> ----- Original Message -----
> >>>>> From: "Brian Wotring" <brian at shmoo.com>
> >>>>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> >>>>> Sent: Tuesday, January 06, 2004 6:02 AM
> >>>>> Subject: Re: [osiris-devel] monitoring host state
> >>>>>
> >>>>>
> >>>>>>
> >>>>>> The user entry for Windows now contains a list of groups that user
> >>>>>> is a member of.
> >>>>>>
> >>>>>> On Jan 5, 2004, at 1:05 PM, Alexei_Roudnev wrote:
> >>>>>>
> >>>>>>> For Windows, you need to monitor, at least,
> >>>>>>>
> >>>>>>>  Users, 'Member Of', with names instead of group SIDs. I can find
> >>>>>>> the code which allows extracting such information (I wrote it in
> >>>>>>> the past - user, list of groups).
> >>>>>>>
> >>>>>>> It is not excellent, but works.
> >>>>>>>
> >>>>>>>
> >>>>>>> ----- Original Message -----
> >>>>>>> From: "Brian Wotring" <brian at shmoo.com>
> >>>>>>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> >>>>>>> Sent: Monday, January 05, 2004 11:38 AM
> >>>>>>> Subject: [osiris-devel] monitoring host state
> >>>>>>>
> >>>>>>>
> >>>>>>>>
> >>>>>>>> Here is what we have so far.  I'm mostly concerned with the lack
> >>>>>>>> of any significant attributes on the Windows side.  If anyone
> >>>>>>>> knows of any way to expand this, now is the time.
> >>>>>>>>
> >>>>>>>> unix users: name,uid,gid,gecos,home,shell
> >>>>>>>> windows users: name, privs, home, flags, auth_flags
> >>>>>>>>
> >>>>>>>> unix groups:  group,gid
> >>>>>>>>
> >>>>>>>> For Windows, only the name.  The LOCAL_GROUP_INFO structure
> >>>>>>>> contains only the name and the comment field.  Getting the gid
> >>>>>>>> and other attributes requires using NetGroupEnum(), which I have
> >>>>>>>> found to be unreliable for listing local group information.
> >>>>>>>>
> >>>>>>>> linux kmods:  same as output from lsmod
> >>>>>>>> darwin kexts: same as output from kextstat
> >>>>>>>> windows kmods (services):  name, display_name, status  (types
> >>>>>>>> SERVICE_WIN32)
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>>      Brian Wotring ( brian at shmoo.com )
> >>>>>>>>      PGP KeyID: 0x9674763D
> >>>>>>>>
> >>>>>>>> _______________________________________________
> >>>>>>>> osiris-devel mailing list
> >>>>>>>> osiris-devel at lists.shmoo.com
> >>>>>>>> https://lists.shmoo.com/mailman/listinfo/osiris-devel
> >>>>>>>>
> >>>>>>>
> >>>>>> --
> >>>>>>      Brian Wotring ( brian at shmoo.com )
> >>>>>>      PGP KeyID: 0x9674763D
> >>>>>>
> >>>> --
> >>>>      Brian Wotring ( brian at shmoo.com )
> >>>>      PGP KeyID: 0x9674763D
> >>>>
> >>>
> >> --
> >>      Brian Wotring ( brian at shmoo.com )
> >>      PGP KeyID: 0x9674763D
> >>
> --
>      Brian Wotring ( brian at shmoo.com )
>      PGP KeyID: 0x9674763D
>
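An added example, written for this archive page (it is not Osiris code and comes from nobody on the thread), that puts the two points argued in the message above into working form: a parser for Include/Exclude rules in the syntax sketched there, and a baseline/compare pass over user and service records that ignores an operational attribute (service status) while still flagging changes to configuration attributes. The rule syntax, the record layout, the binary_path attribute standing in for the service command name and arguments, and all sample data are assumptions constructed for the demo.

```python
# Added example (not Osiris code): baseline/compare over host-state records
# with Include/Exclude rules in the form proposed above.  The rule syntax,
# record layout, 'binary_path' attribute and sample data are all assumptions.
import copy
import fnmatch
from dataclasses import dataclass

# Attributes that say what an object is doing now, not how it is configured.
# They are recorded in a snapshot but never compared.
OPERATIONAL = {"services": {"status"}}

@dataclass
class Rule:
    action: str   # "include" or "exclude"
    pattern: str  # glob on the object name; "*" stands for IncludeAll

def parse_rules(text):
    """Parse <Users>/<Services> blocks of lines like  Exclude user("guest")
    or  IncludeAll  into {"users": [Rule, ...]}.  First matching rule wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("</"):
            current = None
        elif line.startswith("<"):
            current = line[1:-1].lower()
            sections[current] = []
        elif current is None:
            raise ValueError("rule outside a section: %r" % line)
        elif line == "IncludeAll":
            sections[current].append(Rule("include", "*"))
        else:
            action, _, rest = line.partition(" ")
            if action not in ("Include", "Exclude") or '"' not in rest:
                raise ValueError("bad rule: %r" % line)
            name = rest[rest.index('"') + 1:rest.rindex('"')]
            sections[current].append(Rule(action.lower(), name))
    return sections

def selected(name, rules):
    """True if the first rule matching `name` is an Include."""
    for rule in rules:
        if fnmatch.fnmatchcase(name, rule.pattern):
            return rule.action == "include"
    return False  # no match and no IncludeAll: not monitored

def compare(kind, baseline, current, rules):
    """[(name, change), ...] for monitored objects of `kind` whose
    configuration attributes differ; operational attributes are ignored."""
    skip = OPERATIONAL.get(kind, set())
    section = rules.get(kind, [])
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if not selected(name, section):
            continue
        if name not in baseline:
            changes.append((name, "added"))
        elif name not in current:
            changes.append((name, "removed"))
        else:
            old, new = baseline[name], current[name]
            diff = sorted(k for k in set(old) | set(new)
                          if k not in skip and old.get(k) != new.get(k))
            if diff:
                changes.append((name, "changed:" + ",".join(diff)))
    return changes

# Constructed sample configuration and baseline; not taken from a real host.
RULES = parse_rules("""
<Users>
Exclude user("guest")
IncludeAll
</Users>
<Services>
Exclude service("Spooler")
IncludeAll
</Services>
""")

BASELINE = {
    "users": {"Administrator": {"groups": ["Administrators"]},
              "guest": {"groups": ["Guests"]}},
    "services": {
        "w32time": {"display_name": "Windows Time", "status": "RUNNING",
                    "binary_path": r"C:\WINNT\system32\svchost.exe -k netsvcs"},
        "Spooler": {"display_name": "Print Spooler", "status": "RUNNING",
                    "binary_path": r"C:\WINNT\system32\spoolsv.exe"}},
}

def run_demo():
    """Mutate a copy of BASELINE and return what the compare pass flags."""
    now = copy.deepcopy(BASELINE)
    now["services"]["w32time"]["status"] = "STOPPED"             # operational: ignored
    now["services"]["Spooler"]["binary_path"] = r"C:\tmp\x.exe"  # excluded: ignored
    now["services"]["evil"] = {"display_name": "Evil", "status": "RUNNING",
                               "binary_path": r"C:\tmp\evil.exe"}  # new: reported
    now["users"]["guest"]["groups"] = ["Administrators"]         # excluded: ignored
    now["users"]["Administrator"]["groups"].append("Backup Operators")  # reported
    return {kind: compare(kind, BASELINE[kind], now[kind], RULES)
            for kind in ("users", "services")}
```

Rules are evaluated in file order and the first match wins, so an Exclude has to come before IncludeAll to have any effect; without an IncludeAll, objects that no rule names are simply not monitored. Calling run_demo() reports the new "evil" service and the changed group membership of Administrator, and says nothing about the stopped w32time service (operational attribute), the excluded guest account or the excluded Spooler service, even though their records did change.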
