[osiris-devel] monitoring host state
Alexei Roudnev
Alexei_Roudnev at exigengroup.com
Tue Jan 6 19:55:50 EST 2004
This means syntax like this:
<Users>
Exclude name("guest")
</Users>
<Services>
Exclude attribute(status)
IncludeAll
</Services>
(Maybe, later).
But, if you implement
<System>
monitor users
monitor services
</System>
you have no room for filters.
----- Original Message -----
From: "Alexei Roudnev" <Alexei_Roudnev at exigengroup.com>
To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
Sent: Tuesday, January 06, 2004 4:14 PM
Subject: Re: [osiris-devel] monitoring host state
> Status is suspicious. We have many services which can be in both UP and
> DOWN states; so if I add Services, I'd like to be able to Exclude
> something...
>
> Btw - can we have some kind of Include and Exclude applicable to these
> objects (users, groups, services)?
>
> Maybe
>
> <Users>
> Exclude user("guest")
> IncludeAll
> </Users>
> <Services>
> Include ...
> Exclude ...
> IncludeAll
> </Services>
>
> At least, if you add new objects which are complex, you should allow future
> extensions for better control. For the services, it may be important.
>
> Additionally, I do not want to control service status, but I'd like to
> control command names and arguments for the services.
> Service status is an operational object, which reflects the current system
> state, not the stateful system state.
>
> PS. There is a big set of operational parameters which can be used inside an
> IDS. Service status is one example; listening ports is another; etc., etc.
> But it is important to understand that these are operational parameters, so
> they should have different control rules and control methods.
>
> ----- Original Message -----
> From: "Brian Wotring" <brian at shmoo.com>
> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> Sent: Tuesday, January 06, 2004 3:39 PM
> Subject: Re: [osiris-devel] monitoring host state
>
>
> >
> > On Windows, it displays:
> >
> > >> windows kmods (services): name, display_name, status (types
> > >> SERVICE_WIN32)
> >
> > On Jan 6, 2004, at 4:18 PM, Alexei Roudnev wrote:
> >
> > > What is 'services'? I mean - what is scanned?
> > >
> > >
> > >
> > > ----- Original Message -----
> > > From: "Brian Wotring" <brian at shmoo.com>
> > > To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> > > Sent: Tuesday, January 06, 2004 2:02 PM
> > > Subject: Re: [osiris-devel] monitoring host state
> > >
> > >
> > >>
> > >> You can test these features by adding this to your config:
> > >>
> > >> <System>
> > >> Include users
> > >> Include groups
> > >> Include services
> > >> </System>
> > >>
> > >> And, debug configurations have been added to all of the Visual Studio
> > >> project files.
> > >>
> > >> On Jan 6, 2004, at 2:52 PM, Alexei Roudnev wrote:
> > >>
> > >>> Hmm, NT.. I think I have (yet) 1 NT. I'll try to verify (btw, virtual
> > >>> machines can be a good choice for testing).
> > >>>
> > >>> Which version - 3.0?
> > >>>
> > >>> ----- Original Message -----
> > >>> From: "Brian Wotring" <brian at shmoo.com>
> > >>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> > >>> Sent: Tuesday, January 06, 2004 12:46 PM
> > >>> Subject: Re: [osiris-devel] monitoring host state
> > >>>
> > >>>
> > >>>>
> > >>>> I've only tested this on Windows 2000. If you could verify this on NT
> > >>>> and XP, that would be really helpful.
> > >>>>
> > >>>> On Jan 6, 2004, at 1:39 PM, Alexei Roudnev wrote:
> > >>>>
> > >>>>> Excellent - if it works -:).
> > >>>>>
> > >>>>> Where (which OS) did you test it already?
> > >>>>>
> > >>>>> ----- Original Message -----
> > >>>>> From: "Brian Wotring" <brian at shmoo.com>
> > >>>>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> > >>>>> Sent: Tuesday, January 06, 2004 6:02 AM
> > >>>>> Subject: Re: [osiris-devel] monitoring host state
> > >>>>>
> > >>>>>
> > >>>>>>
> > >>>>>> The user entry for Windows now contains a list of groups that user
> > >>>>>> is a member of.
> > >>>>>>
> > >>>>>> On Jan 5, 2004, at 1:05 PM, Alexei_Roudnev wrote:
> > >>>>>>
> > >>>>>>> For Windows, you need to monitor, at least,
> > >>>>>>>
> > >>>>>>> Users, 'Member Of', with names instead of group SIDs. I can find
> > >>>>>>> the code which allows extracting such information (I wrote it in
> > >>>>>>> the past: user, list of groups).
> > >>>>>>>
> > >>>>>>> It is not excellent, but works.
> > >>>>>>>
> > >>>>>>>
> > >>>>>>> ----- Original Message -----
> > >>>>>>> From: "Brian Wotring" <brian at shmoo.com>
> > >>>>>>> To: "Osiris Developers" <osiris-devel at lists.shmoo.com>
> > >>>>>>> Sent: Monday, January 05, 2004 11:38 AM
> > >>>>>>> Subject: [osiris-devel] monitoring host state
> > >>>>>>>
> > >>>>>>>
> > >>>>>>>>
> > >>>>>>>> Here is what we have so far. I'm mostly concerned with the lack
> > >>>>>>>> of any significant attributes on the Windows side. If anyone
> > >>>>>>>> knows of any way to expand this, now is the time.
> > >>>>>>>>
> > >>>>>>>> unix users: name,uid,gid,gecos,home,shell
> > >>>>>>>> windows users: name, privs, home, flags, auth_flags
> > >>>>>>>>
> > >>>>>>>> unix groups: group,gid
> > >>>>>>>>
> > >>>>>>>> For Windows, only the name. The LOCAL_GROUP_INFO structure
> > >>>>>>>> contains only the name and the comment field. Getting the gid and
> > >>>>>>>> other attributes requires using NetGroupEnum(), which I have found
> > >>>>>>>> to be unreliable for listing local group information.
> > >>>>>>>>
> > >>>>>>>> linux kmods: same as output from lsmod
> > >>>>>>>> darwin kexts: same as output from kextstat
> > >>>>>>>> windows kmods (services): name, display_name, status (types
> > >>>>>>>> SERVICE_WIN32)
> > >>>>>>>>
> > >>>>>>>> --
> > >>>>>>>> Brian Wotring ( brian at shmoo.com )
> > >>>>>>>> PGP KeyID: 0x9674763D
> > >>>>>>>>
> > >>>>>>>> _______________________________________________
> > >>>>>>>> osiris-devel mailing list
> > >>>>>>>> osiris-devel at lists.shmoo.com
> > >>>>>>>> https://lists.shmoo.com/mailman/listinfo/osiris-devel
> > >>>>>>>>
>
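The filter syntax proposed in this thread, worked through as an added example. This is not Osiris code and not code from any participant; it shows how an `Include`/`Exclude` block per object class can be parsed and applied when a baseline snapshot of users, groups and services is compared with a current one, so that an operational attribute such as service `status` is kept out of the comparison while a changed service binary is still reported. The rule semantics (`Exclude name(...)` always wins, `IncludeAll` or `Include name(...)` selects, `Exclude attribute(...)` strips a field), the `user(...)` alias, the `command` service attribute and every snapshot value are assumptions made for the illustration.

```python
"""Added example, not Osiris code: parse the Include/Exclude filter syntax
proposed in the thread and apply it when comparing two host-state snapshots.
Rule semantics, the 'command' service attribute and all snapshot values are
assumptions made for the illustration."""
import re

# Proposed syntax from the thread; 'user(...)' is taken as an alias of 'name(...)'.
CONFIG = """
<Users>
Exclude name("guest")
IncludeAll
</Users>
<Groups>
Include name("Administrators")
</Groups>
<Services>
Exclude attribute(status)
IncludeAll
</Services>
"""
BLOCK_RE = re.compile(r"<(\w+)>(.*?)</\1>", re.S)
RULE_RE = re.compile(r'^(Include|Exclude)\s+(name|user|attribute)\((?:"([^"]*)"|(\w+))\)$')

def parse_config(text):
    """Return {section: [(verb, kind, value)]}; a malformed rule raises ValueError."""
    sections = {}
    for section, body in BLOCK_RE.findall(text):
        rules = []
        for line in (l.strip() for l in body.splitlines() if l.strip()):
            if line == "IncludeAll":
                rules.append(("IncludeAll", "", ""))
                continue
            m = RULE_RE.match(line)
            if not m:
                raise ValueError(f"{section}: cannot parse rule {line!r}")
            verb, kind, quoted, bare = m.groups()
            rules.append((verb, "name" if kind == "user" else kind,
                          quoted if quoted is not None else bare))
        sections[section] = rules
    return sections

def apply_filters(rules, objects):
    """Assumed semantics: 'Exclude name(X)' always wins; otherwise an object is
    watched if 'IncludeAll' is present or 'Include name(X)' names it; 'Exclude
    attribute(A)' strips A from watched objects, which keeps an operational
    field such as service status out of the comparison."""
    excluded = {v for verb, kind, v in rules if verb == "Exclude" and kind == "name"}
    included = {v for verb, kind, v in rules if verb == "Include" and kind == "name"}
    dropped = {v for verb, kind, v in rules if verb == "Exclude" and kind == "attribute"}
    include_all = any(verb == "IncludeAll" for verb, _, _ in rules)
    return {name: {k: v for k, v in attrs.items() if k not in dropped}
            for name, attrs in objects.items()
            if name not in excluded and (include_all or name in included)}

def diff_state(baseline, current, config):
    """Return (section, object, attribute, old, new) tuples; attribute is None
    when a whole object appeared or disappeared."""
    changes = []
    for section, rules in config.items():
        old = apply_filters(rules, baseline.get(section, {}))
        new = apply_filters(rules, current.get(section, {}))
        for name in sorted(old.keys() - new.keys()):
            changes.append((section, name, None, old[name], None))
        for name in sorted(new.keys() - old.keys()):
            changes.append((section, name, None, None, new[name]))
        for name in sorted(old.keys() & new.keys()):
            for attr in sorted(old[name].keys() | new[name].keys()):
                if old[name].get(attr) != new[name].get(attr):
                    changes.append((section, name, attr, old[name].get(attr), new[name].get(attr)))
    return changes

# Constructed snapshots shaped like the Windows attributes listed in the thread
# (users: privs, flags, groups; services: display_name, status) plus an assumed
# 'command' attribute holding the service binary.
SVC = r"C:\WINNT\system32\services.exe"
BASELINE = {
    "Users": {"Administrator": {"privs": "admin", "flags": "0x210", "groups": "Administrators"},
              "guest": {"privs": "guest", "flags": "0x215", "groups": "Guests"}},
    "Groups": {"Administrators": {"members": "Administrator"}, "Guests": {"members": "guest"}},
    "Services": {"W32Time": {"display_name": "Windows Time", "status": "RUNNING", "command": SVC},
                 "Eventlog": {"display_name": "Event Log", "status": "RUNNING", "command": SVC}},
}
CURRENT = {
    "Users": {"Administrator": BASELINE["Users"]["Administrator"],
              "guest": {"privs": "guest", "flags": "0x210", "groups": "Guests"},        # enabled; excluded by name
              "backup": {"privs": "admin", "flags": "0x210", "groups": "Administrators"}},  # new admin: reported
    "Groups": {"Administrators": {"members": "Administrator,backup"}, "Guests": {"members": ""}},  # Guests not included
    "Services": {"W32Time": {**BASELINE["Services"]["W32Time"], "status": "STOPPED"},   # status dropped
                 "Eventlog": {**BASELINE["Services"]["Eventlog"],
                              "command": r"C:\WINNT\Temp\svchost.exe"}},               # binary swapped: reported
}

if __name__ == "__main__":
    for section, name, attr, old, new in diff_state(BASELINE, CURRENT, parse_config(CONFIG)):
        print(f"{section}: {name}" + (f".{attr}" if attr else "") + f" {old!r} -> {new!r}")
```

With these snapshots only three changes survive the filters: the new `backup` user, the changed membership of `Administrators`, and the swapped `Eventlog` binary; the enabled `guest` account, the stopped `W32Time` service and the emptied `Guests` group are all filtered out by the three rule types.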