diff -r 55072a52aaa4 -r 673c04be67e9 etc/decoder.xml
--- a/etc/decoder.xml	Wed Nov 04 20:51:36 2009 -0500
+++ b/etc/decoder.xml	Fri Nov 06 19:53:36 2009 +0000
@@ -70,17 +70,16 @@
 
 <decoder name="pam-host">
   <parent>pam</parent>
   <prematch> rhost</prematch>
   <regex offset="after_prematch">^=(\S+)</regex>
   <order>srcip</order>
 </decoder>
 
-
   
 <!-- SSH decoder.
   -  Will extract username and srcip from the logs.
   -  Only add to the FTS if the login was successful
   -  If the login failed, just extract the username/srcip for correlation
   -  Examples:
   -  sshd[8813]: Accepted password for root from 192.168.10.1 port 1066 ssh2
   -  sshd[2404]: Accepted password for root from 192.168.11.1 port 2011 ssh2
@@ -1499,17 +1498,59 @@
   <fts>name, location, extra_data</fts>
 </decoder>
 
 <decoder name="ossec-alert">
   <program_name>^ossec$</program_name>
   <plugin_decoder>OSSECAlert_Decoder</plugin_decoder>
 </decoder>  
 
+<!-- Agentless Decoder
+  - Will 
+  -->
 
+<decoder name="agentless">
+  <prematch>^\.gentless: Log:</prematch>
+  <type>ossec</type>
+</decoder>
+
+
+<decoder name="agentless-log-feilds">
+  <parent>agentless</parent>
+  <prematch offset="after_parent">^fields=[</prematch>
+  <regex offset="after_parent">^fields=[([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^;]*)] (\S+)</regex>
+  <order>id,srcip, dstip, srcport, dstport, protocol, action, status, extra_data</order>
+</decoder>
+
+<decoder name="agentless-log-id">
+  <parent>agentless</parent>
+  <prematch offset="after_parent">^alert=\d+</prematch>
+  <regex offset="after_parent">^alert=(\d+) (\.*)</regex>
+  <order>id, extra_data</order>
+</decoder>
+  
+  
+
+<!--
+   - Allowed fields:
+   - location - where the log came from (only on FTS)
+   - srcuser  - extracts the source username
+   - dstuser  - extracts the destination (target) username
+   - user     - an alias to dstuser (only one of the two can be used)
+   - srcip    - source ip
+   - dstip    - dst ip
+   - srcport  - source port
+   - dstport  - destination port
+   - protocol - protocol
+   - id       - event id 
+   - url      - url of the event
+   - action   - event action (deny, drop, accept, etc)
+   - status   - event status (success, failure, etc)
+   - extra_data     - Any extra data
+  -->
 
 <!-- Zeus decoder.
   - Will extract the severity and the srcip/username when available.
   - Examples:
   - [08/Aug/2006:22:32:12 +0100] WARN:admin:Authentication failure, url=/index.cgi, host=xx.yy.com, user=admin
   - [10/Dec/2006:16:59:26 +0000] INFO:Zeus Admin Server running
   -->
 <decoder name="zeus">
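Review bot: The header comment added above the new agentless decoders is left unfinished — `- Will ` trails off — and, unlike the neighbouring decoders (the SSH block earlier in this file lists sample log lines), it gives no example of the `agentless: Log:` message the three decoders parse. I would complete it along the lines of `- Will extract the alert id, the optional fields=[...] tuple and the free text from agentless script output.` followed by a sample line such as `agentless: Log: alert=11 Policy violation port 23 (telnet) is open on host 10.0.0.5` (presumably what agentlessd emits for the `LOG: alert=11 ...` lines printed by src/agentlessd/scripts/nmap_policy), and a sentence stating that the nine `fields=[...]`/trailing captures map positionally onto the `<order>` list. The child decoder name `agentless-log-feilds` is misspelled; decoder names become the `decoded_as` key in rule files, so it is worth renaming to `agentless-log-fields` before anything references it.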
diff -r 55072a52aaa4 -r 673c04be67e9 etc/rules/agentless_rules.xml
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/etc/rules/agentless_rules.xml	Fri Nov 06 19:53:36 2009 +0000
@@ -0,0 +1,100 @@
+<!-- @(#) $Id: $
+  -  Example of local rules for OSSEC.
+  -
+  -  Copyright (C) 2009 Trend Micro Inc.
+  -  All rights reserved.
+  -
+  -  This program is a free software; you can redistribute it
+  -  and/or modify it under the terms of the GNU General Public
+  -  License (version 3) as published by the FSF - Free Software
+  -  Foundation.
+  -
+  -  License details: http://www.ossec.net/en/licensing.html
+  -->
+
+
+<!-- Modify it at your will. -->
+
+<group name="agentless,">
+  <rule id="10000" level="0">
+    <decoded_as>agentless</decoded_as> 
+    <description>Agentless Logged Messages.</description>
+  </rule>
+  <rule id="10001" level="1">
+    <if_sid>10000</if_sid>
+    <id>1</id>
+    <description>Agentless: None</description>
+  </rule>
+  <rule id="10002" level="2">
+    <if_sid>10000</if_sid>
+    <id>1</id>
+    <description>Agentless: System low priority notification</description>
+  </rule>
+  <rule id="10003" level="3">
+    <if_sid>10000</if_sid>
+    <id>3</id>
+    <description>Agentless: Successful/Authorized events</description>
+  </rule>
+  <rule id="10004" level="4">
+    <if_sid>10000</if_sid>
+    <id>4</id>
+    <description>Agentless: System low priority error</description>
+  </rule>
+  <rule id="10005" level="5">
+    <if_sid>10000</if_sid>
+    <id>5</id>
+    <description>Agentless: User generated error</description>
+  </rule>
+  <rule id="10006" level="6">
+    <if_sid>10000</if_sid>
+    <id>6</id>
+    <description>Agentless: Low relevance attack</description>
+  </rule>
+  <rule id="10007" level="7">
+    <if_sid>10000</if_sid>
+    <id>7</id>
+    <description>Agentless: "Bad word" matching. They include words like "bad", "error", etc.</description>
+  </rule>
+  <rule id="10008" level="8">
+    <if_sid>10000</if_sid>
+    <id>8</id>
+    <description>Agentless: First time seen - Include first time seen events.</description>
+  </rule>
+  <rule id="10009" level="9">
+    <if_sid>10000</if_sid>
+    <id>9</id>
+    <description>Agentless: Error from invalid source</description>
+  </rule>
+  <rule id="10010" level="10">
+    <if_sid>10000</if_sid>
+    <id>10</id>
+    <description>Agentless: Multiple user generated errors</description>
+  </rule>
+  <rule id="10011" level="11">
+    <if_sid>10000</if_sid>
+    <id>11</id>
+    <description>Agentless: Integrity checking warning</description>
+  </rule>
+  <rule id="10012" level="12">
+    <if_sid>10000</if_sid>
+    <id>12</id>
+    <description>Agentless: High importancy event</description>
+  </rule>
+  <rule id="10013" level="13">
+    <if_sid>10000</if_sid>
+    <id>13</id>
+    <description>Agentless: Unusual error (high importance)</description>
+  </rule>
+  <rule id="10014" level="14">
+    <if_sid>10000</if_sid>
+    <id>14</id>
+    <description>Agentless: High importance security event</description>
+  </rule>
+  <rule id="10015" level="15">
+    <if_sid>10000</if_sid>
+    <id>15</id>
+    <description>Agentless: Severe attack</description>
+  </rule>
+</group> <!-- AGENTLESS -->
+
+<!-- EOF -->
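Review bot: Rules 10001 and 10002 both carry `<id>1</id>`, so an agentless message with `alert=2` matches neither child and only ever surfaces through the level-0 catch-all 10000, while `alert=1` has two candidate rules at different levels; rule 10002 should read `<id>2</id>`. The file header still says `Example of local rules for OSSEC.`, which looks copied from the local-rules template and would be clearer as `Rules for messages logged by agentless scripts (agentless: Log: alert=N ...).` The descriptions mirror the generic OSSEC level table rather than anything the scripts report, so a one-line comment above the group such as `<!-- The level is chosen by the script author via alert=N; rule 10000+N re-emits it at that level -->` would tell a maintainer why fifteen near-identical rules exist.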
diff -r 55072a52aaa4 -r 673c04be67e9 etc/rules/ossec_rules.xml
--- a/etc/rules/ossec_rules.xml	Wed Nov 04 20:51:36 2009 -0500
+++ b/etc/rules/ossec_rules.xml	Fri Nov 06 19:53:36 2009 +0000
@@ -153,16 +153,23 @@
 
   <rule id="555" level="7">
     <if_sid>500</if_sid>
     <match>^ossec: agentless: </match>
     <description>Integrity checksum for agentless device changed.</description>
     <group>syscheck,agentless</group>
   </rule>
 
+  <rule id="556" level="0">
+    <if_sid>500</if_sid>
+    <match>^agentless: Log:</match>
+    <description>Agentless log event.</description>
+    <group>agentless</group>
+  </rule>
+
   <!-- Hostinfo rules -->  
   <rule id="580" level="8">
     <category>ossec</category>
     <decoded_as>hostinfo_modified</decoded_as>
     <description>Host information changed.</description>
     <group>hostinfo,</group>
   </rule>
   
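Review bot: Rule 556 overlaps with the new top-level rule 10000 in agentless_rules.xml: both are level 0 and both are meant to catch `agentless: Log:` messages, one through `<if_sid>500</if_sid>` plus `<match>`, the other through `<decoded_as>agentless</decoded_as>`. Which of the two the engine settles on determines whether the `alert=N` children (10001–10015) are ever evaluated, so this is worth checking with a sample message and stating the intent in a comment, e.g. `<!-- Level-0 catch-all for agentless script output; per-alert levels are assigned in agentless_rules.xml -->`. Note also that this match is case-sensitive (`^agentless: Log:`) whereas the decoder prematch `^\.gentless: Log:` accepts any leading character if `\.` is OSSEC's any-character escape — if agentlessd ever emits `Agentless:`, the decoder fires but this rule does not.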
diff -r 55072a52aaa4 -r 673c04be67e9 etc/templates/config/rules.template
--- a/etc/templates/config/rules.template	Wed Nov 04 20:51:36 2009 -0500
+++ b/etc/templates/config/rules.template	Fri Nov 06 19:53:36 2009 +0000
@@ -44,11 +44,12 @@
     <include>trend-osce_rules.xml</include>
     <!-- <include>policy_rules.xml</include> -->
     <include>zeus_rules.xml</include>
     <include>solaris_bsm_rules.xml</include>
     <include>vmware_rules.xml</include>
     <include>ms_dhcp_rules.xml</include>
     <include>asterisk_rules.xml</include>
     <include>ossec_rules.xml</include>
+    <include>agentless_rules.xml</include>
     <include>attack_rules.xml</include>
     <include>local_rules.xml</include>
   </rules>  
diff -r 55072a52aaa4 -r 673c04be67e9 src/agentlessd/scripts/nmap_policy
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/src/agentlessd/scripts/nmap_policy	Fri Nov 06 19:53:36 2009 +0000
@@ -0,0 +1,59 @@
+#!/usr/bin/env python
+
+from subprocess import Popen, PIPE, STDOUT
+from xml.etree.ElementTree import parse, tostring, fromstring
+from optparse import OptionParser
+import sys
+    
+def main():
+    usage = "usage: %prog [options] [Networks to Scan]"
+    parser = OptionParser(usage=usage)
+    parser.add_option('-b', '--badports', dest="badports", default="23,107,21", help="List of ports to scan for that are not allowed in policy Format is the same as nmap [U:53,111,137,T:21-25,80,139,8080]")
+    parser.add_option("-n", '--network', dest="network", help="Networking to scan for policy violations.  Format is the same as nmap [10.0.0.0/24]")
+    parser.add_option("-d", '--debug', dest='debug', action="store_true", help="Enable debuging")
+    (options, args) = parser.parse_args()
+    if options.badports:
+        badPorts = options.badports
+    else: 
+        badPorts = "T:23,107,21"
+    if options.network: 
+        cmd = "nmap -p %s -oX - %s"%(badPorts, options.network)
+    elif args: 
+        cmd = "nmap -p %s -oX - %s"%(badPorts, " ".join(args))
+    else:
+        parser.error("Networks to scan is required.")
+    print "INFO: Starting"
+    print "INFO: running `%s` command"%(cmd)
+    p = Popen(cmd, shell=True, stdin=PIPE, stdout=PIPE, stderr=STDOUT, close_fds=True)
+    data = p.stdout.read()
+    if options.debug:
+        print data
+    print "INFO: completed `%s` command"%(cmd)
+    root = fromstring(data)
+    for aHost in root.findall("./host"):
+        for i in aHost.findall("./address"):
+            if "addrtype" in i.keys() and i.get("addrtype") == 'ipv4':
+                ipad = i.get("addr", None)
+            if "addrtype" in i.keys() and i.get("addrtype") == 'mac':
+                macad = i.get("addr", None)
+                macvendor = i.get("vendor", None)
+            else: 
+                macad = ""
+                macvendor = ""
+        
+        listofbad = {}
+        for i in aHost.findall("./ports/port"):
+            if i.find("./state") != None and i.find("./state").get("state") == "open":
+                if 'portid' in i.keys():
+                    if i.find("./service") != None:
+                        listofbad[i.get("portid")] = i.find("./service").get("name", None)
+                    else:
+                        listofbad[i.get("portid")] = "Unknown"
+                
+        for i in listofbad:
+            print "LOG: alert=11 Policy violation port %s (%s) is open on host %s (%s %s)"%(i,listofbad[i], ipad, macad, macvendor)
+    print "INFO: Ending"
+   
+if __name__ == '__main__':
+    main()
+ 
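Review bot: The nmap invocation at `Popen(cmd, shell=True, ...)` is built by interpolating `--badports`, `--network` and the positional targets into a shell string, so any metacharacter in those values (a `;` or `$(...)` in the port list or target) runs as a command; even if agentlessd only ever passes operator-configured values, an argv list with the default `shell=False` removes the risk at no cost. Two related problems sit in the same lines: `stderr=STDOUT` merges nmap warnings into the data handed to `fromstring`, which will raise a parse error on otherwise good output, and the exit status is never checked, so a failed scan ends in a traceback from the XML parser rather than a clear message. Separately, `ipad` is only assigned when an `ipv4` address element is present, so the `LOG:` line raises NameError for hosts with no IPv4 address; initialising `ipad = macad = macvendor = ""` before the address loop fixes that. The `else` branch setting `badPorts = "T:23,107,21"` is unreachable because the option already has a default.
```python
    badPorts = options.badports
    if options.network:
        targets = [options.network]
    elif args:
        targets = args
    else:
        parser.error("Networks to scan is required.")
    # argv list, no shell: option values cannot inject commands
    cmd = ["nmap", "-p", badPorts, "-oX", "-"] + targets
    print "INFO: Starting"
    print "INFO: running `%s` command" % (" ".join(cmd))
    p = Popen(cmd, stdout=PIPE, stderr=PIPE, close_fds=True)
    data, err = p.communicate()
    if p.returncode != 0:
        print "ERROR: nmap exited with status %d: %s" % (p.returncode, err.strip())
        sys.exit(1)
    # … unchanged: debug print and XML parsing of the nmap output …
```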
