On 2014-09-23 13:05, Eric Johnfelt wrote:

Don't take my comments as disparaging. Given our networking team
refuses to do *any* active-response from the core down to the edge
devices... even though we have all the tools for it and no policy or
funding from senior leadership, OSSEC really has been a blessing and
also fills some other gaps neatly; I am looking forward to greatly
building out our fledgling install. Right now I am proofing it out and
the active response has been very encouraging.

I know what you mean and I am happy to have constructive feedback. I knew that the update to this script was less than ideal, but I just couldn't stand to let it be. I had to update the broken one with a more complicated broken one. :)

I entered the fray from 2.8 only about a month ago and have little to
no knowledge of historically significant milestones in OSSEC's
development aside from it switching ownership a couple of times and a
number of people on the SANS advisory board having recommended it. I
assumed the route-null.cmd batch worked at some point and maybe fell
by the wayside during continued development, but I guess not. :(

I think people assumed it worked, but when I looked at it, I realized that it never could have.

Although, I am curious, going back to the Regex issue... I'm all for
bounds checking, but is there some other engineering reason why it was
included? I mean, technically, can't the script expect the manager to
send the correct parameters?

It should, but I think it is better to expect malicious input (or at least malformed), especially since the OSSEC service runs as SYSTEM. My opinion is that all AR scripts should stand alone and fail safely even in undefined threat scenarios.

I agree, NT-based command scripts can be a challenge, I've seen some
smart people do some really crazy-neat things with them, but it always
seems the code is necessarily overburdened with coding tricks to get
anything done (i.e. few approaches seem to be simple and clean).

Every time I write something in batch I inevitably say to myself "It hurts!" and "Why, why why?!" Look at the updated script and the hoop I had to jump through just to grab the OSSECPATH from the registry. Ugh.

I have been mulling over getting more involved, if you have any advice
in this regard over what's on the website, I'd like to hear it. I am
already mulling over some local customization that might hopefully be
useful to people with similar setups and constraints.

I guess the biggest thing to consider with Windows is that there are multiple versions and they may not all have things like PowerShell. I think that's why the script was originally written in batch--to serve the lowest common denominator. Maybe the solution is to use a batch wrapper that calls PowerShell or something else if it can find it, then falls back to the hackish methods used currently.
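As an added illustration that is not part of this thread and not OSSEC's own route-null.cmd, here is a batch skeleton that puts the three points above together: it bounds-checks what the manager sends and does nothing on anything unexpected (the "fail safely" point), it reads the install directory from the registry with the for /f hoop (the OSSECPATH point), and it looks for PowerShell and falls back to plain cmd tools when it is missing (the wrapper point). Everything specific is an assumption: the %1/%2/%3 calling convention, the registry key and value name (placeholders), the log file path, and the choice of a Windows Firewall rule (netsh advfirewall, present from Vista on) instead of a null route as the blocking action, because its add/delete shape is the same and its syntax is the same on every supported version. The validator goes a little beyond a plain regex: it rebuilds the address from the checked octets and acts only on that canonical value, never on the raw argument.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion
rem Added example, not OSSEC's route-null.cmd. Fail-safe active-response skeleton:
rem validate what the manager sent, refuse anything unexpected, prefer PowerShell
rem when it exists and keep a plain-cmd fallback.
rem Assumed calling convention (assumption): %1 = action add/delete, %2 = user,
rem %3 = source IP. The arguments are copied into variables once and afterwards
rem only referenced as !VAR!, because delayed expansion is not re-parsed for the
rem ampersand, pipe and redirection characters. A literal quote in an argument
rem can still break the two set lines below; plain batch has no clean answer to it.
set "ACTION=%~1"
set "RAWIP=%~3"

rem Registry lookup of the install directory. Key and value name are placeholders.
rem reg query prints "    Name    REG_SZ    value", so token 2 is the type and the
rem remainder is the path, spaces included. 2^>nul hides "key not found".
set "OSSECPATH="
for /f "tokens=2,*" %%A in ('reg query "HKLM\SOFTWARE\PLACEHOLDER_OSSEC_KEY" /v Install_Dir 2^>nul ^| findstr /i "REG_SZ"') do set "OSSECPATH=%%B"
if not defined OSSECPATH set "OSSECPATH=%ProgramFiles%\ossec-agent"
set "LOG=%OSSECPATH%\active-response\active-responses.log"

rem 1. Unknown action: refuse rather than guess.
if /i not "!ACTION!"=="add" if /i not "!ACTION!"=="delete" goto :BADARGS

rem 2. Bounds-check the IP without findstr: split on "." into up to five tokens,
rem    require exactly four, each 1-3 characters, all digits and no larger than 255.
set "O1=" & set "O2=" & set "O3=" & set "O4=" & set "O5="
for /f "tokens=1-5 delims=." %%a in ("!RAWIP!") do (
    set "O1=%%a" & set "O2=%%b" & set "O3=%%c" & set "O4=%%d" & set "O5=%%e"
)
if not defined O4 goto :BADARGS
if defined O5 goto :BADARGS
for %%n in (1 2 3 4) do (
    if not "!O%%n:~3!"=="" goto :BADARGS
    set "T=!O%%n!"
    for %%d in (0 1 2 3 4 5 6 7 8 9) do if defined T set "T=!T:%%d=!"
    if defined T goto :BADARGS
    if !O%%n! gtr 255 goto :BADARGS
)
rem Act only on the rebuilt, canonical value, never on the raw argument,
rem and never touch the local host or the unspecified address.
set "IP=!O1!.!O2!.!O3!.!O4!"
if "!IP!"=="127.0.0.1" goto :BADARGS
if "!IP!"=="0.0.0.0" goto :BADARGS

rem 3. Prefer PowerShell when it is on the PATH and has the firewall cmdlets
rem    (Windows 8 / Server 2012 and later). %~$PATH:p expands to the full path
rem    of the file or to nothing. Otherwise netsh does the same job.
set "PS="
for %%p in (powershell.exe) do set "PS=%%~$PATH:p"
if defined PS "!PS!" -NoProfile -NonInteractive -Command "exit [int](-not (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue))" || set "PS="
set "RULE=ossec-ar-block-!IP!"
if /i "!ACTION!"=="add" (
    if defined PS (
        "!PS!" -NoProfile -NonInteractive -Command "New-NetFirewallRule -DisplayName '!RULE!' -Direction Inbound -Action Block -RemoteAddress '!IP!' | Out-Null"
    ) else (
        netsh advfirewall firewall add rule name="!RULE!" dir=in action=block remoteip=!IP! >nul
    )
) else (
    if defined PS (
        "!PS!" -NoProfile -NonInteractive -Command "Remove-NetFirewallRule -DisplayName '!RULE!'"
    ) else (
        netsh advfirewall firewall delete rule name="!RULE!" >nul
    )
)
>>"%LOG%" echo %date% %time% %~n0: !ACTION! !IP! powershell=!PS! rc=!errorlevel!
endlocal
exit /b 0

:BADARGS
rem Delayed expansion keeps a hostile argument from being re-parsed even here.
>>"%LOG%" echo %date% %time% %~n0: refused malformed arguments action="!ACTION!" ip="!RAWIP!"
endlocal
exit /b 1
```

The script is meant to be dropped in as an active-response command and called by the agent with the usual add/delete arguments. The design choice worth copying is the order of operations: every check happens before the first external command runs, a failed check writes one log line and exits non-zero without doing anything, and the value that reaches netsh or PowerShell is the one the script built from validated pieces, so the script's behaviour is the same whether the manager sent a well-formed address or garbage.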
