[ossec-dev] Re: Understanding EventInfo datastructure
- To: ossec-dev@xxxxxxxxxxxxxxxx
- Subject: [ossec-dev] Re: Understanding EventInfo datastructure
- From: "Daniel Cid" <dcid@xxxxxxxxx>
- Date: Sat, 28 Jul 2007 00:20:22 -0300
Hi Sebastien,
As always, inline...
On 7/26/07, Sebastien Tricaud <sebastien.tricaud@xxxxxxxxx> wrote:
>
> I am willing to do it; before doing it I should finish with 1.2 and then
> move on.
That's good. We are releasing version 1.3 very soon (sometime next week, I
hope), but it should be easy to merge...
>
> However, sometimes you can get the source user, which means there is a
> need for srcuser and dstuser. In that case user means dst, which will
> confuse anyone reading the data structure unless you know it ;-) Are you
> ok to get patches for this?
I am always ok for patches :) I also don't like this usage of user/dstuser,
but I don't like srcuser/dstuser either... Basically, the way I like to
think is user X on device Z, user A on device B, etc. The problem with
dstuser started with sudo/su, where you can have user X becoming Y on
device Z.... Anyway, I am open to suggestions and patches to make it more
clear.
>
> Good! It is fixed now, right? In 1.3 only? Why not release a last 1.2
> with prelude support and this fixed?
The port information on sshd? Nope :) We are currently in "locked" mode
while we prepare for version 1.3 (going to beta 2). So the prelude support
will not be included in version 1.3 either (unless you can finish it in a
few hours :)).
However, since we have very frequent releases, we can do a 1.4 very soon
with prelude support and a few more things. What do you say?
> I know, however I am talking about the protocol. Because it is sshd, the
> protocol used can only be ssh, right? Then we can add this information
> in the protocol section.
True, that should be easy to do :) Btw, on prelude do you guys track
application protocols, like httpd, sshd, or in your protocol fields do you
only use tcp/udp/icmp/etc?
> Yes it helped, thank you very much for your effort in this project, which
> also considers the Windows platform and gives a good tool for anyone
> running a regular computer ;)
>
> Sebastien.
Thanks :) Hope it helped.
Daniel B. Cid
dcid ( at ) ossec.net
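As an added illustration of the user/dstuser naming problem discussed in this thread (example code written for this page, not OSSEC's own EventInfo code): the su/sudo case of user X becoming Y on device Z, carried as three explicit fields and filled from two constructed syslog lines. The struct, function names and the exact log formats are assumptions.

```c
#include <string.h>
/* Added illustration, not OSSEC's own EventInfo: the "user X became Y on
 * device Z" triple from the thread kept as three explicit fields. */
struct user_event { char hostname[64], srcuser[64], dstuser[64]; };

/* Constructed sample lines (assumed format, no pid suffix after the program name). */
static const char *SAMPLE_SU =
    "Jul 28 00:20:22 web01 su: pam_unix(su:session): session opened for user root by alice(uid=1000)";
static const char *SAMPLE_SUDO =
    "Jul 28 00:21:10 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd";
/* Copy s into dst (capacity n) up to the first character found in delims. */
static void copy_until(char *dst, size_t n, const char *s, const char *delims) {
    size_t len = strcspn(s, delims);
    if (len >= n) len = n - 1;
    memcpy(dst, s, len);
    dst[len] = '\0';
}

/* Parse an su (pam_unix) or sudo syslog line: srcuser initiated the switch,
 * dstuser was obtained. Returns 0 on success, -1 if neither shape matches. */
int parse_user_switch(const char *line, struct user_event *ev) {
    const char *p = line, *q;
    memset(ev, 0, sizeof *ev);
    for (int i = 0; i < 3; i++) {               /* skip "Mon DD HH:MM:SS" */
        if ((p = strchr(p, ' ')) == NULL) return -1;
        while (*p == ' ') p++;                  /* tolerate "Jul  8" padding */
    }
    copy_until(ev->hostname, sizeof ev->hostname, p, " ");
    if ((p = strstr(line, " su: ")) != NULL) {  /* "... for user root by alice(uid=1000)" */
        if ((p = strstr(p, "for user ")) == NULL) return -1;
        copy_until(ev->dstuser, sizeof ev->dstuser, p + 9, " ");
        if ((q = strstr(p, " by ")) == NULL) return -1;
        copy_until(ev->srcuser, sizeof ev->srcuser, q + 4, "( ");
        return 0;
    }
    if ((p = strstr(line, " sudo: ")) != NULL) { /* "... sudo:  alice : ... ; USER=root ; ..." */
        for (p += 7; *p == ' '; p++) ;
        copy_until(ev->srcuser, sizeof ev->srcuser, p, " ");
        if ((q = strstr(p, "USER=")) == NULL) return -1;
        copy_until(ev->dstuser, sizeof ev->dstuser, q + 5, " ;");
        return 0;
    }
    return -1;
}
/* Does line parse to the expected (srcuser, dstuser, hostname) triple? */
int switch_matches(const char *line, const char *src, const char *dst, const char *host) {
    struct user_event ev;
    return parse_user_switch(line, &ev) == 0 && strcmp(ev.srcuser, src) == 0 &&
           strcmp(ev.dstuser, dst) == 0 && strcmp(ev.hostname, host) == 0;
}
```

A rule matching on srcuser != dstuser with dstuser == "root" then reads the same whichever of su or sudo produced the event, which is the clarity the field naming is meant to buy.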
OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.