 
Re: [ISSForum] FlexCheck development

From: Woah Down (woahdown@yahoo.com)
Date: Tue Jul 05 2005 - 14:22:30 CDT


Zsolt,
 
The session log file is available for FlexChecks, but what is shown here appears to be limited to what the sensor portion of Internet Scanner is standardly coded to provide in the logs. Those lines you refer to are for the most part dictated by the FlexCheck engine in the sensor, reporting that to the Controller in a fashion such as this:
 
2005-07-05 13:44:28.281 Start FlexCheck engine scanning target='x.x.x.x'
# 2005-07-05 13:44:28.296 FlexCheck 'ICQ Server Check' run on x.x.x.x
x.x.x.x: Vulnerable to the 'ICQ Server Check' FlexCheck
FlexCheck Engine executed 1 FlexChecks on x.x.x.x in 47 milliseconds, status 0x0
 
If that is what you are looking for, the FlexCheck engine can accomplish this based on the found vuln condition. I do not see anything that plainly states in the logs the not vuln condition, and based on the logs, it seems the lack of the vulnerable statement suggests the not vuln condition.
 
Example:
 
2005-07-05 15:09:34.671 Start FlexCheck engine scanning target='x.x.x.x'
# 2005-07-05 15:09:34.687 FlexCheck 'ICQ Check Fail' run on x.x.x.x
The 'ICQ Check Fail' FlexCheck failed on host x.x.x.x
 
# 2005-07-05 15:09:34.687 FlexCheck 'ICQ Check Positive' run on x.x.x.x.
x.x.x.x: Vulnerable to the 'ICQ Check Positive' FlexCheck

# 2005-07-05 15:09:34.703 FlexCheck 'ICQ Check Negative' run on x.x.x.x
The 'ICQ Check Negative' FlexCheck finished on host x.x.x.x with code 0x0

FlexCheck Engine executed 3 FlexChecks on x.x.x.x in 15 milliseconds, status 0x0
 
*******************
 
Turning up tracing all the way up to 1000 in the Sensor Properties for the FlexCheck engine will get you the maximum from the FlexCheck log file (located in the scanner_1\flexcheck directory) for the scans the custom checks are run against. This will provide a lot of internal data of how Internet Scanner is running the custom check, but it likely will not provide what I *believe* you are looking for, which is an "all in one" method to tell, as your check was run, what was vulnerable and more importantly what was found not to be vulnerable.
 
Based on "CustomTest.exe" usage, it appears that the sensor is capable of reporting multiple states in the logs, but the custom check will have to be written in such a way to make use of this capability. It also appears that, as is the case with other checks, the not vuln condition is implied by the lack of the vuln condition. I do not believe that the output detail you are looking for, as is the case with a lot of internally shipped ISS checks, will become evident in the session logs outside of what is populated in the "Info" section in the check creation window.
 

"Sztano, Zsolt (GE Consumer Finance)" <zsolt.sztano@ge.com> wrote:
Hi,

I am wondering if logging to the Internet Scanner's session logfile (by
default under directory: c:\program
files\iss\isssensors\scanner_1\logs\) is available from a custom flexcheck.
I found that only the result and scanning time are being put to the
logfile, but while it can only parse 3 states of result (vulnerable, not
vulnerable, error), it is quite a small set of information provided after
the scanning.
If you have any solutions, workarounds or ideas for detailed logging of
the flexcheck, please do not hesitate to share them with me. Since I am
scanning quite a number of assets (~4000, ~20000 IPs) weekly, I would
like neither to put the scanning logs into separate files by IP (separate
files for each scanning thread) nor into the Windows registry.

Thanks,
Zsolt

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

                
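The session-log excerpts quoted in the reply have enough structure to recover all three states Zsolt asks about after the scan: a "run on" line for every check that executed, a "Vulnerable" line only when the check hit, a "failed on host" line on error, and an engine summary line with the executed count and status. The parser below is an added example, not code from the thread or from ISS; it treats "not vulnerable" as the absence of a Vulnerable line for a check that was run, exactly as the reply observes, and adds the check a practitioner would want before trusting an implied negative: that the log is complete (a summary line exists and its count matches the "run on" lines). The sample log is constructed from the quoted format with a documentation-range address in place of x.x.x.x, and the mapping of a nonzero "finished ... with code" value to the error state is an assumption.

```python
import re

# Constructed sample in the session-log format quoted in the thread. 192.0.2.10
# (RFC 5737 documentation range) stands in for the x.x.x.x of the original; the
# trailing '.' after the host on the 'ICQ Check Positive' line mirrors the quoted log.
SAMPLE_LOG = """\
2005-07-05 15:09:34.671 Start FlexCheck engine scanning target='192.0.2.10'
# 2005-07-05 15:09:34.687 FlexCheck 'ICQ Check Fail' run on 192.0.2.10
The 'ICQ Check Fail' FlexCheck failed on host 192.0.2.10

# 2005-07-05 15:09:34.687 FlexCheck 'ICQ Check Positive' run on 192.0.2.10.
192.0.2.10: Vulnerable to the 'ICQ Check Positive' FlexCheck

# 2005-07-05 15:09:34.703 FlexCheck 'ICQ Check Negative' run on 192.0.2.10
The 'ICQ Check Negative' FlexCheck finished on host 192.0.2.10 with code 0x0

FlexCheck Engine executed 3 FlexChecks on 192.0.2.10 in 15 milliseconds, status 0x0
"""

# Constructed: the same log cut off before the engine summary line, to show why an
# implied 'not vulnerable' must not be trusted without the completeness check.
TRUNCATED_LOG = "\n".join(SAMPLE_LOG.splitlines()[:-1])

HOST = r"(?P<host>\d+(?:\.\d+){3})"
RUN_RE = re.compile(r"^#\s+\S+ \S+ FlexCheck '(?P<check>[^']+)' run on " + HOST + r"\.?$")
VULN_RE = re.compile(r"^" + HOST + r": Vulnerable to the '(?P<check>[^']+)' FlexCheck$")
FAIL_RE = re.compile(r"^The '(?P<check>[^']+)' FlexCheck failed on host " + HOST + r"$")
DONE_RE = re.compile(r"^The '(?P<check>[^']+)' FlexCheck finished on host " + HOST
                     + r" with code (?P<code>0x[0-9A-Fa-f]+)$")
SUMMARY_RE = re.compile(r"^FlexCheck Engine executed (?P<n>\d+) FlexChecks on " + HOST
                        + r" in \d+ milliseconds, status (?P<status>0x[0-9A-Fa-f]+)$")


def parse_flexcheck_log(text):
    """Return (results, summaries).

    results:   {host: {check: 'vulnerable' | 'not vulnerable' | 'error'}}
    summaries: {host: (checks_executed, engine_status)}

    Every 'run on' line seeds its check as 'not vulnerable'; only an explicit
    Vulnerable line promotes it, which makes the absence-implied state explicit.
    """
    results, summaries = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            results.setdefault(m.group("host"), {})[m.group("check")] = "not vulnerable"
            continue
        m = VULN_RE.match(line)
        if m:
            results.setdefault(m.group("host"), {})[m.group("check")] = "vulnerable"
            continue
        m = FAIL_RE.match(line)
        if m:
            results.setdefault(m.group("host"), {})[m.group("check")] = "error"
            continue
        m = DONE_RE.match(line)
        if m:
            checks = results.setdefault(m.group("host"), {})
            checks.setdefault(m.group("check"), "not vulnerable")
            # Assumption: a nonzero completion code means the check did not run cleanly.
            if m.group("code") != "0x0":
                checks[m.group("check")] = "error"
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summaries[m.group("host")] = (int(m.group("n")), m.group("status"))
    return results, summaries


def check_consistency(results, summaries):
    """Flag hosts whose implied 'not vulnerable' results cannot be trusted: the engine
    summary line is missing or reports a nonzero status, or its executed count
    disagrees with the number of 'run on' lines seen for that host."""
    problems = []
    for host, checks in results.items():
        if host not in summaries:
            problems.append(f"{host}: no engine summary line (log truncated or scan aborted)")
            continue
        n, status = summaries[host]
        if n != len(checks):
            problems.append(f"{host}: engine reports {n} FlexChecks, log shows {len(checks)}")
        if status != "0x0":
            problems.append(f"{host}: engine status {status}")
    return problems


if __name__ == "__main__":
    res, summ = parse_flexcheck_log(SAMPLE_LOG)
    for host, checks in res.items():
        for check, state in checks.items():
            print(f"{host}\t{check}\t{state}")
    print("problems:", check_consistency(res, summ))
    print("truncated log problems:", check_consistency(*parse_flexcheck_log(TRUNCATED_LOG)))
```

Run against a real session log directory, this gives a per-host, per-check table in one pass without per-IP files or registry writes; the consistency check is what separates a genuine "not vulnerable" from a check that never finished.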