On Tue, 23 Sep 2014, Eric Johnfelt wrote:
> - The regular expression for validating IPs is wrong. Findstr's RegExp
> facility is well... just terrible, so [0-9]*\.[0-9]*\.[0-9]*\.[0-9]* is the
> best you can do, but it's not 100% correct for validating IP addresses
> either, but it works for the complete subset of valid addresses.
I ended up just tossing the regex since it's useless for IPv6 addresses.
I wish Windows had a built-in shell util for validating any IP address.
> - The method used to choose the null-route is a bit flawed. It doesn't take
> into account any combination of multiple IPs or network interfaces, which
> is common for people using any kind of virtualization (VirtualBox, VMware,
> Virtual PC) or servers with multiple IPs or NICs. Technically, it will
> still work, it is just... not fundamentally correct and your mileage may
> vary.
> Lastly, testing the active-response does not seem to work... at least for
> me... I'm still working on that... however I can say the following for
> certain. First, when I issue a test, I see the packet received via
> Wireshark; the agent just doesn't seem to respond. However, when a real
> active-response comes in from the manager, the route-null.cmd script
> executed; with the fixes mentioned above, the script does work.
I wonder if this is something specific to Windows 2012 as I've got it
working for Windows 7. I haven't gotten around to testing with 2012
yet.
> I see a few people have replaced the script completely; I am considering
> that myself using PowerShell or VBScript (both of which have a *much*
> better regex facility for validating strings (and IP addresses)) as well as
> giving me APIs (particularly WMI) to determine the best IP to null route on
> from the available interfaces and local addresses, or just use the internal
> firewall to block via NETSH or the ActiveX control for the firewall
> facility.
Rather than trying to choose the interface IP I found it simpler to just
set the gateway to either 0.0.0.0 or :: whichever applies.
> Anyhow, the point is, you can fix the bundled script or replace it;
> replacing will give you access to better AND more functionality, IMHO.
> Either way, fixed or replaced, when it works... it's a beautiful thing.
Indeed.
Antonio Querubin
e-mail: [email protected]
xmpp: [email protected]
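A PowerShell replacement along the lines the thread discusses, added here as an example; it is not OSSEC's bundled route-null.cmd and not code from either poster. It validates the address with the .NET IPAddress parser instead of findstr's regex (so IPv6 works), and blocks through the Windows firewall with netsh rather than a null route, so no interface or local IP has to be picked. It assumes the stock active-response calling convention (action, user, source IP as the first three arguments); the script name, rule-name prefix and sample addresses are the example's own.

```powershell
# route-null.ps1 -- added example, not OSSEC's route-null.cmd.
# Assumption (stock active-response convention, not stated in the thread):
#   <script> <add|delete> <user> <srcip> ...
# Usage as OSSEC would invoke it ('-' in the user field), with example addresses:
#   powershell.exe -ExecutionPolicy Bypass -File route-null.ps1 add    - 203.0.113.5
#   powershell.exe -ExecutionPolicy Bypass -File route-null.ps1 delete - 2001:db8::1
param(
    [Parameter(Mandatory = $true)][ValidateSet('add', 'delete')][string]$Action,
    [string]$User,
    [Parameter(Mandatory = $true)][string]$SrcIp
)

# Validate with the .NET parser; returns a [System.Net.IPAddress] or $null.
# IPAddress.TryParse is permissive (it takes shorthand such as "10.1.5", which
# parses as 10.1.0.5, and leading-zero octets), so for IPv4 the canonical form
# must round-trip exactly, and IPv6 is limited to hex, ':' and '.' so that
# "%zone" and "[addr]:port" forms are refused.
function Test-IpAddress {
    param([string]$Text)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$addr)) { return $null }
    switch ($addr.AddressFamily) {
        'InterNetwork'   { if ($addr.ToString() -ne $Text)          { return $null } }
        'InterNetworkV6' { if ($Text -notmatch '^[0-9A-Fa-f:.]+$')  { return $null } }
        default          { return $null }
    }
    # Never block loopback or the unspecified address; that would cut the host off.
    if ([System.Net.IPAddress]::IsLoopback($addr) -or
        $addr.Equals([System.Net.IPAddress]::Any) -or
        $addr.Equals([System.Net.IPAddress]::IPv6Any)) { return $null }
    return $addr
}

# Block both directions with the Windows firewall (the NETSH option raised in
# the thread). No interface choice is needed, IPv4 and IPv6 are handled the
# same way, and 'delete' removes the rules by name. Must run elevated, as the
# OSSEC agent service does. Returns netsh's exit code.
function Set-OssecBlock {
    param([System.Net.IPAddress]$Addr, [string]$Action)
    $ip   = $Addr.ToString()
    $name = "ossec-block-$ip"    # rule-name prefix is this example's choice
    if ($Action -eq 'add') {
        foreach ($dir in 'in', 'out') {
            & netsh advfirewall firewall add rule name="$name" dir=$dir action=block remoteip="$ip" | Out-Null
            if ($LASTEXITCODE -ne 0) { return $LASTEXITCODE }
        }
        return 0
    }
    & netsh advfirewall firewall delete rule name="$name" | Out-Null
    return $LASTEXITCODE
}

$addr = Test-IpAddress $SrcIp
if ($null -eq $addr) {
    Write-Error "route-null.ps1: refusing to act on invalid address '$SrcIp'"
    exit 1
}
exit (Set-OssecBlock -Addr $addr -Action $Action)
```

The firewall route sidesteps the interface-selection problem entirely: a null route has to name a local address or gateway, which is exactly what goes wrong on multi-homed and virtualized hosts, whereas a `remoteip` block rule applies to every interface.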