On Tuesday, September 23, 2014 2:19:16 PM UTC-4, Michael Starks wrote:
> On 2014-09-23 13:05, Eric Johnfelt wrote:
>
> couldn't stand to let it be. I had to update the broken one with a more
> complicated broken one. :)

Ahahaha... that sounds familiar... :)

> I think people assumed it worked, but when I looked at it, I realized
> that it never could have.

No doubt, but I always assume first that I'm the one who messed up. I've found that it's more productive, less embarrassing and, on the upside, you benefit from a more intimate understanding of what you are working on. So, technically, it's still helpful. I am going through the Mac OS X active-response now and I already have a headache... but at least the process is no longer a mystery.

> It should, but I think it is better to expect malicious input (or at
> least malformed), especially since the OSSEC service runs as SYSTEM. My
> opinion is that all AR scripts should stand alone and fail safely even
> in undefined threat scenarios.

I figured as much and I agree.

> Every time I write something in batch I inevitably say to myself "It
> hurts!" and "Why, why why?!" Look at the updated script and the hoop I
> had to jump through just to grab the OSSECPATH from the registry. Ugh.

Yep... common experiences, I feel your pain.

> I guess the biggest thing to consider with Windows is that there are
> multiple versions and they may not all have things like PowerShell. I
> think that's why the script was originally written in batch--to serve
> the lowest common denominator. Maybe the solution is to use a batch
> wrapper that calls PowerShell or something else if it can find it, then
> falls back to the hackish methods used currently.

Well, that was the gist of my question: is there an accepted "how far back" that the community feels support is needed? Aside from features introduced over time, VBScript goes back to Win9x/Win2K (WinNT4.0 with Option Pack). So there is potential there, depending on what level of legacy support people want. (Although admittedly... the older an install is... the more likely it needs an OSSEC agent with active-response anyway :} ). I don't wish to harp on Windows though...

Mostly, my needs at the moment require protecting our researchers' equipment, and those tend to be mostly *nix with a smattering of Windows and Mac OS. But I also have staff equipment that, arguably, greatly outnumbers the research machines, and they are Win/Mac. Which brings me to another question... what is the largest number of managed agents you've heard of anyone using? Or, more to the point, how scalable is OSSEC?

- Eric
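The two ideas raised above, that an AR script should fail safely on malformed input because it runs as SYSTEM, and that a batch wrapper could call PowerShell when it is present and fall back otherwise, combine into one short wrapper. The script below is an added example written for this thread; it is not an OSSEC project script and not code posted by either participant. It assumes the agent calls the script as `action user ip` (action being `add` or `delete`), and the names `block-ip.ps1` and `legacy-block.cmd` are hypothetical placeholders for the PowerShell handler and the existing batch method.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion

rem ar-wrapper.cmd -- added example, not an OSSEC project script.
rem Assumed active-response convention (not confirmed by the thread):
rem   %1 = action (add|delete)   %2 = user (unused here)   %3 = source IP
rem block-ip.ps1 and legacy-block.cmd are hypothetical placeholder names.
set "ACTION=%~1"
set "SRCIP=%~3"
set "LOG=%~dp0ar-wrapper.log"
set "PSEXE=%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe"
set "PSSCRIPT=%~dp0block-ip.ps1"
set "LEGACY=%~dp0legacy-block.cmd"

rem --- 1. Fail safe on the action: only the two documented values pass. ---
if /I not "!ACTION!"=="add" if /I not "!ACTION!"=="delete" (
    >>"%LOG%" echo !DATE! !TIME! reject: unknown action
    exit /b 1
)

rem --- 2. Fail safe on the address: four dotted decimal groups, nothing else. ---
rem The value is written to a file through delayed expansion and checked with
rem a redirect rather than a pipe. A pipe hands the text to a child cmd.exe
rem that re-parses it, so metacharacters in a hostile value could run as
rem commands; redirection plus !SRCIP! never re-parses the value.
set "TMPF=%~dp0ar-wrapper-!RANDOM!.tmp"
>"!TMPF!" echo(!SRCIP!
findstr /R /C:"^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$" <"!TMPF!" >nul
set "RC=!ERRORLEVEL!"
del "!TMPF!" >nul 2>&1
if not "!RC!"=="0" (
    >>"%LOG%" echo !DATE! !TIME! reject: malformed address
    exit /b 1
)

rem --- 3. Dispatch: PowerShell where the host has it, legacy batch otherwise. ---
rem The fixed install path is tested instead of "where", which older releases lack.
if exist "%PSEXE%" if exist "%PSSCRIPT%" (
    "%PSEXE%" -NoProfile -NonInteractive -File "%PSSCRIPT%" -Action "!ACTION!" -Ip "!SRCIP!"
    set "RC=!ERRORLEVEL!"
    >>"%LOG%" echo !DATE! !TIME! powershell !ACTION! !SRCIP! rc=!RC!
    exit /b !RC!
)

rem Fallback: only the two validated values are forwarded; the unused user
rem argument is deliberately dropped so nothing unchecked reaches the old script.
call "%LEGACY%" "!ACTION!" "!SRCIP!"
set "RC=!ERRORLEVEL!"
>>"%LOG%" echo !DATE! !TIME! legacy !ACTION! !SRCIP! rc=!RC!
exit /b !RC!
```

The `findstr` pattern is a shape check only (it accepts `999.999.999.999`), which is enough to keep shell metacharacters out of the downstream commands; the PowerShell handler can finish the job with `[System.Net.IPAddress]::TryParse`. Every rejection is logged and exits non-zero without touching routes or firewall rules, which is the "fail safely in undefined threat scenarios" behaviour the thread asks for.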
