List: ossec-dev
Subject: [ossec-dev] Re: src/dst user patch
From: Sebastien Tricaud <sebastien.tricaud () wengo ! com>
Date: 2007-08-12 14:17:04
Message-ID: 46BF1660.9050105 () wengo ! com
Daniel Cid wrote:
> Hi Sebastien,
>
Hello Daniel,
> Sorry for taking so long to reply, I was quite busy with the release of 1.3.
>
I understand! Moreover, I was on holiday. By the way, congratulations
on 1.3!
> Anyway, your patch worked fine and it clarifies the internal structures of
> ossec a bit, but I am afraid that it can make it more confusing for the users
> writing rules and using ossec (who are used to the user field). It will
> also break backwards compatibility with previous versions...
>
That's right. But since it provides clarification, I think this change
is worth doing.
Why not go into a 2.0 release with all the stuff you would like to see
merged but which breaks backward compatibility?
If this is the path taken, it would be good to consider IDMEF [1] and
add elements to the data structure that could complete the IDMEF message.
This would bring OSSEC to a standardized IDS regarding IDMEF (and ease
my work with prelude ;)).
> I am still struggling with whether this is the best option for both the code standpoint
> and for the final user.
>
> Does anyone have other suggestions? If you didn't follow this thread, currently we
> have "user" and "dstuser" on ossec. User is used all the time and "dstuser"
> is only used with sudo and su. The proposed patch changes user to be "srcuser"
> (internally) and on the rules/decoders, user becomes dstuser (as in target
> user).
>
Why not write scripts which perform the backward compatibility?
> *btw, how is the prelude work going? Did you ask me for CVS access? I thought
> so, but I can't recall.. If yes, let me know and I will create an
> account for you.
>
The work is done on 1.2. I asked for CVS access just to port the patch
to the state-of-the-art sources; a guest account is enough for what I
need to do.
Thanks,
Sebastien.
[1] http://tools.ietf.org/rfc/rfc4765.txt