[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ossec-dev
Subject:    [ossec-dev] Re: src/dst user patch
From:       Sebastien Tricaud <sebastien.tricaud () wengo ! com>
Date:       2007-08-12 14:17:04
Message-ID: 46BF1660.9050105 () wengo ! com


Daniel Cid wrote:
> Hi Sebastien,
>   
Hello Daniel,

> Sorry for taking so long to reply, I was quite busy with the release of 1.3.
>   

I understand! Moreover, I was on holiday. By the way, congratulations
on 1.3!

> Anyway, your patch worked fine and it clarifies the internal structures of
> ossec a bit, but I am afraid that it can make it more confusing for the users
> writing rules and using ossec (who were used to the user field). It will
> also break backwards compatibility with previous versions...
>   

That's right. But since it provides clarification, I think this change
is worth doing.

Why not go into the 2.0 release with all the stuff you would like to see
merged but that breaks backward compatibility?

If this path is taken, it would be good to consider IDMEF [1] and
add elements to the data structure that could complete the IDMEF message.
This would make OSSEC a standardized IDS with regard to IDMEF (and ease
my work with prelude ;)).

> I am still struggling with whether this is the best option, both from the code standpoint
> and for the final user.
>
> Does anyone have other suggestions? If you didn't follow this thread, currently we
> have "user" and "dstuser" on ossec. User is used all the time and "dstuser"
> is only used with sudo and su. The proposed patch changes user to be "srcuser"
> (internally) and on the rules/decoders, user becomes dstuser (as in target
> user).
>   

Why not write scripts that perform the backward compatibility?

> *btw, how is the prelude work going? Did you ask me for cvs access? I thought
> so, but I can't recall.. If yes, let me know and I will create an
> account for you.
>   

The work is done on 1.2. I asked for CVS access just to port the patch
to the state-of-the-art sources; a guest account is enough for what I
need to do.



Thanks,
Sebastien.


[1] http://tools.ietf.org/rfc/rfc4765.txt
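
As an added illustration of the "backward compatibility script" idea raised in this message (example code, not part of the thread and not OSSEC's own tooling): the script below rewrites OSSEC decoder and rule files for the field rename under discussion. It assumes decoders name their captured fields in a comma-separated `<order>` element and rules match the user field with a `<user>` element; the default mapping `user -> srcuser` with `dstuser` left untouched is an assumed reading of the patch, and the caller can pass a different mapping. The rule-tag rename is done in a single pass so that a mapping which swaps two names does not rename the same element twice, and a decoder whose `<order>` ends up listing the same field twice is reported rather than silently written out. The sample decoder and rule are constructed for the example.

```python
"""Rename OSSEC decoder/rule field names for a user -> srcuser migration.

Added example; not code from the OSSEC project or the thread participants.
Assumptions (not confirmed by the thread):
  * decoders list captured fields as <order>a,b,c</order>
  * rules match the user field with <user>regex</user>
  * the rename is user -> srcuser, dstuser unchanged (DEFAULT_MAP)
OSSEC rule files have no single XML root, so plain regexes are used
instead of an XML parser.
"""
import re
from typing import Dict, List, Tuple

# Assumed reading of the proposed patch; pass another mapping to override.
DEFAULT_MAP: Dict[str, str] = {"user": "srcuser"}

ORDER_RE = re.compile(r"(<order>)(.*?)(</order>)", re.S)


def rename_order(text: str, mapping: Dict[str, str] = DEFAULT_MAP) -> Tuple[str, List[str]]:
    """Rename fields inside every <order> list; report duplicate fields."""
    warnings: List[str] = []

    def sub(m: "re.Match[str]") -> str:
        fields = [f.strip() for f in m.group(2).split(",")]
        renamed = [mapping.get(f, f) for f in fields]
        if len(set(renamed)) != len(renamed):
            warnings.append("duplicate field after rename: " + ",".join(renamed))
        return m.group(1) + ",".join(renamed) + m.group(3)

    return ORDER_RE.sub(sub, text), warnings


def rename_rule_tags(text: str, mapping: Dict[str, str] = DEFAULT_MAP) -> str:
    """Rename <old>...</old> rule elements in one pass (swap-safe)."""
    names = "|".join(re.escape(k) for k in mapping)
    pat = re.compile(rf"<({names})>(.*?)</\1>", re.S)
    return pat.sub(
        lambda m: f"<{mapping[m.group(1)]}>{m.group(2)}</{mapping[m.group(1)]}>",
        text,
    )


def migrate(text: str, mapping: Dict[str, str] = DEFAULT_MAP) -> Tuple[str, List[str]]:
    """Apply both renames; returns (new_text, warnings)."""
    text, warnings = rename_order(text, mapping)
    return rename_rule_tags(text, mapping), warnings


# Constructed sample: a sudo decoder and a local rule using the old names.
SAMPLE = r"""<decoder name="sudo">
  <program_name>^sudo</program_name>
  <prematch>^\s+\S+\s+:</prematch>
</decoder>

<decoder name="sudo-fields">
  <parent>sudo</parent>
  <regex offset="after_parent">^\s*(\S+)\s*: TTY=\S+ ; PWD=\S+ ; USER=(\S+) ; </regex>
  <order>user,dstuser</order>
</decoder>

<group name="local,sudo,">
  <rule id="100100" level="3">
    <user>^root$</user>
    <dstuser>^root$</dstuser>
    <description>root used sudo.</description>
  </rule>
</group>
"""

if __name__ == "__main__":
    new_text, warns = migrate(SAMPLE)
    print(new_text)
    for w in warns:
        print("WARNING:", w)
```

Run it on a copy of `etc/decoder.xml` and the rule files, diff the result against the originals, and treat any reported duplicate `<order>` field as a decoder that needs a manual decision rather than a mechanical rename.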


