RE: BSM Audit Records

From: Small, Jim (jim.small_at_eds.com)
Date: 05/20/03

  • Next message: Small, Jim: "RE: BSM Audit Records"
    To: focus-sun@securityfocus.com
    Date: Tue, 20 May 2003 15:34:03 -0400
    
    

    Darren,

    I know about the docs.sun.com reference. Specifically, just like you said,
    it covers the terminal ID:
    For device numbers:
    32-bit applications: 4-byte device number, 4-bytes unused
    64-bit applications: 8-byte device number, 4-bytes unused

    For port numbers in the Solaris 7 release or earlier releases:
    32-bit applications: 4-byte port number, 4-byte IP address
    64-bit applications: 8-byte port number, 4-byte IP address

    For port numbers in the Solaris 8 or 9 releases:
    32-bit with IPV4: 4-byte port number, 4-byte IP type, 4-byte IP address
    32-bit with IPV6: 4-byte port number, 4-byte IP type, 16-byte IP address
    64-bit with IPV4: 8-byte port number, 4-byte IP type, 4-byte IP address
    64-bit with IPV6: 8-byte port number, 4-byte IP type, 16-byte IP address

    This doesn't completely clear things up for me though. Perhaps an example
    would be better. If I am parsing login/logout (lo) records in my "short"
    form, I might see something like this (truncated for clarity):
    +ftp access for root from 8197 21 host1.dom1.com on Wed 07 May 2003...
    +login - local for root from 0 0 192.168.128.95 on Mon 12 May 2003...
    +login - telnet for root from 419 23 192.168.145.35 on Mon 12 May 2003...
    +login - ssh for root from 0 1447 host1.dom1.com on Tue 20 May 2003...

    Here we have 4 types of access:
    ftp, dtlogin, telnet, and ssh (All on Solaris 9 12/02)

    If I do a file on ftp, dtlogin, telnet, and ssh, I can determine that they
    are all 32-bit apps:
    ELF 32-bit MSB executable SPARC Version 1, dynamically linked, [not]
    stripped

    Therefore, all of these except for dtlogin should be giving me a 4-byte port
    number, and 4-byte IP type, and a 4-byte IP address.

    The 4-byte IP is obvious.
    I don't know what the 4-byte IP type is.
    I'm not sure what the 4-byte port number is. Is this 2 bytes for the local
    port and 2 bytes for the remote port? How does praudit interpret this?

    Now dtlogin, since you are logging in via the console, I'm not sure what you
    should expect and you get 0 0.

    For the other 3, I connected to the Solaris 9 box and using netstat detected
    the ports on the local and remote end.
    For ftp, 8197 21, I'm not sure how to parse this. Is 21 the local port? If
    so, then what's 8197? It does not correspond with the remote port. I tried
    converting the numbers to hex and then adding/removing digits to see if some
    combination would yield the remote port number, but no dice.

    For telnet, 419 23, it's the same story. 23 could be the local port, but
    what is 419? Also, this is not consistent with the documentation, which
    states a 4-byte port number, especially given the ssh case below.

    For ssh, 0 1447, 1447 is the remote port, and 22 is the local. This seems
    to contradict the logic displayed by telnet and ftp earlier. So I don't
    know how I should interpret the port numbers.

    Is there more documentation somewhere or an example program? Is this just a
    problem with using praudit?

    Any advice or pointers would be greatly appreciated.

    Heck Darren, I'm in the Detroit Area Sun Technologies User Group, let me
    know who maintains BSM/auditd and maybe my local Sun friends can get them to
    speak at our group!

    Thanks,
       <> Jim
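As an added example (not code from the post, from Sun, or from praudit), the following Python decodes a raw terminal ID according to the three layouts the post quotes from docs.sun.com: the pre-Solaris 8 layout (port number followed directly by a 4-byte IPv4 address) and the Solaris 8/9 layouts (port number, 4-byte IP type, then a 4- or 16-byte address), with the 32-bit and 64-bit port-field widths. The constants AU_IPV4 = 4 and AU_IPV6 = 16 are an assumption that the IP-type field carries the address length; the sample byte strings are constructed, not captured from an audit trail. The port_halves helper only exposes the two 16-bit halves of the 4-byte field for inspection, because whether those halves mean anything is exactly the question the post leaves open.

```python
"""Decode BSM terminal-ID layouts as described in Sun's audit docs (added example)."""
import ipaddress
import struct
from dataclasses import dataclass

# Assumed: the IP-type field holds the address length (Solaris audit.h style).
AU_IPV4 = 4
AU_IPV6 = 16


@dataclass
class TerminalId:
    port: int      # raw "port number" field, 4 bytes (32-bit) or 8 bytes (64-bit)
    ip_type: int   # 4 (IPv4) or 16 (IPv6); implied for the Solaris 7 layout
    address: str   # dotted-quad or IPv6 text form


def port_halves(port):
    """Return the high and low 16-bit halves of the low 32 bits of the port field.

    This does not decide whether the halves are local/remote ports; it only
    lets a reader compare them against netstat output, as the post attempts."""
    return (port >> 16) & 0xFFFF, port & 0xFFFF


def parse_terminal_id(buf, offset=0, is_64bit=False, solaris7=False):
    """Decode one terminal ID at buf[offset] and return (TerminalId, next_offset).

    is_64bit selects the 8-byte port field used by 64-bit applications;
    solaris7 selects the pre-Solaris 8 layout with no IP-type field and a
    fixed 4-byte IPv4 address. Fields are big-endian, as in BSM trails."""
    port_fmt = ">Q" if is_64bit else ">I"
    port = struct.unpack_from(port_fmt, buf, offset)[0]
    pos = offset + struct.calcsize(port_fmt)

    if solaris7:
        ip_type = AU_IPV4
    else:
        ip_type = struct.unpack_from(">I", buf, pos)[0]
        pos += 4

    if ip_type == AU_IPV4:
        addr_len = 4
    elif ip_type == AU_IPV6:
        addr_len = 16
    else:
        raise ValueError(f"unknown IP type {ip_type} before offset {pos}")

    raw = bytes(buf[pos:pos + addr_len])
    if len(raw) != addr_len:
        raise ValueError("terminal ID truncated inside the address field")
    address = str(ipaddress.ip_address(raw))  # picks v4/v6 by length
    return TerminalId(port, ip_type, address), pos + addr_len


# Constructed sample terminal IDs (not from a real audit trail):
SAMPLE_32_IPV4 = (struct.pack(">II", 1447, AU_IPV4)
                  + ipaddress.IPv4Address("192.168.145.35").packed)
SAMPLE_64_IPV6 = (struct.pack(">QI", 22, AU_IPV6)
                  + ipaddress.IPv6Address("2001:db8::23").packed)
SAMPLE_SOL7 = struct.pack(">I", 21) + ipaddress.IPv4Address("192.168.128.95").packed


def decode_samples():
    """Decode all three constructed samples; returns a list of TerminalId."""
    return [
        parse_terminal_id(SAMPLE_32_IPV4)[0],
        parse_terminal_id(SAMPLE_64_IPV6, is_64bit=True)[0],
        parse_terminal_id(SAMPLE_SOL7, solaris7=True)[0],
    ]


if __name__ == "__main__":
    for tid in decode_samples():
        hi, lo = port_halves(tid.port)
        print(f"port={tid.port} (halves {hi} {lo}) type={tid.ip_type} addr={tid.address}")
```

To use this against a real trail you would first walk the token stream to the subject token and pass the offset of its terminal-ID field; the parser then tells you how many bytes it consumed so the caller can continue with the next token.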


