- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Select (or exclude) AUDIT entries by IP Addres...
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-09-2012 08:44 AM
05-09-2012 08:44 AM
Select (or exclude) AUDIT entries by IP Address?
I use VMS's auditing facility to log breakin attempts. However, our network scanner triggers false positives. How can I use the ANA/AUDIT command to exclude the IP address of the network scanner from its output? I perused the criteria available for the IGNORE qualifier, and none of them seem to be the IP address of the remote host. Searching the output for the IP address is not really feasible, as I'm currently only able to handle BRIEF output and it doesn't include the IP address either.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-09-2012 12:01 PM
05-09-2012 12:01 PM
Re: Select (or exclude) AUDIT entries by IP Address?
It depends exactly what your TCPIP stack passes to the auditing system. On mine it logs the 32-bit big-endian IP address as the DECNET id, and /ignore=remote=id=3483948345 works fine.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-09-2012 02:36 PM
05-09-2012 02:36 PM
Re: Select (or exclude) AUDIT entries by IP Address?
That would be handy... but I use HP TCPIP, so I'll bet it's not supported!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-09-2012 03:00 PM
05-09-2012 03:00 PM
Re: Select (or exclude) AUDIT entries by IP Address?
Although ANALYZE is DECnet oriented, you should find most of the network fields populated with something sensible in an IP environment.
/IGNORE and /SELECT for ANALYZE/AUDIT or ACCOUNTING can be useful if you can find the right combination, but that's not always easy. I find it's sometimes easier to use brute force. use /FULL/OUTPUT=file to convert into text, then a short DCL or Perl script to extract or exclude the stuff you want.
Before going down that path, start with a /FULL listing of the smallest subset that you've been able to find. You may find there are things you can key on. For example, Here's a sample breakin audit
Security alarm (SECURITY) and security audit (SECURITY) on NODEA, system id: 3176 Auditable event: Network breakin detection Event time: 16-FEB-2012 10:50:36.86 PID: 21427D7D Process name: TCPIP$FTPC00036 Username: SYSTEM Password: <invalid> Remote node id: 2130706433 Remote node fullname: LOCALHOST Remote username: FTP_7F000001 Status: %LOGIN-F-INVPWD, invalid password
As Richard suggested, the "Remote node id" is a decimal encoded IP address. Check for a pattern in your records. Also look at things like Status, remote username.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-10-2012 07:42 AM
05-10-2012 07:42 AM
Re: Select (or exclude) AUDIT entries by IP Address?
In the version of TCPIP we have, you can actually see the TCP/IP address in the /FULL output; that's not the problem. The problem is that I have a DCL that runs every two minutes, dumping the last two minutes of the audit logs using BRIEF, and BRIEF doesn't contain the IP address. I have to use BRIEF because I have to send the dump to a logging device via the syslog service, and it is impossible to send the output from an entire FULL entry in one message so that all that data is kept together in one entry. If I was able to exclude any incidents involving the IP address of the scanner, they wouldn't get to the logger in the first place, it wouldn't see the "breakin", and it wouldn't page me at 5:30 AM for no reason.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-10-2012 08:02 AM
05-10-2012 08:02 AM
Re: Select (or exclude) AUDIT entries by IP Address?
It sounds like the real problem is that your "network scanner" is trying to "breakin" to your system. Why is your "network scanner" trying to "breakin"? Why not fix your "network scanner" so that it can login successfully?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-10-2012 09:45 AM
05-10-2012 09:45 AM
Re: Select (or exclude) AUDIT entries by IP Address?
Dan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-10-2012 11:06 AM
05-10-2012 11:06 AM
Re: Select (or exclude) AUDIT entries by IP Address?
The point of a network scanner is to find vulnerabilities. I'm not sure why or how I would let it log in. It's basically a script kiddie you run on yourself.
I can't "preprocess" the output from /FULL because the ANALYZE/AUDIT command does not maintain context. There's no way I can reread the last entry. I'm going to have to ask HP how to do this.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-10-2012 12:10 PM
05-10-2012 12:10 PM
Re: Select (or exclude) AUDIT entries by IP Address?
Since you are runing a DCL procedure to generate the /BRIEF listing. Modify the procedure to send the output from the /FULL to a file and process that file. Send the "processed" info to the syslog application. Delete the file or re-use it later.
Dan
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
05-10-2012 02:01 PM
05-10-2012 02:01 PM
Re: Select (or exclude) AUDIT entries by IP Address?
Ah, so what you really want is something to send audit information to Syslog? Rather than using ANALYZE/AUDIT to scrape the journal, what about using an AUDIT Listener to catch the messages as they occur and reformat them into something suitable for Syslog. You can then filter them any way you want.
See the Guide to OpenVMS System Security for details of audit listeners. It's entirely possible that such a beast already exists. Try Google.
Looking back at your current approach
> ANALYZE/AUDIT command does not maintain context
True, but you can maintain context of the last time you dumped records and use that with /SINCE to extract just the new stuff.
>it wouldn't page me at 5:30 AM for no reason.
All that said, I wouldn't have thought a breakin attempt on an OpenVMS system was worth paging. Sure you want to know about it, but it's not something that needs immediate attention. More than likely it's a legitimate user with fat fingers or a memory lapse. Even if it is a real attack, the chances of anyone actually getting in after the system has decided it's a breakin attempt are vanishingly small. Crank up LGI_HID_TIM to make them even smaller.