Table of Contents




5. Development of Detectors and Handlers

      5.1 Detector Development

      5.2 Handler Development

      5.3 Agent Level API

      5.4 Current Detector Overview




5.1 Detector Development


The javadoc documentation for the network monitoring environment can be found here.


There are three main types of detectors: regular expression based, filter based, and history based. Examples of regular expression based detectors include the SyslogEventDetector and the SnortEventDetector. These detectors use a regular expression to match parts of a log file and fill in the fields of an event. A filter based detector simply filters events based on some characteristic. An example of a filter based detector is the FileSBitChangedEventDetector. This detector is triggered by FileChangedEvents: if the file has changed and the change involves an sbit change, a FileSBitChangedEvent is produced. A history based detector looks at previous information available in the database. An example of a history based detector is the FileChangedEventDetector. This detector compares the file's signature (which is stored in the signature database) to a new signature; if the file has changed, a FileChangedEvent is produced.
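The three detector kinds above, as an added example that is not code from the monitoring environment itself. The Event and Detector base classes, the event fields, the regex and the in-memory signature map are all assumptions made for this example; the framework's EventDetector base class and its real event types are not reproduced. The history detector and the filter detector are chained in main to show how a signature change that adds the setuid bit flows through to a FileSBitChangedEvent.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Minimal event/detector model assumed for this example (not the framework's own classes).
abstract class Event { }

abstract class Detector {
    // Consume one input event and return the events produced (possibly none).
    abstract List<Event> handle(Event in);
}

// 1. Regular expression based: one raw syslog line becomes one SyslogEvent.
class RawLogLine extends Event {
    final String line;
    RawLogLine(String line) { this.line = line; }
}

class SyslogEvent extends Event {
    final String host, program, message;
    SyslogEvent(String host, String program, String message) {
        this.host = host; this.program = program; this.message = message;
    }
}

class RegexSyslogDetector extends Detector {
    // "Mon DD HH:MM:SS host program[pid]: message" (the [pid] part is optional)
    private static final Pattern SYSLOG = Pattern.compile(
        "^\\w{3}\\s+\\d{1,2} \\d{2}:\\d{2}:\\d{2} (\\S+) ([^\\[\\s:]+)(?:\\[\\d+\\])?: (.*)$");

    List<Event> handle(Event in) {
        List<Event> out = new ArrayList<>();
        if (in instanceof RawLogLine) {
            Matcher m = SYSLOG.matcher(((RawLogLine) in).line);
            if (m.matches()) out.add(new SyslogEvent(m.group(1), m.group(2), m.group(3)));
        }
        return out;  // lines that do not match the pattern produce nothing
    }
}

// 2. History based: a fresh signature is compared with the one stored for the file.
class Signature {
    final int mode; final String digest;  // digest = hex hash of the content (constructed)
    Signature(int mode, String digest) { this.mode = mode; this.digest = digest; }
}

class NewSignatureEvent extends Event {
    final String path; final Signature sig;
    NewSignatureEvent(String path, Signature sig) { this.path = path; this.sig = sig; }
}

class FileChangedEvent extends Event {
    final String path; final Signature before, after;
    FileChangedEvent(String path, Signature before, Signature after) {
        this.path = path; this.before = before; this.after = after;
    }
}

class HistorySignatureDetector extends Detector {
    private final Map<String, Signature> signatureDb;  // stands in for the signature database
    HistorySignatureDetector(Map<String, Signature> db) { this.signatureDb = db; }

    List<Event> handle(Event in) {
        List<Event> out = new ArrayList<>();
        if (in instanceof NewSignatureEvent) {
            NewSignatureEvent ns = (NewSignatureEvent) in;
            Signature stored = signatureDb.get(ns.path);
            if (stored != null && (stored.mode != ns.sig.mode || !stored.digest.equals(ns.sig.digest)))
                out.add(new FileChangedEvent(ns.path, stored, ns.sig));
        }
        return out;
    }
}

// 3. Filter based: pass a FileChangedEvent on only when the setuid/setgid bits changed.
class FileSBitChangedEvent extends Event {
    final String path;
    FileSBitChangedEvent(String path) { this.path = path; }
}

class SBitFilterDetector extends Detector {
    private static final int SBITS = 04000 | 02000;  // setuid | setgid

    List<Event> handle(Event in) {
        List<Event> out = new ArrayList<>();
        if (in instanceof FileChangedEvent) {
            FileChangedEvent fc = (FileChangedEvent) in;
            if ((fc.before.mode & SBITS) != (fc.after.mode & SBITS))
                out.add(new FileSBitChangedEvent(fc.path));
        }
        return out;
    }
}

public class DetectorKinds {
    public static void main(String[] args) {
        // Constructed sample input: one syslog line, then a re-signed file that gained setuid.
        for (Event e : new RegexSyslogDetector().handle(new RawLogLine(
                "Mar  3 12:00:01 host1 sshd[123]: Accepted password for alice from 10.0.0.5")))
            System.out.println("syslog: " + ((SyslogEvent) e).program + " -> " + ((SyslogEvent) e).message);

        Map<String, Signature> db = new HashMap<>();
        db.put("/usr/bin/example", new Signature(0755, "ab12"));
        Detector history = new HistorySignatureDetector(db);
        Detector filter = new SBitFilterDetector();
        for (Event changed : history.handle(new NewSignatureEvent("/usr/bin/example", new Signature(04755, "ab12"))))
            for (Event sbit : filter.handle(changed))
                System.out.println("sbit changed: " + ((FileSBitChangedEvent) sbit).path);
    }
}
```

Each detector returns a list rather than a single event so that "no event" and "several events" are both expressed without null checks; the filter detector never creates information, it only decides whether an upstream event is worth forwarding.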


The events generated by the detectors should be loggable into the database. To log them into the database, use the DatabaseEventHandler.

The events should implement the following methods if you wish to log data other than the data logged by the Event class.

public String getColumnNames()

This method should return a String that contains the database column name declarations.


public String getFieldNames()

This method should return a String that contains just the field names (not the whole declaration like getColumnNames()).


public String getFieldValues()

This method should return a String that contains just the field values that will be logged to the database. They should be separated by commas.
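The three logging methods above implemented by an event with extra fields, as an added example that is not the environment's own code. The base Event class shown here (and the two columns it contributes), the FtpLoginEvent fields, and the way the DatabaseLogger assembles CREATE TABLE and INSERT statements are assumptions; the real DatabaseEventHandler is not reproduced. Because getFieldValues() returns values already formatted for the statement, any value that originated in a log line (user names, host names) is quoted and has embedded single quotes doubled, otherwise a crafted log entry could break the statement the handler builds.

```java
// Assumed stand-in for the framework's Event base class: it contributes the columns
// every event logs. The real Event class's columns are not shown on this page.
abstract class Event {
    final String detectorName;
    final long timestamp;
    Event(String detectorName, long timestamp) { this.detectorName = detectorName; this.timestamp = timestamp; }

    // Column declarations, as used in a CREATE TABLE statement.
    public String getColumnNames() { return "detector VARCHAR(64), event_time BIGINT"; }
    // Just the field names, as used in the INSERT column list.
    public String getFieldNames()  { return "detector, event_time"; }
    // Just the values, comma separated, as used in the INSERT value list.
    public String getFieldValues() { return sqlString(detectorName) + ", " + timestamp; }

    // Values taken from log lines are under outside influence: quote them and double
    // any embedded single quote so the comma-separated list stays a well-formed value list.
    static String sqlString(String s) { return "'" + s.replace("'", "''") + "'"; }
}

// An event that logs two fields beyond those of the base class (constructed for this example).
class FtpLoginEvent extends Event {
    final String user, srcHost;
    FtpLoginEvent(long timestamp, String user, String srcHost) {
        super("FtpEventDetector", timestamp);
        this.user = user;
        this.srcHost = srcHost;
    }
    @Override public String getColumnNames() {
        return super.getColumnNames() + ", ftp_user VARCHAR(64), src_host VARCHAR(255)";
    }
    @Override public String getFieldNames() {
        return super.getFieldNames() + ", ftp_user, src_host";
    }
    @Override public String getFieldValues() {
        return super.getFieldValues() + ", " + sqlString(user) + ", " + sqlString(srcHost);
    }
}

// Assumed shape of how a database handler combines the three methods into statements.
public class DatabaseLogger {
    static String createTable(String table, Event e) {
        return "CREATE TABLE " + table + " (" + e.getColumnNames() + ")";
    }
    static String insert(String table, Event e) {
        return "INSERT INTO " + table + " (" + e.getFieldNames() + ") VALUES (" + e.getFieldValues() + ")";
    }
    public static void main(String[] args) {
        // Constructed sample: a user name from a log line that happens to contain a quote.
        Event e = new FtpLoginEvent(1700000000L, "o'brien", "10.0.0.5");
        System.out.println(createTable("FtpLoginEvent", e));
        System.out.println(insert("FtpLoginEvent", e));
    }
}
```

Keeping getFieldNames() and getFieldValues() in the same order, and extending both through super calls, is what keeps the column list and the value list aligned when a subclass adds fields.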


To make your detectors modifiable, the three methods with the prototypes listed here must be created.

public static String[] getParamList()

getParamList should return an array of strings. Each string will be the description of what the user should enter as the parameter to pass to the detector.

public static Object[] translateParameters(String[] inputarray) throws Exception

translateParameters takes the user input parameters as an array of strings. It should convert these to the types that will be needed by the detector.


public synchronized void modifyDetector (Object[] object) throws Exception

modifyDetector takes in the array of objects that translateParameters returns. It should do the actual modification to the detector.
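The three-method modification protocol carried through on one detector, as an added example rather than code from the environment. The class stands alone because the EventDetector base class is not shown on this page; the parameter names, the failure-counting logic and the sample values in main are assumptions. The threshold logic is modelled on the "N failed logins within M minutes" detectors described in the detector overview, so the example also serves those entries.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Hypothetical modifiable detector: alerts when maxFailures failed logins fall inside windowMillis.
public class LoginFailureThresholdDetector {
    private int maxFailures = 5;                  // defaults: five failures ...
    private long windowMillis = 5L * 60 * 1000;   // ... within five minutes
    private final Deque<Long> failureTimes = new ArrayDeque<>();

    // One description per parameter, in the order translateParameters expects them.
    public static String[] getParamList() {
        return new String[] {
            "Number of failed logins that triggers an event (positive integer)",
            "Length of the time window in minutes (positive integer)"
        };
    }

    // Convert the user's strings into the typed values modifyDetector needs.
    // Rejecting bad input here means a half-applied change never reaches the detector.
    public static Object[] translateParameters(String[] inputarray) throws Exception {
        if (inputarray == null || inputarray.length != 2)
            throw new Exception("expected 2 parameters, got " + (inputarray == null ? 0 : inputarray.length));
        int failures = Integer.parseInt(inputarray[0].trim());  // NumberFormatException propagates
        int minutes  = Integer.parseInt(inputarray[1].trim());
        if (failures <= 0 || minutes <= 0)
            throw new Exception("both parameters must be positive");
        return new Object[] { Integer.valueOf(failures), Long.valueOf(minutes * 60L * 1000) };
    }

    // Apply the translated values. synchronized so a change cannot interleave with recordFailure.
    public synchronized void modifyDetector(Object[] object) throws Exception {
        if (object == null || object.length != 2
                || !(object[0] instanceof Integer) || !(object[1] instanceof Long))
            throw new Exception("modifyDetector expects [Integer maxFailures, Long windowMillis]");
        maxFailures = (Integer) object[0];
        windowMillis = (Long) object[1];
        failureTimes.clear();  // history counted under the old window is discarded
    }

    // Record one failed login at the given time and report whether the threshold
    // is reached inside the window, i.e. whether the detector would generate its event.
    public synchronized boolean recordFailure(long timestampMillis) {
        failureTimes.addLast(timestampMillis);
        while (!failureTimes.isEmpty() && timestampMillis - failureTimes.peekFirst() > windowMillis)
            failureTimes.pollFirst();  // drop failures that have fallen out of the window
        return failureTimes.size() >= maxFailures;
    }

    public static void main(String[] args) throws Exception {
        LoginFailureThresholdDetector d = new LoginFailureThresholdDetector();
        // An operator tightens the detector to 3 failures in 1 minute through the protocol.
        d.modifyDetector(translateParameters(new String[] { "3", "1" }));
        long t0 = 0L;
        System.out.println(d.recordFailure(t0));            // first failure
        System.out.println(d.recordFailure(t0 + 10_000));   // second, ten seconds later
        System.out.println(d.recordFailure(t0 + 20_000));   // third inside the one-minute window
        System.out.println(d.recordFailure(t0 + 90_000));   // the earlier three have aged out
    }
}
```

translateParameters is static and does all validation, so the user-facing front end can report a bad value before anything touches the running detector; modifyDetector then only has to check that it received the types translateParameters promised.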





5.2 Handler Development


The handler's default action is to send the events generated by a detector to subscribers. The default handler being used is the network.manager.EventHandler. This handler only sends the events generated by the detector it is associated with to the subscribers. There exists another type of handler, a network.manager.DatabaseEventHandler. This handler not only sends the generated events to the subscribers, but also logs the event into the database. The event must





5.3 Agent Level API






5.4 Current Detector Overview


This section will contain a subsection for each of the detectors that can be currently used. It will include their functionality, what trigger file additions need to be made, what system requirements they have, etc.

----------------------------------------------------------------------

AbnormalRootLoginEventDetector.java

The AbnormalRootLoginEventDetector generates events when there is a root login from a host other than those listed in the file specified by ROOT_LOGIN_HOSTFILE.

----------------------------------------------------------------------

AgentAliveEventDetector.java


The AgentAliveEventDetector periodically checks the number of threads present in a process. If the number decreases, a detector is down and a recovery handler will be signaled.

----------------------------------------------------------------------

BlacklistEventDetector.java


BlacklistEventDetector is triggered by PortscanEvents. It blacklists hosts that are portscanning the network.

----------------------------------------------------------------------

CERTAdvisoryEventDetector.java


The CERTAdvisoryEventDetector connects to the CERT website. It downloads the current alerts and attempts to find port numbers that are vulnerable. If it does find them, it generates an event that contains the port number and the URL of the web page where the port number was found.

----------------------------------------------------------------------

CPUMonitorEventDetector.java


The CPUMonitorEventDetector is triggered by the CPUTimerEvent. It generates an event for each of the processes that are currently running. The event contains the relevant info that the Unix ps command would give.

----------------------------------------------------------------------

CPUTimerEventDetector.java


This detector is not triggered by any other detectors. It runs similarly to the TimerEventDetector: it sleeps for a certain amount of time then generates an event.

----------------------------------------------------------------------

CheckSignatureEventDetector.java


This detector is triggered by a NewSignatureEvent. It compares the NewSignature to the file signature present in the Signature database.

----------------------------------------------------------------------

DaemonDeletedEventDetector.java


This detector is triggered by the DeletedProcessEvent. It checks to see if the process that was deleted was a Daemon by comparing its name to a given list.

----------------------------------------------------------------------

DeletedProcessEventDetector.java


This detector is triggered by a ProcessMonitoringEvent. It keeps a record of all of the running processes and compares the currently running processes to these. If a process is removed an event will be generated.

----------------------------------------------------------------------

DiskFullEventDetector.java


The DiskFullEventDetector generates events when the disk usage exceeds the thresholds specified in the DISK_USAGE_FILE. The file has a tuple for each of the file systems where disk usage will be monitored. The first argument indicates the mount point and the second specifies the upper limit for disk usage as a percent.

----------------------------------------------------------------------

DummyEventDetector.java


This detector is triggered by a TimerEvent. It takes no action. It is a dummy detector that can be used as a template for detector development or as a generic detector (event generator) for testing.

----------------------------------------------------------------------

EventDetector.java


This is the generic detector that all other detectors derive from.

----------------------------------------------------------------------

FailureEventDetector.java


The FailureEventDetector generates events when the agent being monitored does not report its status as up in a specified time period, or if it reports the status of some of its detectors as down.

----------------------------------------------------------------------

FileAddedEventDetector.java


This detector is triggered by CheckSignatureEvents. It checks to see if the reason that the signature differs from the one in the database is because the file is new.

----------------------------------------------------------------------

FileChangedEventDetector.java


This detector is triggered by CheckSignatureEvents. It generates an event if any of the files being monitored have changed from the signature database.

----------------------------------------------------------------------

FileConsistencyEventDetector.java


This detector is triggered by TimerEvents. It hashes all the files in /usr/bin, repeating this periodically and waiting for a change. If there is a change, an event is generated.

----------------------------------------------------------------------

FileDeletedEventDetector.java


This detector is triggered by CheckSignatureEvents. It generates an event if a file being monitored has been deleted.

----------------------------------------------------------------------

FileLastChangedEventDetector.java


This detector works similarly to the FileChangedEventDetector except it uses the last signature, which may or may not be the signature present in the signature database.

----------------------------------------------------------------------

FileSBitChangedEventDetector.java


This detector is triggered by the FileLastChangedEventDetector. If the sbit differs from the one recorded in the last signature of a file being monitored, an event is generated.

----------------------------------------------------------------------

FileSystemFullEventDetector.java


This detector is triggered by the network.events.SyslogEvent. If a message is placed in the syslog file indicating a partition is full this detector will generate a FileSystemFullEvent.

----------------------------------------------------------------------

FtpEventDetector.java


This detector is triggered by network.events.SyslogEvent. It generates events if ftp logins occur.

----------------------------------------------------------------------

IPEEventDetector.java


The IPEEventDetector (IPE is the abbreviated form of Illegal Process/Program Execution) generates events when a program is running that should not be. A list of programs that should not be run can be stored in the IPE_FILE. The file can have entries indicating a list of programs that need to be checked for a particular user, a list of users for a specific program, and all users/programs.

----------------------------------------------------------------------

IllegitimateRootPresenceEventDetector.java


This detector is triggered by network.events.NewRootProcessEvent. When it is triggered it checks the output of the who -q command to see whether root is currently logged in as a user. If root is not, an IllegitimateRootPresenceEvent is generated.

----------------------------------------------------------------------

InvalidUserAlarmEventDetector.java


This detector is triggered by network.events.LoginEvent. It checks a LoginEvent to see if the initiating user's name is on the valid users list.

----------------------------------------------------------------------

LocalUserSwitchEventDetector.java


This detector is triggered by network.events.LoginEvent. The detector generates an event if a user uses ssh to switch to a different user account locally.

----------------------------------------------------------------------

LoginEventDetector.java


This detector is triggered by: network.events.XDMEvent, network.events.SshSftpEvent, network.events.TelnetEvent, network.events.RLoginEvent, network.events.RSHEvent, and network.events.FtpEvent. It generates an event when a user logs in using XDM, SSH, SFTP, telnet, rlogin, rsh, or ftp.

----------------------------------------------------------------------

LoginFromBlacklistEventDetector.java


This detector is triggered by network.events.OutsideDomainLoginEvent. It checks to see if the login was initiated by one of the hosts in the BlacklistEvent table in the database. If it was, a LoginFromBlacklistEvent is generated.

----------------------------------------------------------------------

MarkFailEventDetector.java


The MarkFailEventDetector generates events if the syslog daemon fails to put a MARK message into the messages file (/var/adm/messages) once every 20 minutes. This indicates that nothing is being logged into the messages file or that the syslog daemon has been started without MARK messages being turned on.

----------------------------------------------------------------------

MigrationEventDetector.java


This detector is a bootstrap detector (similar to the TimerEventDetector). It is not triggered by other events, rather it is used to periodically trigger detectors that depend on it. Currently it is being used to trigger the NewSignatureEventDetector.

----------------------------------------------------------------------

MultipleAccountSwitchEventDetector.java


The MultipleAccountSwitchEventDetector generates events when a user switches to more than one account from the same person/terminal/session. It flags all of the possible user names that could have been involved in the switching.

----------------------------------------------------------------------

MultipleLoginFailureFromSameLocationEventDetector.java


The MultipleLoginFailureFromSameLocationEventDetector generates events if there are more than five failed login attempts over a period of five minutes.

----------------------------------------------------------------------

MultipleUserLoginFailureEventDetector.java


The MultipleUserLoginFailureEventDetector generates events if there are five failed login attempts within five minutes for one user's account name.

----------------------------------------------------------------------

NewProcessEventDetector.java


This detector is triggered by network.events.ProcessMonitoringEvent. As ProcessMonitoringEvent generates lists of processes, this detector compares the running processes to a list of processes in the database. If the process is not in the database the process is considered new and the detector generates a NewProcessEvent.

----------------------------------------------------------------------

NewRootProcessEventDetector.java


This detector is triggered by network.events.NewProcessEvent. This detector takes the new processes and checks to see if the user id of the process owner is 0. If the user id is 0 then the process is a root process and a NewRootProcessEvent is generated.

----------------------------------------------------------------------

OutsideAndLocalLoginEventDetector.java


This detector is triggered by network.events.OutsideDomainLoginEvent.

----------------------------------------------------------------------

OutsideDomainLoginEventDetector.java


The OutsideDomainLoginEventDetector generates events if a login comes from a machine in a domain other than the one specified (currently cs.umn.edu). The Event contains the IP address of the source which originated the connection.

----------------------------------------------------------------------

PartitionFullEventDetector.java


This detector is triggered by network.events.SyslogEvent. It generates an event if any of the disk partitions are full.

----------------------------------------------------------------------

ProcessMonitoringEventDetector.java


This detector is triggered by CPUTimerEvent. It uses the ps command to generate events for all of the currently running processes.

----------------------------------------------------------------------

RLoginEventDetector.java


This detector is triggered by network.events.SyslogEvent. It generates an event if there was an rlogin.

----------------------------------------------------------------------

RSHEventDetector.java


This detector is triggered by network.events.SyslogEvent. It generates an event if there is an RSH login.

----------------------------------------------------------------------

RecoveryHandlerDetector.java


This detector is triggered by network.events.FailureEvent. It aids in the agent recovery process.

----------------------------------------------------------------------

RemoteLoginEventDetector.java


This detector is triggered by network.events.LoginEvent. If the login that generated the LoginEvent was remote then this detector will generate a RemoteLoginEvent.

----------------------------------------------------------------------

RunawayProcessEventDetector.java


The RunawayProcessEventDetector generates events if there is a process that has been running too long. Currently this is defined to be one day. There is an ignore list specified in RUNAWAY_PROCESS_IGNORE_FILE which can contain the list of processes that are expected to have a run time which exceeds the specified time.

----------------------------------------------------------------------

SMSAgentAliveEventDetector.java


This detector checks the status of the SMS Agent. If it discovers that the SMS Agent is down a recovery handler is alerted.

----------------------------------------------------------------------

SMSFailureEventDetector.java


This detector generates an event if the SMS Agent has not reported in some specified amount of time.

----------------------------------------------------------------------

SMSRecoveryHandlerDetector.java


This detector handles SMS Agent recovery.

----------------------------------------------------------------------

SnortEventDetector.java


This detector turns each entry in the snort log file into an event.

----------------------------------------------------------------------

SnortRuleEventDetector.java


This detector dynamically adds rules to the snort rules file.

----------------------------------------------------------------------

SyslogEventDetector.java


This detector monitors the syslog file. Its events trigger several other detectors.

----------------------------------------------------------------------

TimerEventDetector.java


This is another bootstrap event detector. It generates a TimerEvent periodically.

----------------------------------------------------------------------

UserSwitchToRootEventDetector.java


The UserSwitchToRootEventDetector generates events when there is a user switch during the login process from a normal user to root.

----------------------------------------------------------------------

XDMEventDetector.java


This detector is triggered by the network.events.SyslogEvent. If the syslog file contains an entry showing an X display manager login then this detector generates an XDMEvent.

----------------------------------------------------------------------




