network.detectors
Class IPEEventDetector

java.lang.Object
  extended by network.detectors.EventDetector
      extended by network.detectors.IPEEventDetector
All Implemented Interfaces:
java.lang.Runnable, java.io.Serializable

public class IPEEventDetector
extends EventDetector
implements java.io.Serializable

IPE stands for IllegalProcessExecution. This detector finds processes that have specific names, being run by specific (or any) users. These users and programs are specified in the $NETMON/config/ipepolicyfile. The detector is triggered by a NewProcessEvent.

Here's an example config file:

user = * : program = bnc, eggdrop, eggDrop, crack, john, sniffit, dsniff
user = johnsond : program = mozilla
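The following is an added example, not code from the project: it parses the policy format shown above and checks a new-process (user, argv) pair against the parsed rules the way the detector's trigger logic is described. It assumes comment lines start with "#", that the program name is the basename of argv[0], and that names compare case-sensitively (the sample lists both eggdrop and eggDrop).

```python
import os
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the policy format shown above (not the project's file).
SAMPLE_POLICY = """\
# lines starting with '#' and blank lines are skipped (assumption)
user = * : program = bnc, eggdrop, eggDrop, crack, john, sniffit, dsniff
user = johnsond : program = mozilla
"""

@dataclass(frozen=True)
class IPERule:
    user: str              # "*" matches any user
    programs: frozenset    # program names this rule flags

def parse_ipe_policy(text: str) -> List[IPERule]:
    """Parse 'user = U : program = P1, P2, ...' lines into rules."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            user_part, prog_part = line.split(":", 1)
            ukey, uval = (s.strip() for s in user_part.split("=", 1))
            pkey, pval = (s.strip() for s in prog_part.split("=", 1))
        except ValueError:
            raise ValueError(f"line {lineno}: expected 'user = U : program = P'")
        if ukey != "user" or pkey != "program":
            raise ValueError(f"line {lineno}: unknown keys {ukey!r}/{pkey!r}")
        programs = frozenset(p.strip() for p in pval.split(",") if p.strip())
        if not uval or not programs:
            raise ValueError(f"line {lineno}: empty user or program list")
        rules.append(IPERule(uval, programs))
    return rules

def match_new_process(rules: List[IPERule], user: str,
                      args: List[str]) -> Optional[IPERule]:
    """Return the first rule flagging this (user, argv) pair, else None.
    The program name is the basename of argv[0], so '/usr/bin/john'
    matches 'john' (assumption); comparison is case-sensitive."""
    if not args:
        return None
    name = os.path.basename(args[0])
    for rule in rules:
        if (rule.user == "*" or rule.user == user) and name in rule.programs:
            return rule
    return None
```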

See Also:
Serialized Form

Field Summary
 
Fields inherited from class network.detectors.EventDetector
agentURN, cred, dbModule, eventIDGenerator, eventTable, host, localTriggeringEvents, remoteTriggeringEvents, reportTable
 
Constructor Summary
IPEEventDetector(ConfigObject configObj)
          The default constructor.
IPEEventDetector(java.lang.String policyFile, ConfigObject configObj)
          Constructor that takes a path to a policy file.
 
Method Summary
 java.util.Vector generateEvent(Event triggeredEvent)
          This method will generate an IPEEvent if a currently-running process matches the username and args of a program specified in the IPE policy file.
 java.lang.String getGeneratingEventClassName()
          Returns the fully-qualified classname of the event that this detector may generate.
static java.lang.String[] getParamList()
          Returns array of strings containing all the parameters that can be used as input to modify this detector.
 void modifyDetector(java.lang.Object object)
          Allows modification of this detector.
static void parseIllegalProgramNamesFile(java.lang.String policyFile, java.util.Vector policyTable)
          Parses an IPE policy file and puts the config info into a vector.
static java.lang.Object[] translateParameters(java.lang.String[] inputarray)
          Takes an array of input strings from the GUI, converts them to an array of objects and returns it.
 
Methods inherited from class network.detectors.EventDetector
getAlarmLevel, getAlertLevel, getLocalTriggeringEventClassNames, getRemoteTriggeringEventClassNames, getSynchronizer, InitializeFields, modifyDetector, populatePatterns, printRunningThreads, run, setAgentURN, setAlarmLevel, setAlertLevel, setDB, setEventIDGenerator, setEventTable, setLocalTriggeringEvents, setRemoteTriggeringEvents, setReportTable, stopDetector, switchOffPrintRunningThreads
 
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
 

Constructor Detail

IPEEventDetector

public IPEEventDetector(ConfigObject configObj)
                 throws java.lang.Exception
The default constructor. Merely calls the other constructor with the default policy file (taken from AdminClient).


IPEEventDetector

public IPEEventDetector(java.lang.String policyFile,
                        ConfigObject configObj)
                 throws java.lang.Exception
Constructor that takes a path to a policy file. See example at top.

Parameters:
policyFile - path to policy file.
Method Detail

parseIllegalProgramNamesFile

public static void parseIllegalProgramNamesFile(java.lang.String policyFile,
                                                java.util.Vector policyTable)
                                         throws java.lang.Exception
Parses an IPE policy file and puts the config info into a vector.

Parameters:
policyFile - path to the IPE policy file to be parsed.
policyTable - a vector to fill with the config info.
Throws:
java.lang.Exception

getParamList

public static java.lang.String[] getParamList()
Returns array of strings containing all the parameters that can be used as input to modify this detector. Each entry in the array corresponds to one parameter with structure " : ".

Returns:
parameterList, an array of Strings indicating parameters and their types

translateParameters

public static java.lang.Object[] translateParameters(java.lang.String[] inputarray)
                                              throws java.lang.Exception
Takes an array of input strings from the GUI, converts them to an array of objects and returns it.

Parameters:
inputarray - an array of strings that contains user inputs.
Returns:
objArray - an array of objects converted from the array of strings received from the user.
Throws:
java.lang.Exception

modifyDetector

public void modifyDetector(java.lang.Object object)
Allows modification of this detector. The Object passed must be a PatternObject, which contains an action and a vector of items on which the action will operate. If the action is 1, the elements in the vector will be added to the IPE policy. If the action is 2, the elements in the vector will be deleted from the IPE policy. If the action is 3, all the rules in the IPE policy will be deleted. If the action is 4, the elements in the vector will replace the rules in the IPE policy.

Parameters:
object - a network.PatternObject containing data and action.
See Also:
network.PatternObject

getGeneratingEventClassName

public java.lang.String getGeneratingEventClassName()
Returns the fully-qualified classname of the event that this detector may generate.

Specified by:
getGeneratingEventClassName in class EventDetector
Returns:
the fully-qualified classname of the event that this detector may generate.

generateEvent

public java.util.Vector generateEvent(Event triggeredEvent)
This method will generate an IPEEvent if a currently-running process matches the username and args of a program specified in the IPE policy file. It must be triggered by a NewProcessEvent.

Specified by:
generateEvent in class EventDetector
Parameters:
triggeredEvent - the event that triggered the detector.
Returns:
a vector of IPEEvents.