| 
Class Summary | 
| AbnormalRootLoginEventDetector | 
The AbnormalRootLoginEvent Detector checks to see if there is any root login from a host that is not specified in the $NETMON/config/roothosts files (list of hosts that a root login is permitted from). | 
| AgentAliveEventDetector | 
The AgentAliveEvent Detector periodically checks to see if detectors in an agent have died by 
 checking that the number of threads in an agent never decreases. | 
| AgentServerLogEventDetector | 
  | 
| AjantaResourceMonitorEventDetector | 
  | 
| AjantaWatcherEventDetector | 
  | 
| Backtrack | 
  | 
| BlacklistEventDetector | 
BlacklistEventDetector checks to see if any Snort events are from a blacklisted host. | 
| CERTAdvisoryEventDetector | 
  | 
| CheckSignatureEventDetector | 
  | 
| CPUMonitorEventDetector | 
The CPUMonitorEvent Detector generates a list of all currently running processes and respective statistics on a monitored host, using the UNIX 'ps' command. | 
| CPUTimerEventDetector | 
The CPUTimerEvent Detector is a special detector. | 
| DaemonDeletedEventDetector | 
The DaemonDeletedEventDetector detects if a daemon has been deleted. | 
| DeletedProcessEventDetector | 
This detector keeps a record of all processes seen on the system, and compares against this record
 any process events (network.events.ProcessMonitoringEvent) that occur. | 
| DiskFullEventDetector | 
This detector watches a number of disk volumes and warns (generates a DiskFullEvent) 
 if the space used is above X percent. | 
| DummyEventDetector | 
As the name implies, this is a dummy detector. | 
| DynamicUserTrackingEventDetector | 
  | 
| EventDetector | 
  | 
| FailureEventDetector | 
The FailureEvent Detector can monitor agents and detectors for failure. | 
| FileAddedEventDetector | 
  | 
| FileChangedEventDetector | 
  | 
| FileConsistencyEventDetector | 
This detector hashes all files in /usr/bin and recalculates the hashes periodically. | 
| FileDeletedEventDetector | 
  | 
| FileLastChangedEventDetector | 
  | 
| FileSBitChangedEventDetector | 
Generates FileSBitChangedEvents based on a comparison of the previous permissions and the new permissions. | 
| FileSystemFullEventDetector | 
This detector watches the syslog file and looks for messages indicating 
 that a partition is full. | 
| FtpAlarmEventDetector | 
An FtpAlarm Detector. | 
| FtpEventDetector | 
This detector extends the SyslogEventDetector and generates
 FtpEvents when called. | 
| IllegitimateRootPresenceEventDetector | 
The IllegitimateRootPresenceEvent Detector is notified of NewRootProcessEvents, 
 and then checks to see if the root user appears in the output of the 'who -q' 
 command. | 
| InvalidUserAlarmEventDetector | 
This detector analyzes ConnectEvents to see if their initiating user's 
 username is on the validUsers list. | 
| IPEEventDetector | 
IPE stands for IllegalProcessExecution. | 
| LocalUserSwitchEventDetector | 
  | 
| LoginEventDetector | 
  | 
| LoginFromBlacklistEventDetector | 
This detector checks to see if a login comes from a blacklisted host. | 
| LogoutEventDetector | 
  | 
| MarkFailEventDetector | 
Looks for the MARK message in the syslog file. | 
| MigrationEventDetector | 
  | 
| MultipleAccountSwitchEventDetector | 
  | 
| MultipleLoginAttemptsEventDetector | 
Detects if a user has tried to login a specified number of times in a specified time period. | 
| MultipleLoginFailureFromSameLocationEventDetector | 
  | 
| MultipleUserLoginFailureEventDetector | 
  | 
| NewProcessEventDetector | 
Checks for new processes. We keep a record of all processes seen, and compare against it to see if new processes have been created. | 
| NewRootProcessEventDetector | 
Checks for processes running as 'root'. If found, a new event will be generated, and the event handler will take appropriate action, e.g. launching further agents to monitor critical resources. | 
| NewSignatureEventDetector | 
  | 
| OutsideAndLocalLoginEventDetector | 
Detects if the same user has logged in from the local domain and an outside domain at the same time. | 
| OutsideDomainLoginEventDetector | 
Detects logins from outside the domain. | 
| PartitionFullEventDetector | 
Detects if any disk partition is full. | 
| PortscanEventDetector | 
  | 
| ProcessMonitoringEventDetector | 
Detects the processes that are currently running. | 
| RecoveryHandlerDetector | 
  | 
| RemoteLoginEventDetector | 
  | 
| RemoteUserSwitchEventDetector | 
  | 
| RLoginEventDetector | 
Detects logins from the RLogin protocol. | 
| RootPresenceEventDetector | 
Checks for root presence, through either legitimate logins (xdm or su), or through new processes being started as root. | 
| RPCAbnormalTrafficEventDetector | 
  | 
| RSHEventDetector | 
Detects logins using the RSH protocol. Triggered by default by SyslogEvent. Detects RSH logins by matching RSH in a syslog line. | 
| RunawayProcessEventDetector | 
Detects if a user process has been running for too long. | 
| SFtpEventDetector | 
Detects SFtp events. | 
| SMSAgentAliveEventDetector | 
  | 
| SMSFailureEventDetector | 
  | 
| SMSRecoveryHandlerDetector | 
  | 
| SnortEventDetector | 
  | 
| SshEventDetector | 
  | 
| SshSftpEventDetector | 
  | 
| SUDOEventDetector | 
Detects the execution of sudo - a program that allows a user to run a program as another user. | 
| SUEventDetector | 
  | 
| SyslogEventDetector | 
  | 
| TelnetEventDetector | 
  | 
| TelnetFtpLoginEventDetector | 
  | 
| TestEventDetector | 
As the name implies, this is a test detector. | 
| TimerEventDetector | 
  | 
| UserLoginElement | 
This class stores the tuple (user, num_attempts, time). All times are in milliseconds. | 
| UserPresenceEventDetector | 
  | 
| UserSwitchAttemptEventDetector | 
  | 
| UserSwitchConfirmEventDetector | 
  | 
| UserSwitchToKonark1EventDetector | 
  | 
| UserSwitchToRootEventDetector | 
  | 
| WrapperEventDetector | 
  | 
| XDMEventDetector | 
  |