Windows port_test and foreign address?

Windows port_test and foreign address?

Matthew N. Wojcik
Looking at the OVAL schema docs, it doesn't appear that information on the remote (foreign) side of open connections is available in the Windows port_test. Is this an intentional omission, or an oversight? Note that it's available via netstat on the command line. I expected to see foreign_address and foreign_port analogs to the local_address and local_port elements of port_object and port_state (not sure if they'd want to be in the object or just the state).

I should add that I've only checked netstat output under Windows XP.  I suppose if this test dates back far enough, and earlier versions of Windows didn't report the foreign addr & port information, that would explain why the test doesn't include them.  Probably worth checking different versions of Windows.

Anyway, if there isn't some compelling reason to keep the remote side out of the test, could it be added in 5.8?

Thanks,

--Woj

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].
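
Added example, not part of the original thread: a Python parser for Windows `netstat -ano` output that exposes the remote-side fields the post refers to, next to the local ones. The sample output is constructed, and `foreign_address` / `foreign_port` are the names proposed in the post, used here only as field names; `Conn`, `parse_netstat` and `established_to` are hypothetical helpers.

```python
from typing import NamedTuple, Optional

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    192.0.2.10:49712       203.0.113.5:443        ESTABLISHED     4321
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1200
"""

class Conn(NamedTuple):
    protocol: str
    local_address: Optional[str]
    local_port: Optional[int]
    foreign_address: Optional[str]  # name proposed in the post (assumption)
    foreign_port: Optional[int]     # name proposed in the post (assumption)
    state: Optional[str]
    pid: int

def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; handles '[v6]:port' and '*:*'."""
    addr, _, port = endpoint.rpartition(":")
    addr = addr.strip("[]")
    return (None if addr == "*" else addr, None if port == "*" else int(port))

def parse_netstat(text):
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner and column-header lines
        # UDP rows carry no State column: Proto, Local, Foreign, PID
        state = fields[3] if len(fields) == 5 else None
        local_addr, local_port = split_endpoint(fields[1])
        foreign_addr, foreign_port = split_endpoint(fields[2])
        conns.append(Conn(fields[0], local_addr, local_port,
                          foreign_addr, foreign_port, state, int(fields[-1])))
    return conns

def established_to(conns, foreign_port):
    """Select on the remote side, which local-only fields cannot express."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and c.foreign_port == foreign_port]
```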

Re: Windows port_test and foreign address?

Jon Baker
Administrator
Good catch, Woj. I have added a tracker item to the 5.8 release to make sure we address this issue.

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


>-----Original Message-----
>From: Wojcik, Matthew N. [mailto:[hidden email]]
>Sent: Wednesday, May 05, 2010 10:28 AM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: [OVAL-DEVELOPER-LIST] Windows port_test and foreign address?
>
>Looking at the OVAL schema docs, it doesn't appear that information on
>the remote (foreign) side of open connections is available in the
>Windows port_test.  Is this an intentional omission, or an oversight?
>Note that it's available via netstat on the command line.  I expected
>to see foreign_address and foreign_port analogs to the local_address
>and local_port elements of port_object and port_state (not sure if
>they'd want to be in the object or just the state).
>
>I should add that I've only checked netstat output under Windows XP.
>I suppose if this test dates back far enough, and earlier versions of
>Windows didn't report the foreign addr & port information, that would
>explain why the test doesn't include them.  Probably worth checking
>different versions of Windows.
>
>Anyway, if there isn't some compelling reason to keep the remote side
>out of the test, could it be added in 5.8?
>
>Thanks,
>
>--Woj