port_*

Javier Godinez
Can anyone help me, I have been unable to find an example of the
correct usage of port_*. I just want a simple test to see if a UDP or
TCP port is open on a windows box. Does this (below) seem correct? Is
my local_port (under port_state) section correct? If I wanted to
specify only TCP, where would I specify it?

 <tests>
   <port_test id="123" version="1" check="at least one" comment="TCP
or UDP port 1720 is open" check_existence="at_least_one_exists"
xmlns="...windows">
     <object object_ref="1337"/>
     <state state_ref="2172"/>
   </port_test>
 </tests>
 <objects>
   <port_object id="1337" version="1" xmlns="...#windows">
     <protocol operation="pattern match">.*</protocol>
     <local_address operation="pattern match">.*</local_address>
     <local_port operation="equals">1720</local_port>
   </port_object>
 </objects>
 <states>
   <port_state id="2172" version="1" xmlns="...windows">
     <local_port operation="pattern match">.*</local_port>
   </port_state>
 </states>


--
# Javier

To unsubscribe, send an email message to [hidden email] with
SIGNOFF OVAL-DEVELOPER-LIST
in the BODY of the message.  If you have difficulties, write to [hidden email].

Re: port_*

Sudhir Gandhe-3
Javier,

If you are just testing to see if TCP or UDP port 1720 is open then you don't need any state.

 <tests>
  <port_test id="123" version="1" check="all" comment="TCP or UDP port 1720 is open" check_existence="at_least_one_exists" xmlns="...windows">
    <object object_ref="1337"/>
  </port_test>
 </tests>
 
 <objects>
  <port_object id="1337" version="1" xmlns="...#windows">
    <local_address operation="pattern match">.*</local_address>
    <local_port operation="equals">1720</local_port>
    <protocol operation="pattern match">.*</protocol>
  </port_object>
 </objects>


If you want to specify TCP then your object would look like -

<objects>
  <port_object id="1337" version="1" xmlns="...#windows">
    <local_address operation="pattern match">.*</local_address>
    <local_port operation="equals">1720</local_port>
    <protocol>TCP</protocol>
  </port_object>
 </objects>


You will need a state in case you want to compare the elements of the object to a defined state. Eg - in this case if you want to compare the process id (pid) to say "9999".




-SG


Sudhir Gandhe
Telos Corporation








On Wed, Mar 4, 2009 at 11:01 AM, Javier Godinez <[hidden email]> wrote:
Can anyone help me, I have been unable to find an example of the
correct usage of port_*. I just want a simple test to see if a UDP or
TCP port is open on a windows box. Does this (below) seem correct? Is
my local_port (under port_state) section correct? If I wanted to
specify only TCP, where would I specify it?

 <tests>
  <port_test id="123" version="1" check="at least one" comment="TCP
or UDP port 1720 is open" check_existence="at_least_one_exists"
xmlns="...windows">
    <object object_ref="1337"/>
    <state state_ref="2172"/>
  </port_test>
 </tests>
 <objects>
  <port_object id="1337" version="1" xmlns="...#windows">
    <protocol operation="pattern match">.*</protocol>
    <local_address operation="pattern match">.*</local_address>
    <local_port operation="equals">1720</local_port>
  </port_object>
 </objects>
 <states>
  <port_state id="2172" version="1" xmlns="...windows">
    <local_port operation="pattern match">.*</local_port>
  </port_state>
 </states>



Re: port_*

Javier Godinez
Sudhir,

Thanks, but what if you wanted to make sure that a
specific process is listening to a specific port, the only thing I
could find is to specify the PID in port_state. Under the Linux
schema, this is much easier since I can simply specify program_name
under inetlisteningservers_state. Is there something similar under
windows?

Thanks again,
Javier Godinez

On Thu, Mar 5, 2009 at 9:01 AM, Sudhir Gandhe <[hidden email]> wrote:

> Javier,
>
> If you are just testing to see if TCP or UDP port 1720 is open then you don't
> need any state.
>
>  <tests>
>   <port_test id="123" version="1" check="all" comment="TCP or UDP port 1720 is open" check_existence="at_least_one_exists" xmlns="...windows">
>     <object object_ref="1337"/>
>   </port_test>
>  </tests>
>
>  <objects>
>   <port_object id="1337" version="1" xmlns="...#windows">
>     <local_address operation="pattern match">.*</local_address>
>     <local_port operation="equals">1720</local_port>
>     <protocol operation="pattern match">.*</protocol>
>   </port_object>
>  </objects>
>
>
> If you want to specify TCP then your object would look like -
> <objects>
>   <port_object id="1337" version="1" xmlns="...#windows">
>     <local_address operation="pattern match">.*</local_address>
>     <local_port operation="equals">1720</local_port>
>     <protocol>TCP</protocol>
>   </port_object>
>  </objects>
>
>
> You will need a state in case you want to compare the elements of the object
> to a defined state. Eg - in this case if you want to compare the process id
> (pid) to say "9999".
>
>
>
>
> -SG
>
>
> Sudhir Gandhe
> Telos Corporation



--
# Javier


Re: port_*

Sudhir Gandhe-3
Javier,


Looking at the Windows schema, this might not be possible. Schema needs to be expanded to incorporate the process name - OVAL 5.6 or 6.0.

Comments?



-SG

Sudhir Gandhe
Telos Corporation



On Thu, Mar 5, 2009 at 12:36 PM, Javier Godinez <[hidden email]> wrote:
Sudhir,

Thanks, but what if you wanted to make sure that a
specific process is listening to a specific port, the only thing I
could find is to specify the PID in port_state. Under the Linux
schema, this is much easier since I can simply specify program_name
under inetlisteningservers_state. Is there something similar under
windows?

Thanks again,
Javier Godinez


Re: port_*

Matthew N. Wojcik
I may be wrong (it's been a *long* time since I've actually written any real OVAL definitions), but couldn't you do this using local variables?  Use the Windows process_* to find the pid(s) of any running process(es) that match the process characteristics you're looking for, and then plug that pid into a local variable to be used in the port_state.

--Woj                  Matthew N. Wojcik                 [hidden email]


> -----Original Message-----
> From: Sudhir Gandhe [mailto:[hidden email]]
> Sent: Thursday, March 05, 2009 1:08 PM
> To: oval-developer-list OVAL Developer List/Closed Public Discussion
> Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>
> Javier,
>
>
> Looking at the Windows schema, this might not be possible. Schema needs
> to be expanded to incorporate the process name - OVAL 5.6 or 6.0.
>
> Comments?
>
>
>
> -SG
>
> Sudhir Gandhe
> Telos Corporation

Re: port_*

Javier Godinez
In reply to this post by Sudhir Gandhe-3
Haven't looked at 6.0 yet, but this might be a worthwhile thing to do
and would bring the interfaces for Windows up to par with the Linux
interface.

Thanks,
jg

On Thu, Mar 5, 2009 at 10:08 AM, Sudhir Gandhe <[hidden email]> wrote:

> Javier,
>
>
> Looking at the Windows schema, this might not be possible. Schema needs to
> be expanded to incorporate the process name - OVAL 5.6 or 6.0.
>
> Comments?
>
>
>
> -SG
>
> Sudhir Gandhe
> Telos Corporation



--
# Javier


Re: port_*

Javier Godinez
In reply to this post by Matthew N. Wojcik
Matt,

Possibly, I'll look into it.

Thanks!
jg

On Thu, Mar 5, 2009 at 10:18 AM, Wojcik, Matthew N. <[hidden email]> wrote:

> I may be wrong (it's been a *long* time since I've actually written any real OVAL definitions), but couldn't you do this using local variables?  Use the Windows process_* to find the pid(s) of any running process(es) that match the process characteristics you're looking for, and then plug that pid into a local variable to be used in the port_state.
>
> --Woj                  Matthew N. Wojcik                 [hidden email]



--
# Javier


Re: port_*

Javier Godinez
In reply to this post by Matthew N. Wojcik
Maybe I'm trying to do something that OVAL wasn't designed to do, but
does anyone know how to grab a local_variable from a port_state? I
need a way to fill in the PID in the code below. Here is what I have,
any ideas? I think that as Matt suggested, it could be possible
somehow to match a process to a port.

<tests>
  <port_test>
    <object object_ref="2"/>
    <state state_ref="3"/>
  </port_test>
</tests>

<objects>
  <port_object id="2">
    <protocol operation="equals">UDP</protocol>
    <local_address operation="pattern match">.*</local_address>
    <local_port operation="equals">123</local_port>
  </port_object>
  <process_object id="1">
    <command_line operation="equals" datatype="string">svchost.exe</command_line>
  </process_object>
</objects>

<states>
  <port_state id="3">
    <pid><!-- how do I get the local variable pid--></pid>
  </port_state>
</states>

<variables>
  <local_variable>
    <object_component item_field="pid" object_ref="1"/>
  </local_variable>
</variables>

Thanks,
jg
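
The wiring asked about above, written out as an added example (it is not part of the original posts): the pid entity in port_state is left empty and points at the local variable through the var_ref attribute, and the variable's object_component pulls the pid field from the process_object. The ids in the oval:example form are constructed placeholders, the xmlns values are kept abbreviated as they appear in the thread, and the pattern match on command_line is an assumption about what the collected command line contains.

```xml
<!-- Added example. All ids are constructed placeholders; the xmlns values
     are abbreviated exactly as they are in the thread. -->
<tests>
  <!-- Passes when at least one UDP/123 endpoint is owned by a PID that
       the variable below resolved from the process list. -->
  <port_test id="oval:example:tst:1" version="1"
             check="at least one" check_existence="at_least_one_exists"
             comment="UDP port 123 is held by an svchost.exe process"
             xmlns="...#windows">
    <object object_ref="oval:example:obj:2"/>
    <state state_ref="oval:example:ste:3"/>
  </port_test>
</tests>

<objects>
  <!-- Collects every running process whose command line mentions
       svchost.exe. Assumption: the collected command line carries the
       full path and arguments, so "equals" would rarely match. -->
  <process_object id="oval:example:obj:1" version="1" xmlns="...#windows">
    <command_line operation="pattern match">svchost\.exe</command_line>
  </process_object>

  <!-- Collects the UDP/123 endpoints on any local address. -->
  <port_object id="oval:example:obj:2" version="1" xmlns="...#windows">
    <local_address operation="pattern match">.*</local_address>
    <local_port datatype="int" operation="equals">123</local_port>
    <protocol operation="equals">UDP</protocol>
  </port_object>
</objects>

<states>
  <port_state id="oval:example:ste:3" version="1" xmlns="...#windows">
    <!-- No literal value here: var_ref supplies it. var_check decides how
         several PIDs are treated; "at least one" accepts the endpoint if
         any collected svchost.exe PID owns it. -->
    <pid datatype="int" var_ref="oval:example:var:1" var_check="at least one"/>
  </port_state>
</states>

<variables>
  <!-- Exposes the pid field of every item collected by the process object. -->
  <local_variable id="oval:example:var:1" version="1" datatype="int"
                  comment="PIDs of running svchost.exe processes">
    <object_component object_ref="oval:example:obj:1" item_field="pid"/>
  </local_variable>
</variables>
```

Because svchost.exe normally runs as several processes, the variable holds several PIDs; var_check="all" would require the port's PID to equal every one of them and would not pass.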

On Thu, Mar 5, 2009 at 10:18 AM, Wojcik, Matthew N. <[hidden email]> wrote:

> I may be wrong (it's been a *long* time since I've actually written any real OVAL definitions), but couldn't you do this using local variables?  Use the Windows process_* to find the pid(s) of any running process(es) that match the process characteristics you're looking for, and then plug that pid into a local variable to be used in the port_state.
>
> --Woj                  Matthew N. Wojcik                 [hidden email]
>
>
>> -----Original Message-----
>> From: Sudhir Gandhe [mailto:[hidden email]]
>> Sent: Thursday, March 05, 2009 1:08 PM
>> To: oval-developer-list OVAL Developer List/Closed Public Discussion
>> Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>>
>> Javier,
>>
>>
>> Looking at the Windows schema, this might not be possible. Schema needs
>> to be expanded to incorporate the process name - OVAL 5.6 or 6.0.
>>
>> Comments?
>>
>>
>>
>> -SG
>>
>> Sudhir Gandhe
>> Telos Corporation
>>
>>
>>
>>
>> On Thu, Mar 5, 2009 at 12:36 PM, Javier Godinez <[hidden email]>
>> wrote:
>>
>>
>>       Sudhir,
>>
>>       Thanks, but what if you wanted to make sure that a
>>       specific process is listening to a specific port, the only thing
>> I
>>       could find is to specify the PID in port_state. Under the Linux
>>       schema, this is much easier since I can simply specify
>> program_name
>>       under inetlisteningservers_state. Is there something similar
>> under
>>       windows?
>>
>>       Thanks again,
>>       Javier Godinez
>>
>>
>>       On Thu, Mar 5, 2009 at 9:01 AM, Sudhir Gandhe
>> <[hidden email]> wrote:
>>       > Javier,
>>       >
>>       > If you are just testing to see TCP or UDP port 1720 is open
>> then you don't
>>       > need any state.
>>       >
>>       >  <tests>
>>       >   <port_test id="123" version="1" check="all" comment="TCP or
>> UDP port 1720
>>       > is open" check_existence="at_least_one_
>>       > exists" xmlns="...windows">
>>       >     <object object_ref="1337"/>
>>       >   </port_test>
>>       >  </tests>
>>       >
>>       >  <objects>
>>       >   <port_object id="1337" version="1" xmlns="...#windows">
>>       >     <local_address operation="pattern match">.*</local_address>
>>       >     <local_port operation="equals">1720</local_port>
>>       >     <protocol operation="pattern match">.*</protocol>
>>       >   </port_object>
>>       >  </objects>
>>       >
>>       >
>>       > If you want to specify TCP then your object would look like -
>>       > <objects>
>>       >   <port_object id="1337" version="1" xmlns="...#windows">
>>       >     <local_address operation="pattern match">.*</local_address>
>>       >     <local_port operation="equals">1720</local_port>
>>       >     <protocol>TCP</protocol>
>>       >   </port_object>
>>       >  </objects>
>>       >
>>       >
>>       > You will need a state in case you want to compare the elements
>> of the object
>>       > to a defined state. Eg - in this case if you want to compare
>> the process id
>>       > (pid) to say "9999".
>>       >
>>       >
>>       >
>>       >
>>       > -SG
>>       >
>>       >
>>       > Sudhir Gandhe
>>       > Telos Corporation
>>       >
>>       >
>>       >
>>       >
>>       >
>>       >
>>       >
>>       > On Wed, Mar 4, 2009 at 11:01 AM, Javier Godinez
>> <[hidden email]> wrote:
>>       >>
>>       >> Can anyone help me, I have been unable to find an example of
>> the
>>       >> correct usage of port_*. I just want a simple test to see if a
>> UDP or
>>       >> TCP port is open on a windows box. Does this (below) seem
>> correct? Is
>>       >> my local_port (under port_state) section correct? If I wanted
>> to
>>       >> specify only TCP, where would I specify it?
>>       >>
>>       >>  <tests>
>>       >>   <port_test id="123" version="1" check="at least one"
>> comment="TCP
>>       >> or UDP port 1720 is open"
>> check_existence="at_least_one_exists"
>>       >> xmlns="...windows">
>>       >>     <object object_ref="1337"/>
>>       >>     <state state_ref="2172"/>
>>       >>   </port_test>
>>       >>  </tests>
>>       >>  <objects>
>>       >>   <port_object id="1337" version="1" xmlns="...#windows">
>>       >>     <protocol operation="pattern match">.*</protocol>
>>       >>     <local_address operation="pattern
>> match">.*</local_address>
>>       >>     <local_port operation="equals">1720</local_port>
>>       >>   </port_object>
>>       >>  </objects>
>>       >>  <states>
>>       >>   <port_state id="2172" version="1" xmlns="...windows">
>>       >>     <local_port operation="pattern match">.*</local_port>
>>       >>   </port_state>
>>       >>  </states>
>>       >>
>>       >>
>>       >> --
>>       >> # Javier
>>       >>
>>
>>
>>
>>
>>       --
>>
>>       # Javier
>>

Re: port_*

Jon Baker
Administrator
Javier,

I think you are really close. It looks like you just need to add a variable reference to your state. Something like this:


<states>
  <port_state id="3">
    <pid var_ref="oval:example:var:1" var_check="all"/>
  </port_state>
</states>

<variables>
  <local_variable id="oval:example:var:1">
    <object_component item_field="pid" object_ref="1"/>
  </local_variable>
</variables>

Did that take care of it for you?


Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


>-----Original Message-----
>From: Javier Godinez [mailto:[hidden email]]
>Sent: Friday, March 06, 2009 6:16 PM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>
>Maybe I'm trying to do something that OVAL wasn't designed to do, but
>does anyone know how to grab a local_variable from a port_state? I
>need a way to fill in the PID in the code below. Here is what I have,
>any ideas? I think that as Matt suggested, it could be possible
>somehow to match a process to a port.
>
><tests>
>  <port_test>
>    <object object_ref="2"/>
>    <state state_ref="3"/>
>  </port_test>
></tests>
>
><objects>
>  <port_object id="2">
>    <protocol operation="equals">UDP</protocol>
>    <local_address operation="pattern match">.*</local_address>
>    <local_port operation="equals">123</local_port>
>  </port_object>
>  <process_object id="1" >
>    <command_line operation="equals" datatype="string">svchost.exe</command_line>
>  </process_object>
></objects>
>
><states>
>  <port_state id="3">
>    <pid><!-- how do I get the local variable pid--></pid>
>  </port_state>
></states>
>
><variables>
>  <local_variable>
>    <object_component item_field="pid" object_ref="1"/>
>  </local_variable>
></variables>
>
>Thanks,
>jg
>
>On Thu, Mar 5, 2009 at 10:18 AM, Wojcik, Matthew N. <[hidden email]>
>wrote:
>> I may be wrong (it's been a *long* time since I've actually written
>any real OVAL definitions), but couldn't you do this using local
>variables?  Use the Windows process_* to find the pid(s) of any running
>process(es) that match the process characteristics you're looking for,
>and then plug that pid into a local variable to be used in the
>port_state.
>>
>> --Woj                  Matthew N. Wojcik                 [hidden email]
>>
>>
>>> -----Original Message-----
>>> From: Sudhir Gandhe [mailto:[hidden email]]
>>> Sent: Thursday, March 05, 2009 1:08 PM
>>> To: oval-developer-list OVAL Developer List/Closed Public Discussion
>>> Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>>>
>>> Javier,
>>>
>>>
>>> Looking at the Windows schema, this might not be possible. Schema
>needs
>>> to be expanded to incorporate the process name - OVAL 5.6 or 6.0.
>>>
>>> Comments?
>>>
>>>
>>>
>>> -SG
>>>
>>> Sudhir Gandhe
>>> Telos Corporation
>>>
>>>
>>>
>>>
>>> On Thu, Mar 5, 2009 at 12:36 PM, Javier Godinez <[hidden email]>
>>> wrote:
>>>
>>>
>>>       Sudhir,
>>>
>>>       Thanks, but what if you wanted to make sure that a
>>>       specific process is listening to a specific port, the only
>thing
>>> I
>>>       could find is to specify the PID in port_state. Under the Linux
>>>       schema, this is much easier since I can simply specify
>>> program_name
>>>       under inetlisteningservers_state. Is there something similar
>>> under
>>>       windows?
>>>
>>>       Thanks again,
>>>       Javier Godinez
>>>
>>>
>>>       On Thu, Mar 5, 2009 at 9:01 AM, Sudhir Gandhe
>>> <[hidden email]> wrote:
>>>       > Javier,
>>>       >
>>>       > If you are just testing to see TCP or UDP port 1720 is open
>>> then you don't
>>>       > need any state.
>>>       >
>>>       >  <tests>
>>>       >   <port_test id="123" version="1" check="all" comment="TCP or
>>> UDP port 1720
>>>       > is open" check_existence="at_least_one_
>>>       > exists" xmlns="...windows">
>>>       >     <object object_ref="1337"/>
>>>       >   </port_test>
>>>       >  </tests>
>>>       >
>>>       >  <objects>
>>>       >   <port_object id="1337" version="1" xmlns="...#windows">
>>>       >     <local_address operation="pattern
>match">.*</local_address>
>>>       >     <local_port operation="equals">1720</local_port>
>>>       >     <protocol operation="pattern match">.*</protocol>
>>>       >   </port_object>
>>>       >  </objects>
>>>       >
>>>       >
>>>       > If you want to specify TCP then your object would look like -
>>>       > <objects>
>>>       >   <port_object id="1337" version="1" xmlns="...#windows">
>>>       >     <local_address operation="pattern
>match">.*</local_address>
>>>       >     <local_port operation="equals">1720</local_port>
>>>       >     <protocol>TCP</protocol>
>>>       >   </port_object>
>>>       >  </objects>
>>>       >
>>>       >
>>>       > You will need a state in case you want to compare the
>elements
>>> of the object
>>>       > to a defined state. Eg - in this case if you want to compare
>>> the process id
>>>       > (pid) to say "9999".
>>>       >
>>>       >
>>>       >
>>>       >
>>>       > -SG
>>>       >
>>>       >
>>>       > Sudhir Gandhe
>>>       > Telos Corporation
>>>       >
>>>       >
>>>       >
>>>       >
>>>       >
>>>       >
>>>       >
>>>       > On Wed, Mar 4, 2009 at 11:01 AM, Javier Godinez
>>> <[hidden email]> wrote:
>>>       >>
>>>       >> Can anyone help me, I have been unable to find an example of
>>> the
>>>       >> correct usage of port_*. I just want a simple test to see if
>a
>>> UDP or
>>>       >> TCP port is open on a windows box. Does this (below) seem
>>> correct? Is
>>>       >> my local_port (under port_state) section correct? If I
>wanted
>>> to
>>>       >> specify only TCP, where would I specify it?
>>>       >>
>>>       >>  <tests>
>>>       >>   <port_test id="123" version="1" check="at least one"
>>> comment="TCP
>>>       >> or UDP port 1720 is open"
>>> check_existence="at_least_one_exists"
>>>       >> xmlns="...windows">
>>>       >>     <object object_ref="1337"/>
>>>       >>     <state state_ref="2172"/>
>>>       >>   </port_test>
>>>       >>  </tests>
>>>       >>  <objects>
>>>       >>   <port_object id="1337" version="1" xmlns="...#windows">
>>>       >>     <protocol operation="pattern match">.*</protocol>
>>>       >>     <local_address operation="pattern
>>> match">.*</local_address>
>>>       >>     <local_port operation="equals">1720</local_port>
>>>       >>   </port_object>
>>>       >>  </objects>
>>>       >>  <states>
>>>       >>   <port_state id="2172" version="1" xmlns="...windows">
>>>       >>     <local_port operation="pattern match">.*</local_port>
>>>       >>   </port_state>
>>>       >>  </states>
>>>       >>
>>>       >>
>>>       >> --
>>>       >> # Javier
>>>       >>
>>>
>>>
>>>
>>>
>>>       --
>>>
>>>       # Javier
>>>

Accounts: Guest account status issue

Amanda Joseph
I'm having issues getting the following check to return expected results on
both vista and xp: 'Accounts: Guest account status'. I've tried running the
latest ovaldi.exe (5.5.4) on three separate machines, including the WinXP
virtual file, and no matter if the Guest account is disabled or not, a
result of false is always returned. Is this check supposed to test whether
the account is disabled or not, or have I missed something here?

Regards,
Amanda


Re: port_*

Javier Godinez
In reply to this post by Jon Baker
Jon,


It makes sense to me, but when I run it the results are "unknown".
In my test below I am trying to make sure that the System process is
running on port 445 (SMB).
Does this test make sense? Does my usage of process_object seem correct? Anyone?


  <tests>
    <port_test id="oval:com.test:tst:445" version="1" check="at least one" comment="SMB is listening on TCP port 445" check_existence="at_least_one_exists">
      <object object_ref="oval:com.test:obj:445"/>
      <state state_ref="oval:com.test:ste:445"/>
    </port_test>
  </tests>

  <objects>
    <port_object id="oval:com.test:obj:445" version="1">
      <local_address operation="pattern match">.*</local_address>
      <local_port operation="equals">445</local_port>
      <protocol operation="equals">TCP</protocol>
    </port_object>
    <process_object id="oval:com.test:obj:10000" version="1">
      <command_line operation="equals" datatype="string">System</command_line>
    </process_object>
  </objects>

  <states>
    <port_state id="oval:com.test:ste:445" version="1">
      <pid var_ref="oval:com.test:var:445" var_check="all"/>
    </port_state>
  </states>

  <variables>
    <local_variable id="oval:com.test:var:445" version="1" datatype="string" comment="The System process identifier">
      <object_component item_field="pid" object_ref="oval:com.test:obj:10000"/>
    </local_variable>
  </variables>


Thanks a lot!
jg




On Sat, Mar 14, 2009 at 4:34 PM, Baker, Jon <[hidden email]> wrote:

> Javier,
>
> I think you are really close. It looks like you just need to add a variable reference to your state. Something like this:
>
>
> <states>
>  <port_state id="3">
>    <pid var_ref="oval:example:var:1" var_check="all"/>
>  </port_state>
> </states>
>
> <variables>
>  <local_variable id="oval:example:var:1">
>    <object_component item_field="pid" object_ref="1"/>
>  </local_variable>
> </variables>
>
> Did that take care of it for you?
>
>
> Jon
>
> ============================================
> Jonathan O. Baker
> G022 - IA Industry Collaboration
> The MITRE Corporation
> Email: [hidden email]
>
>
>>-----Original Message-----
>>From: Javier Godinez [mailto:[hidden email]]
>>Sent: Friday, March 06, 2009 6:16 PM
>>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>>Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>>
>>Maybe I'm trying to do something that OVAL wasn't designed to do, but
>>does anyone know how to grab a local_variable from a port_state? I
>>need a way to fill in the PID in the code below. Here is what I have,
>>any ideas? I think that as Matt suggested, it could be possible
>>somehow to match a process to a port.
>>
>><tests>
>>  <port_test>
>>    <object object_ref="2"/>
>>    <state state_ref="3"/>
>>  </port_test>
>></tests>
>>
>><objects>
>>  <port_object id="2">
>>    <protocol operation="equals">UDP</protocol>
>>    <local_address operation="pattern match">.*</local_address>
>>    <local_port operation="equals">123</local_port>
>>  </port_object>
>>  <process_object id="1" >
>>    <command_line operation="equals" datatype="string">svchost.exe</command_line>
>>  </process_object>
>></objects>
>>
>><states>
>>  <port_state id="3">
>>    <pid><!-- how do I get the local variable pid--></pid>
>>  </port_state>
>></states>
>>
>><variables>
>>  <local_variable>
>>    <object_component item_field="pid" object_ref="1"/>
>>  </local_variable>
>></variables>
>>
>>Thanks,
>>jg
>>
>>On Thu, Mar 5, 2009 at 10:18 AM, Wojcik, Matthew N. <[hidden email]>
>>wrote:
>>> I may be wrong (it's been a *long* time since I've actually written
>>any real OVAL definitions), but couldn't you do this using local
>>variables?  Use the Windows process_* to find the pid(s) of any running
>>process(es) that match the process characteristics you're looking for,
>>and then plug that pid into a local variable to be used in the
>>port_state.
>>>
>>> --Woj                  Matthew N. Wojcik                 [hidden email]
>>>
>>>
>>>> -----Original Message-----
>>>> From: Sudhir Gandhe [mailto:[hidden email]]
>>>> Sent: Thursday, March 05, 2009 1:08 PM
>>>> To: oval-developer-list OVAL Developer List/Closed Public Discussion
>>>> Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>>>>
>>>> Javier,
>>>>
>>>>
>>>> Looking at the Windows schema, this might not be possible. Schema
>>needs
>>>> to be expanded to incorporate the process name - OVAL 5.6 or 6.0.
>>>>
>>>> Comments?
>>>>
>>>>
>>>>
>>>> -SG
>>>>
>>>> Sudhir Gandhe
>>>> Telos Corporation
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Mar 5, 2009 at 12:36 PM, Javier Godinez <[hidden email]>
>>>> wrote:
>>>>
>>>>
>>>>       Sudhir,
>>>>
>>>>       Thanks, but what if you wanted to make sure that a
>>>>       specific process is listening to a specific port, the only
>>thing
>>>> I
>>>>       could find is to specify the PID in port_state. Under the Linux
>>>>       schema, this is much easier since I can simply specify
>>>> program_name
>>>>       under inetlisteningservers_state. Is there something similar
>>>> under
>>>>       windows?
>>>>
>>>>       Thanks again,
>>>>       Javier Godinez
>>>>
>>>>
>>>>       On Thu, Mar 5, 2009 at 9:01 AM, Sudhir Gandhe
>>>> <[hidden email]> wrote:
>>>>       > Javier,
>>>>       >
>>>>       > If you are just testing to see TCP or UDP port 1720 is open
>>>> then you don't
>>>>       > need any state.
>>>>       >
>>>>       >  <tests>
>>>>       >   <port_test id="123" version="1" check="all" comment="TCP or
>>>> UDP port 1720
>>>>       > is open" check_existence="at_least_one_
>>>>       > exists" xmlns="...windows">
>>>>       >     <object object_ref="1337"/>
>>>>       >   </port_test>
>>>>       >  </tests>
>>>>       >
>>>>       >  <objects>
>>>>       >   <port_object id="1337" version="1" xmlns="...#windows">
>>>>       >     <local_address operation="pattern
>>match">.*</local_address>
>>>>       >     <local_port operation="equals">1720</local_port>
>>>>       >     <protocol operation="pattern match">.*</protocol>
>>>>       >   </port_object>
>>>>       >  </objects>
>>>>       >
>>>>       >
>>>>       > If you want to specify TCP then your object would look like -
>>>>       > <objects>
>>>>       >   <port_object id="1337" version="1" xmlns="...#windows">
>>>>       >     <local_address operation="pattern
>>match">.*</local_address>
>>>>       >     <local_port operation="equals">1720</local_port>
>>>>       >     <protocol>TCP</protocol>
>>>>       >   </port_object>
>>>>       >  </objects>
>>>>       >
>>>>       >
>>>>       > You will need a state in case you want to compare the
>>elements
>>>> of the object
>>>>       > to a defined state. Eg - in this case if you want to compare
>>>> the process id
>>>>       > (pid) to say "9999".
>>>>       >
>>>>       >
>>>>       >
>>>>       >
>>>>       > -SG
>>>>       >
>>>>       >
>>>>       > Sudhir Gandhe
>>>>       > Telos Corporation
>>>>       >
>>>>       >
>>>>       >
>>>>       >
>>>>       >
>>>>       >
>>>>       >
>>>>       > On Wed, Mar 4, 2009 at 11:01 AM, Javier Godinez
>>>> <[hidden email]> wrote:
>>>>       >>
>>>>       >> Can anyone help me, I have been unable to find an example of
>>>> the
>>>>       >> correct usage of port_*. I just want a simple test to see if
>>a
>>>> UDP or
>>>>       >> TCP port is open on a windows box. Does this (below) seem
>>>> correct? Is
>>>>       >> my local_port (under port_state) section correct? If I
>>wanted
>>>> to
>>>>       >> specify only TCP, where would I specify it?
>>>>       >>
>>>>       >>  <tests>
>>>>       >>   <port_test id="123" version="1" check="at least one"
>>>> comment="TCP
>>>>       >> or UDP port 1720 is open"
>>>> check_existence="at_least_one_exists"
>>>>       >> xmlns="...windows">
>>>>       >>     <object object_ref="1337"/>
>>>>       >>     <state state_ref="2172"/>
>>>>       >>   </port_test>
>>>>       >>  </tests>
>>>>       >>  <objects>
>>>>       >>   <port_object id="1337" version="1" xmlns="...#windows">
>>>>       >>     <protocol operation="pattern match">.*</protocol>
>>>>       >>     <local_address operation="pattern
>>>> match">.*</local_address>
>>>>       >>     <local_port operation="equals">1720</local_port>
>>>>       >>   </port_object>
>>>>       >>  </objects>
>>>>       >>  <states>
>>>>       >>   <port_state id="2172" version="1" xmlns="...windows">
>>>>       >>     <local_port operation="pattern match">.*</local_port>
>>>>       >>   </port_state>
>>>>       >>  </states>
>>>>       >>
>>>>       >>
>>>>       >> --
>>>>       >> # Javier
>>>>       >>
>>>>
>>>>
>>>>
>>>>
>>>>       --
>>>>
>>>>       # Javier
>>>>



--
# Javier
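
The reference chain this message wires up (port_test, port_state, var_ref, local_variable, object_component, process_object) can be checked offline before a definition is handed to an interpreter. The Python sketch below is an added example, not part of the original post and not ovaldi code; the function names and the `<oval_definitions>` wrapper are assumptions, and both inputs are constructed, abridged copies of the March 6 fragment (closing tags repaired) and the March 17 fragment from this thread.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    """Drop any '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def _check_state(state, objects, variables):
    """Each state entity needs a literal value or a var_ref that ends at a real object."""
    problems, sid = [], state.get("id")
    for entity in state:
        name, var_ref = _local(entity.tag), entity.get("var_ref")
        if var_ref is None:
            if not (entity.text or "").strip():
                problems.append(f"state {sid}: <{name}> has neither a value nor a var_ref")
        elif var_ref not in variables:
            problems.append(f"state {sid}: <{name}> var_ref '{var_ref}' does not resolve")
        else:
            for comp in variables[var_ref].iter():
                src = comp.get("object_ref")
                if _local(comp.tag) == "object_component" and src not in objects:
                    problems.append(f"variable {var_ref}: object_ref '{src}' does not resolve")
    return problems

def lint_oval_refs(xml_text):
    """Walk test -> object/state -> var_ref -> local_variable -> object_component -> object.
    Returns a list of problems; an empty list means every reference resolves."""
    root = ET.fromstring(xml_text)
    tables = {"object": {}, "state": {}, "variable": {}}
    tests, problems = [], []
    for el in root.iter():
        name = _local(el.tag)
        suffix = name.rsplit("_", 1)[-1]           # port_object -> "object" (name heuristic)
        if suffix == "test":
            tests.append(el)
        elif "_" in name and suffix in tables:
            if el.get("id"):
                tables[suffix][el.get("id")] = el
            else:
                problems.append(f"{name} has no id, so nothing can reference it")
    for test in tests:
        kind = _local(test.tag).rsplit("_", 1)[0]  # port_test -> "port"
        label = f"{kind}_test {test.get('id', '(no id)')}"
        for child in test:
            role = _local(child.tag)               # <object .../> or <state .../>
            if role not in ("object", "state"):
                continue
            ref = child.get(role + "_ref")
            target = tables[role].get(ref)
            if target is None:
                problems.append(f"{label}: {role}_ref '{ref}' does not resolve")
            elif _local(target.tag) != f"{kind}_{role}":
                problems.append(f"{label}: '{ref}' is a {_local(target.tag)}, not a {kind}_{role}")
            elif role == "state":
                problems += _check_state(target, tables["object"], tables["variable"])
    return problems

# Constructed input: the March 6 fragment, abridged, with its closing tags repaired.
MARCH_6 = """<oval_definitions>
<tests><port_test>
  <object object_ref="2"/>
  <state state_ref="3"/>
</port_test></tests>
<objects>
  <port_object id="2">
    <local_port operation="equals">123</local_port>
  </port_object>
  <process_object id="1">
    <command_line operation="equals">svchost.exe</command_line>
  </process_object>
</objects>
<states><port_state id="3">
  <pid><!-- how do I get the local variable pid--></pid>
</port_state></states>
<variables><local_variable>
  <object_component item_field="pid" object_ref="1"/>
</local_variable></variables>
</oval_definitions>"""

# Constructed input: the March 17 fragment, abridged.
MARCH_17 = """<oval_definitions>
<tests><port_test id="oval:com.test:tst:445" check="at least one">
  <object object_ref="oval:com.test:obj:445"/>
  <state state_ref="oval:com.test:ste:445"/>
</port_test></tests>
<objects>
  <port_object id="oval:com.test:obj:445">
    <local_port operation="equals">445</local_port>
  </port_object>
  <process_object id="oval:com.test:obj:10000">
    <command_line operation="equals">System</command_line>
  </process_object>
</objects>
<states><port_state id="oval:com.test:ste:445">
  <pid var_ref="oval:com.test:var:445" var_check="all"/>
</port_state></states>
<variables><local_variable id="oval:com.test:var:445">
  <object_component item_field="pid" object_ref="oval:com.test:obj:10000"/>
</local_variable></variables>
</oval_definitions>"""

if __name__ == "__main__":
    for name, doc in (("March 6", MARCH_6), ("March 17", MARCH_17)):
        print(name, lint_oval_refs(doc) or "all references resolve")
```

An empty result only means the references resolve; it says nothing about whether a given interpreter implements port_test or process_object.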


Re: port_*

Javier Godinez
I think I see what my problem is, port_object and process_object are
not currently supported under the reference parser.
But if anyone has any comments on my usage, they will be appreciated...

Thnx again,
jg

On Tue, Mar 17, 2009 at 3:56 PM, Javier Godinez <[hidden email]> wrote:

> Jon,
>
>
> It makes sense to me, but when I run it the results are "unknown".
> In my test below I am trying to make sure that the System process is
> running on port 445 (SMB).
> Does this test make sense? Does my usage of process_object seem correct? Anyone?
>
>
>  <tests>
>    <port_test id="oval:com.test:tst:445" version="1" check="at least one" comment="SMB is listening on TCP port 445" check_existence="at_least_one_exists">
>      <object object_ref="oval:com.test:obj:445"/>
>      <state state_ref="oval:com.test:ste:445"/>
>    </port_test>
>  </tests>
>
>  <objects>
>    <port_object id="oval:com.test:obj:445" version="1">
>      <local_address operation="pattern match">.*</local_address>
>      <local_port operation="equals">445</local_port>
>      <protocol operation="equals">TCP</protocol>
>    </port_object>
>    <process_object id="oval:com.test:obj:10000" version="1">
>      <command_line operation="equals" datatype="string">System</command_line>
>    </process_object>
>  </objects>
>
>  <states>
>    <port_state id="oval:com.test:ste:445" version="1">
>      <pid var_ref="oval:com.test:var:445" var_check="all"/>
>    </port_state>
>  </states>
>
>  <variables>
>        <local_variable id="oval:com.test:var:445" version="1"
> datatype="string" comment="The System process identifier">
>                <object_component item_field="pid" object_ref="oval:com.test:obj:10000"/>
>        </local_variable>
>  </variables>
>
>
> Thanks a lot!
> jg
>
>
>
>
> On Sat, Mar 14, 2009 at 4:34 PM, Baker, Jon <[hidden email]> wrote:
>> Javier,
>>
>> I think you are really close. It looks like you just need to add a variable reference to your state. Something like this:
>>
>>
>> <states>
>>  <port_state id="3">
>>    <pid var_ref="oval:example:var:1" var_check="all"/>
>>  </port_state>
>> </states>
>>
>> <variables>
>>  <local_variable id="oval:example:var:1">
>>    <object_component item_field="pid" object_ref="1"/>
>>  </local_variable>
>> </variables>
>>
>> Did that take care of it for you?
>>
>>
>> Jon
>>
>> ============================================
>> Jonathan O. Baker
>> G022 - IA Industry Collaboration
>> The MITRE Corporation
>> Email: [hidden email]
>>
>>
>>>-----Original Message-----
>>>From: Javier Godinez [mailto:[hidden email]]
>>>Sent: Friday, March 06, 2009 6:16 PM
>>>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>>>Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>>>
>>>Maybe I'm trying to do something that OVAL wasn't designed to do, but
>>>does anyone know how to grab a local_variable from a port_state? I
>>>need a way to fill in the PID in the code below. Here is what I have,
>>>any ideas? I think that as Matt suggested, it could be possible
>>>somehow to match a process to a port.
>>>
>>><tests>
>>>  <port_test>
>>>    <object object_ref="2"/>
>>>    <state state_ref="3"/>
>>>  </port_test>
>>></tests>
>>>
>>><objects>
>>>  <port_object id="2">
>>>    <protocol operation="equals">UDP</protocol>
>>>    <local_address operation="pattern match">.*</local_address>
>>>    <local_port operation="equals">123</local_port>
>>>  </port_object>
>>>  <process_object id="1" >
>>>    <command_line operation="equals" datatype="string">svchost.exe</command_line>
>>>  </process_object>
>>></objects>
>>>
>>><states>
>>>  <port_state id="3">
>>>    <pid><!-- how do I get the local variable pid--></pid>
>>>  </port_state>
>>></states>
>>>
>>><variables>
>>>  <local_variable>
>>>    <object_component item_field="pid" object_ref="1"/>
>>>  </local_variable>
>>></variables>
>>>
>>>Thanks,
>>>jg
>>>
>>>On Thu, Mar 5, 2009 at 10:18 AM, Wojcik, Matthew N. <[hidden email]>
>>>wrote:
>>>> I may be wrong (it's been a *long* time since I've actually written
>>>any real OVAL definitions), but couldn't you do this using local
>>>variables?  Use the Windows process_* to find the pid(s) of any running
>>>process(es) that match the process characteristics you're looking for,
>>>and then plug that pid into a local variable to be used in the
>>>port_state.
>>>>
>>>> --Woj                  Matthew N. Wojcik                 [hidden email]
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: Sudhir Gandhe [mailto:[hidden email]]
>>>>> Sent: Thursday, March 05, 2009 1:08 PM
>>>>> To: oval-developer-list OVAL Developer List/Closed Public Discussion
>>>>> Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>>>>>
>>>>> Javier,
>>>>>
>>>>>
>>>>> Looking at the Windows schema, this might not be possible. Schema
>>>needs
>>>>> to be expanded to incorporate the process name - OVAL 5.6 or 6.0.
>>>>>
>>>>> Comments?
>>>>>
>>>>>
>>>>>
>>>>> -SG
>>>>>
>>>>> Sudhir Gandhe
>>>>> Telos Corporation
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On Thu, Mar 5, 2009 at 12:36 PM, Javier Godinez <[hidden email]>
>>>>> wrote:
>>>>>
>>>>>
>>>>>       Sudhir,
>>>>>
>>>>>       Thanks, but what if you wanted to make sure that a
>>>>>       specific process is listening to a specific port, the only
>>>thing
>>>>> I
>>>>>       could find is to specify the PID in port_state. Under the Linux
>>>>>       schema, this is much easier since I can simply specify
>>>>> program_name
>>>>>       under inetlisteningservers_state. Is there something similar
>>>>> under
>>>>>       windows?
>>>>>
>>>>>       Thanks again,
>>>>>       Javier Godinez
>>>>>
>>>>>
>>>>>       On Thu, Mar 5, 2009 at 9:01 AM, Sudhir Gandhe
>>>>> <[hidden email]> wrote:
>>>>>       > Javier,
>>>>>       >
>>>>>       > If you are just testing to see TCP or UDP port 1720 is open
>>>>> then you don't
>>>>>       > need any state.
>>>>>       >
>>>>>       >  <tests>
>>>>>       >   <port_test id="123" version="1" check="all" comment="TCP or
>>>>> UDP port 1720
>>>>>       > is open" check_existence="at_least_one_
>>>>>       > exists" xmlns="...windows">
>>>>>       >     <object object_ref="1337"/>
>>>>>       >   </port_test>
>>>>>       >  </tests>
>>>>>       >
>>>>>       >  <objects>
>>>>>       >   <port_object id="1337" version="1" xmlns="...#windows">
>>>>>       >     <local_address operation="pattern
>>>match">.*</local_address>
>>>>>       >     <local_port operation="equals">1720</local_port>
>>>>>       >     <protocol operation="pattern match">.*</protocol>
>>>>>       >   </port_object>
>>>>>       >  </objects>
>>>>>       >
>>>>>       >
>>>>>       > If you want to specify TCP then your object would look like -
>>>>>       > <objects>
>>>>>       >   <port_object id="1337" version="1" xmlns="...#windows">
>>>>>       >     <local_address operation="pattern
>>>match">.*</local_address>
>>>>>       >     <local_port operation="equals">1720</local_port>
>>>>>       >     <protocol>TCP</protocol>
>>>>>       >   </port_object>
>>>>>       >  </objects>
>>>>>       >
>>>>>       >
>>>>>       > You will need a state in case you want to compare the
>>>elements
>>>>> of the object
>>>>>       > to a defined state. Eg - in this case if you want to compare
>>>>> the process id
>>>>>       > (pid) to say "9999".
>>>>>       >
>>>>>       >
>>>>>       >
>>>>>       >
>>>>>       > -SG
>>>>>       >
>>>>>       >
>>>>>       > Sudhir Gandhe
>>>>>       > Telos Corporation
>>>>>       >
>>>>>       >
>>>>>       >
>>>>>       >
>>>>>       >
>>>>>       >
>>>>>       >
>>>>>       > On Wed, Mar 4, 2009 at 11:01 AM, Javier Godinez
>>>>> <[hidden email]> wrote:
>>>>>       >>
>>>>>       >> Can anyone help me, I have been unable to find an example of
>>>>> the
>>>>>       >> correct usage of port_*. I just want a simple test to see if
>>>a
>>>>> UDP or
>>>>>       >> TCP port is open on a windows box. Does this (below) seem
>>>>> correct? Is
>>>>>       >> my local_port (under port_state) section correct? If I
>>>wanted
>>>>> to
>>>>>       >> specify only TCP, where would I specify it?
>>>>>       >>
>>>>>       >>  <tests>
>>>>>       >>   <port_test id="123" version="1" check="at least one"
>>>>> comment="TCP
>>>>>       >> or UDP port 1720 is open"
>>>>> check_existence="at_least_one_exists"
>>>>>       >> xmlns="...windows">
>>>>>       >>     <object object_ref="1337"/>
>>>>>       >>     <state state_ref="2172"/>
>>>>>       >>   </port_test>
>>>>>       >>  </tests>
>>>>>       >>  <objects>
>>>>>       >>   <port_object id="1337" version="1" xmlns="...#windows">
>>>>>       >>     <protocol operation="pattern match">.*</protocol>
>>>>>       >>     <local_address operation="pattern
>>>>> match">.*</local_address>
>>>>>       >>     <local_port operation="equals">1720</local_port>
>>>>>       >>   </port_object>
>>>>>       >>  </objects>
>>>>>       >>  <states>
>>>>>       >>   <port_state id="2172" version="1" xmlns="...windows">
>>>>>       >>     <local_port operation="pattern match">.*</local_port>
>>>>>       >>   </port_state>
>>>>>       >>  </states>
>>>>>       >>
>>>>>       >>
>>>>>       >> --
>>>>>       >> # Javier
>>>>>       >>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>       --
>>>>>
>>>>>       # Javier
>>>>>
>>
>
>
>
> --
> # Javier
>



--
# Javier


Re: port_*

Jon Baker
Administrator
Javier,

Sorry about that; I should have caught on earlier that you were running this through ovaldi. We have adding support for the port and process tests under Windows on the list to implement. They have just not made it to the top of the list yet. I will add a comment to the feature requests to implement these tests in SourceForge indicating that another user has requested them.

Sorry,

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


>-----Original Message-----
>From: Javier Godinez [mailto:[hidden email]]
>Sent: Tuesday, March 17, 2009 7:20 PM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>
>I think I see what my problem is, port_object and process_object are
>not currently supported under the reference parser.
>But if anyone has any comments on my usage, they will be appreciated...
>
>Thnx again,
>jg
>
>On Tue, Mar 17, 2009 at 3:56 PM, Javier Godinez <[hidden email]>
>wrote:
>> Jon,
>>
>>
>> It makes sense to me, but when I run it the results are "unknown".
>> In my test below I am trying to make sure that the System process is
>> running on port 445 (SMB).
>> Does this test make sense? Does my usage of process_object seem correct? Anyone?
>>
>>
>>  <tests>
>>    <port_test id="oval:com.test:tst:445" version="1" check="at least one" comment="SMB is listening on TCP port 445" check_existence="at_least_one_exists">
>>      <object object_ref="oval:com.test:obj:445"/>
>>      <state state_ref="oval:com.test:ste:445"/>
>>    </port_test>
>>  </tests>
>>
>>  <objects>
>>    <port_object id="oval:com.test:obj:445" version="1">
>>      <local_address operation="pattern match">.*</local_address>
>>      <local_port operation="equals">445</local_port>
>>      <protocol operation="equals">TCP</protocol>
>>    </port_object>
>>    <process_object id="oval:com.test:obj:10000" version="1">
>>      <command_line operation="equals" datatype="string">System</command_line>
>>    </process_object>
>>  </objects>
>>
>>  <states>
>>    <port_state id="oval:com.test:ste:445" version="1">
>>      <pid var_ref="oval:com.test:var:445" var_check="all"/>
>>    </port_state>
>>  </states>
>>
>>  <variables>
>>        <local_variable id="oval:com.test:var:445" version="1" datatype="string" comment="The System process identifier">
>>                <object_component item_field="pid" object_ref="oval:com.test:obj:10000"/>
>>        </local_variable>
>>  </variables>
>>
>>
>> Thanks a lot!
>> jg
>>
>>
>>
>>
>> On Sat, Mar 14, 2009 at 4:34 PM, Baker, Jon <[hidden email]> wrote:
>>> Javier,
>>>
>>> I think you are really close. It looks like you just need to add a variable reference to your state. Something like this:
>>>
>>>
>>> <states>
>>>  <port_state id="3">
>>>    <pid var_ref="oval:example:var:1" var_check="all"/>
>>>  </port_state>
>>> </states>
>>>
>>> <variables>
>>>  <local_variable id="oval:example:var:1">
>>>    <object_component item_field="pid" object_ref="1"/>
>>>  </local_variable>
>>> </variables>
>>>
>>> Did that take care of it for you?
>>>
>>>
>>> Jon
>>>
>>> ============================================
>>> Jonathan O. Baker
>>> G022 - IA Industry Collaboration
>>> The MITRE Corporation
>>> Email: [hidden email]
>>>
>>>
>>>>-----Original Message-----
>>>>From: Javier Godinez [mailto:[hidden email]]
>>>>Sent: Friday, March 06, 2009 6:16 PM
>>>>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>>>>Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>>>>
>>>>Maybe I'm trying to do something that OVAL wasn't designed to do, but
>>>>does anyone know how to grab a local_variable from a port_state? I
>>>>need a way to fill in the PID in the code below. Here is what I have,
>>>>any ideas? I think that as Matt suggested, it could be possible
>>>>somehow to match a process to a port.
>>>>
>>>><tests>
>>>>  <port_test>
>>>>    <object object_ref="2"/>
>>>>    <state state_ref="3"/>
>>>>  </port_test>
>>>></tests>
>>>>
>>>><objects>
>>>>  <port_object id="2">
>>>>    <protocol operation="equals">UDP</protocol>
>>>>    <local_address operation="pattern match">.*</local_address>
>>>>    <local_port operation="equals">123</local_port>
>>>>  </port_object>
>>>>  <process_object id="1">
>>>>    <command_line operation="equals" datatype="string">svchost.exe</command_line>
>>>>  </process_object>
>>>></objects>
>>>>
>>>><states>
>>>>  <port_state id="3">
>>>>    <pid><!-- how do I get the local variable pid--></pid>
>>>>  </port_state>
>>>></states>
>>>>
>>>><variables>
>>>>  <local_variable>
>>>>    <object_component item_field="pid" object_ref="1"/>
>>>>  </local_variable>
>>>></variables>
>>>>
>>>>Thanks,
>>>>jg
>>>>
>>>>On Thu, Mar 5, 2009 at 10:18 AM, Wojcik, Matthew N. <[hidden email]> wrote:
>>>>> I may be wrong (it's been a *long* time since I've actually written
>>>>> any real OVAL definitions), but couldn't you do this using local
>>>>> variables?  Use the Windows process_* to find the pid(s) of any running
>>>>> process(es) that match the process characteristics you're looking for,
>>>>> and then plug that pid into a local variable to be used in the
>>>>> port_state.
>>>>>
>>>>> --Woj                  Matthew N. Wojcik [hidden email]
>>>>>
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Sudhir Gandhe [mailto:[hidden email]]
>>>>>> Sent: Thursday, March 05, 2009 1:08 PM
>>>>>> To: oval-developer-list OVAL Developer List/Closed Public Discussion
>>>>>> Subject: Re: [OVAL-DEVELOPER-LIST] port_*
>>>>>>
>>>>>> Javier,
>>>>>>
>>>>>> Looking at the Windows schema, this might not be possible. Schema needs
>>>>>> to be expanded to incorporate the process name - OVAL 5.6 or 6.0.
>>>>>>
>>>>>> Comments?
>>>>>>
>>>>>> -SG
>>>>>>
>>>>>> Sudhir Gandhe
>>>>>> Telos Corporation
>>>>>>
>>>>>> On Thu, Mar 5, 2009 at 12:36 PM, Javier Godinez <[hidden email]> wrote:
>>>>>>
>>>>>>       Sudhir,
>>>>>>
>>>>>>       Thanks, but what if you wanted to make sure that a
>>>>>>       specific process is listening to a specific port, the only thing I
>>>>>>       could find is to specify the PID in port_state. Under the Linux
>>>>>>       schema, this is much easier since I can simply specify program_name
>>>>>>       under inetlisteningservers_state. Is there something similar under
>>>>>>       windows?
>>>>>>
>>>>>>       Thanks again,
>>>>>>       Javier Godinez

Re: port_*

Javier Godinez
Don't mention it Jon, no need to apologize, I appreciate your help.

Thanks,
jg

On Tue, Mar 17, 2009 at 5:15 PM, Baker, Jon <[hidden email]> wrote:

> Javier,
>
> Sorry about that; I should have caught on earlier that you were running this through ovaldi. We have adding support for the port and process tests under Windows on the list to implement. They have just not made it to the top of the list yet. I will add a comment to the feature requests to implement these tests in SourceForge indicating that another user has requested them.
>
> Sorry,
>
> Jon
>
> ============================================
> Jonathan O. Baker
> G022 - IA Industry Collaboration
> The MITRE Corporation
> Email: [hidden email]
>
>



--
# Javier
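
Added example (not part of any post in this thread, and not ovaldi code): a small linter that walks the reference chain discussed above, port_test to port_state `pid` to local_variable to object_component to process_object, and reports broken links plus objects the thread says the reference interpreter did not yet implement. The embedded fragment is the port 445 test from the thread with line wraps removed; the `<fragment>` root, the function names, the finding codes and the `UNSUPPORTED` set are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed input: the port 445 fragment from the thread with e-mail line wraps
# and comment attributes removed, under a hypothetical <fragment> root.
FRAGMENT = """<fragment>
<tests>
  <port_test id="oval:com.test:tst:445" version="1" check="at least one" check_existence="at_least_one_exists">
    <object object_ref="oval:com.test:obj:445"/>
    <state state_ref="oval:com.test:ste:445"/>
  </port_test>
</tests>
<objects>
  <port_object id="oval:com.test:obj:445" version="1">
    <local_address operation="pattern match">.*</local_address>
    <local_port operation="equals">445</local_port>
    <protocol operation="equals">TCP</protocol>
  </port_object>
  <process_object id="oval:com.test:obj:10000" version="1">
    <command_line operation="equals" datatype="string">System</command_line>
  </process_object>
</objects>
<states>
  <port_state id="oval:com.test:ste:445" version="1">
    <pid var_ref="oval:com.test:var:445" var_check="all"/>
  </port_state>
</states>
<variables>
  <local_variable id="oval:com.test:var:445" version="1" datatype="string">
    <object_component item_field="pid" object_ref="oval:com.test:obj:10000"/>
  </local_variable>
</variables>
</fragment>"""

# Constructed variant mirroring the earlier draft: empty <pid>, variable without id.
EARLY_DRAFT = (FRAGMENT
    .replace('<pid var_ref="oval:com.test:var:445" var_check="all"/>', "<pid/>")
    .replace('<local_variable id="oval:com.test:var:445" ', "<local_variable "))

# Assumption taken from the thread: the reference interpreter of that time did not
# implement these Windows objects, so tests that depend on them come back "unknown".
UNSUPPORTED = {"port_object", "process_object"}

def by_id(root, section):
    """Index the children of one section (objects, states, variables) by id."""
    return {el.get("id"): el for el in root.findall(section + "/*") if el.get("id")}

def lint(xml_text):
    """Return sorted (code, test_id, detail) findings for every test in the fragment."""
    root = ET.fromstring(xml_text)
    objects, states, variables = (by_id(root, s) for s in ("objects", "states", "variables"))
    findings = [("variable-without-id", "-", v.tag)
                for v in root.findall("variables/*") if not v.get("id")]
    for test in root.findall("tests/*"):
        tid = test.get("id", "?")
        # ids of every object the test result depends on, directly or via variables
        needed = [o.get("object_ref", "") for o in test.findall("object")]
        for sref in test.findall("state"):
            state = states.get(sref.get("state_ref"))
            if state is None:
                findings.append(("dangling-state_ref", tid, sref.get("state_ref", "")))
                continue
            for entity in state:
                var_ref = entity.get("var_ref")
                if var_ref is None:
                    if not (entity.text or "").strip():
                        findings.append(("entity-without-value", tid, entity.tag))
                    continue
                var = variables.get(var_ref)
                if var is None:
                    findings.append(("dangling-var_ref", tid, var_ref))
                    continue
                needed += [c.get("object_ref", "") for c in var.iter("object_component")]
        for oid in needed:
            obj = objects.get(oid)
            if obj is None:
                findings.append(("dangling-object_ref", tid, oid))
            elif obj.tag in UNSUPPORTED:
                findings.append(("unsupported-object", tid, obj.tag))
    return sorted(findings)

if __name__ == "__main__":
    for name, text in (("final", FRAGMENT), ("early draft", EARLY_DRAFT)):
        print(name, lint(text))
```

On the final fragment every reference resolves and the only findings are the two unsupported object types; on the early draft the process_object is never reached, because nothing links the state's `pid` to it.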


Re: Accounts: Guest account status issue

Jon Baker
Administrator
In reply to this post by Amanda Joseph
Amanda,

Can you send the xml file with the definition you are looking at and the id of the definition to test? We can do a bit of testing here to see if this is an issue with the interpreter or perhaps with the content itself. If it is a content issue you will likely want to report it to the NIST FDCC team.

Jon

============================================
Jonathan O. Baker
G022 - IA Industry Collaboration
The MITRE Corporation
Email: [hidden email]


>-----Original Message-----
>From: Amanda Joseph [mailto:[hidden email]]
>Sent: Tuesday, March 17, 2009 11:45 AM
>To: oval-developer-list OVAL Developer List/Closed Public Discussion
>Subject: [OVAL-DEVELOPER-LIST] Accounts: Guest account status issue
>
>I'm having issues getting the following check to return expected results on
>both vista and xp: 'Accounts: Guest account status'. I've tried running the
>latest ovaldi.exe (5.5.4) on three separate machines, including the WinXP
>virtual file, and no matter if the Guest account is disabled or not, a
>result of false is always returned. Is this check supposed to test whether
>the account is disabled or not, or have I missed something here?
>
>Regards,
>Amanda
>