
Kraken Windows Sentry

Windows Sentry is a SIEM (Security Information and Event Management) agent for Windows operating systems. It provides performance loggers and a remote command handler.

Author

Control Features

WindowsCommandHandler implements SentryCommandHandler and provides Windows system information.

process-list

getProcesses() returns process information.

data structure (encoded by kraken codec):

  • object list
    • key-value map
      • pid (int): process id
      • name (string): process name
      • cpu_usage (int): cpu usage of the process
      • working_set (long): memory usage of the process

arp-cache

getArpCache() returns the entries in the ARP cache.

data structure

  • object list
    • key-value map
      • adapter (string): adapter name
      • type (string): static, dynamic, etc
      • mac (string): mac address in 00:00:00:00:00:00 format
      • ip (string): ip address

routing-table

getRoutingTable() returns routing entries.

data structure

  • object list
    • key-value map
      • type (string): Direct, Indirect, Invalid, or Other
      • protocol (string): Local, NetMgmt, ICMP, EGP, GGP, Hello, RIP, IS_IS, ES_IS, IGRP, BBN, OSPF, BGP, Autostatic, Static, StaticNonDOD, or Other
      • destination (string): destination ip address
      • mask (string): mask ip address
      • forward (string): ip address of forwarding network interface
      • metric (int): weight value

netstat

getNetStat() returns network connections.

data structure

  • object list
    • key-value map
      • tcp: object list
        • key-value map
          • local_ip (string): local ip address
          • local_port (int): local port
          • remote_ip (string): remote ip address
          • remote_port (int): remote port
          • state (string): Closed, Listen, SynSent, SynReceived, Established, FinWait1, FinWait2, CloseWait, Closing, LastACK, TimeWait, DeleteTCB or Unknown
          • pid (int): process id
      • tcp6: object list
        • key-value map
          • local_ip (string): local ip address
          • local_port (int): local port
          • remote_ip (string): remote ip address
          • remote_port (int): remote port
          • state (string): Closed, Listen, SynSent, SynReceived, Established, FinWait1, FinWait2, CloseWait, Closing, LastACK, TimeWait, DeleteTCB or Unknown
          • pid (int): process id
      • udp: object list
        • key-value map
          • local_ip (string): local ip address
          • local_port (int): local port
          • state (string): always LISTEN (hard-coded)
          • pid (int): process id
      • udp6: object list
        • key-value map
          • local_ip (string): local ip address
          • local_port (int): local port
          • state (string): always LISTEN (hard-coded)
          • pid (int): process id
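An added example (not code from Kraken Windows Sentry) that joins a decoded netstat result with a decoded process-list result to report which process owns each listening socket. It assumes the kraken-codec output has already been decoded into plain Python lists and dicts with the field names documented above; the sample records are constructed.

```python
# Added example, not part of Kraken Windows Sentry. Assumes the process-list
# and netstat results have been decoded from the kraken codec into plain
# Python lists/dicts with the documented keys.

# Constructed sample: one process-list result and one netstat result.
PROCESSES = [
    {"pid": 4, "name": "System", "cpu_usage": 0, "working_set": 8192},
    {"pid": 1234, "name": "httpd.exe", "cpu_usage": 2, "working_set": 20480000},
    {"pid": 2048, "name": "dns.exe", "cpu_usage": 0, "working_set": 4096000},
]

NETSTAT = {
    "tcp": [
        {"local_ip": "0.0.0.0", "local_port": 80, "remote_ip": "0.0.0.0",
         "remote_port": 0, "state": "Listen", "pid": 1234},
        {"local_ip": "10.0.0.5", "local_port": 49152, "remote_ip": "10.0.0.9",
         "remote_port": 443, "state": "Established", "pid": 1234},
    ],
    "tcp6": [
        {"local_ip": "::", "local_port": 445, "remote_ip": "::",
         "remote_port": 0, "state": "Listen", "pid": 4},
        # Socket whose owner is absent from the process list (e.g. the process
        # exited between the two snapshots); it is reported as <unknown>.
        {"local_ip": "::", "local_port": 8080, "remote_ip": "::",
         "remote_port": 0, "state": "Listen", "pid": 9999},
    ],
    "udp": [
        {"local_ip": "0.0.0.0", "local_port": 53, "state": "LISTEN", "pid": 2048},
    ],
    "udp6": [],
}


def listening_sockets(netstat, processes):
    """Return (proto, local_ip, local_port, pid, name) for every listener.

    TCP entries are listeners when state is "Listen"; UDP entries always carry
    the hard-coded "LISTEN" state, so every UDP entry counts as a listener.
    """
    names = {p["pid"]: p["name"] for p in processes}
    rows = []
    for proto in ("tcp", "tcp6", "udp", "udp6"):
        for conn in netstat.get(proto, []):
            if conn["state"].lower() != "listen":
                continue
            rows.append((proto, conn["local_ip"], conn["local_port"],
                         conn["pid"], names.get(conn["pid"], "<unknown>")))
    return sorted(rows, key=lambda r: (r[2], r[0]))
```

Sockets reported as <unknown> are worth a second look: the two snapshots are not taken atomically, so a pid can vanish between them, but an owner that is never seen in any process list deserves investigation.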

Loggers

CPU Usage

system logtype

field name   type    description
logtype      string  system
idle         int     idle percent
kernel       int     kernel mode usage percent
user         int     user mode usage percent
msg          string  cpu usage: USAGE%

Memory Usage

system logtype

field name   type    description
logtype      string  system
pfree        long    physical free memory (KB)
ptotal       long    physical total memory (KB)
vfree        long    virtual free memory (KB)
vtotal       long    virtual total memory (KB)
msg          string  memory usage: physical PFREE/PTOTAL, virtual VFREE/VTOTAL

Network Usage

device logtype: network usage log per adapter

field name             type    description
logtype                string  device
scope                  string  device
interval               long    interval in milliseconds
index                  int     adapter index
type                   int     6 only (ethernetCsmacd)
description            string  adapter description
mtu                    int     max transfer unit
mac                    string  mac address (00:00:00:00:00:00 format)
bandwidth              long    link bandwidth (bps unit)
rx_bytes_delta         long    rx octets delta from last measure
tx_bytes_delta         long    tx octets delta from last measure
rx_ucast_pkts_delta    long    rx unicast octets delta from last measure
tx_ucast_pkts_delta    long    tx unicast octets delta from last measure
rx_nucast_pkts_delta   long    rx non-unicast octets delta from last measure
tx_nucast_pkts_delta   long    tx non-unicast octets delta from last measure
rx_errors_delta        long    rx error count delta from last measure
tx_errors_delta        long    tx error count delta from last measure
rx_discards_delta      long    rx drop count delta from last measure (packet loss)
tx_discards_delta      long    tx drop count delta from last measure (packet loss)
msg                    string  network usage: NAME (MAC), RX[RXUSAGE%, RXBPS, RXFPS], TX[TXUSAGE%, TXBPS, TXFPS]

total logtype: network usage log for the device with the highest rx or tx utilization

field name   type    description
logtype      string  total
scope        string  total
max_usage    int     max network usage (percent)
description  string  adapter description
mac          string  mac address
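An added example (not code from Kraken Windows Sentry) that recomputes the per-adapter figures the device msg field reports and derives the total record from a set of device records. The page does not state how the agent computes RXUSAGE%, RXBPS and RXFPS, so the formulas in the comments are assumptions (bits per second from the octet delta and the interval, utilization as a percentage of bandwidth, frames per second from the unicast plus non-unicast packet deltas); the sample records are constructed.

```python
# Added example, not code from Kraken Windows Sentry. The agent's own formulas
# are not documented, so these are assumptions:
#   bps   = bytes_delta * 8 / interval_seconds
#   usage = bps * 100 / bandwidth
#   fps   = (ucast_pkts_delta + nucast_pkts_delta) / interval_seconds

# Constructed sample: two "device" records from one 1000 ms interval.
DEVICE_LOGS = [
    {"logtype": "device", "scope": "device", "interval": 1000, "index": 1, "type": 6,
     "description": "Intel(R) PRO/1000", "mtu": 1500, "mac": "00:11:22:33:44:55",
     "bandwidth": 1_000_000_000, "rx_bytes_delta": 12_500_000, "tx_bytes_delta": 2_500_000,
     "rx_ucast_pkts_delta": 9000, "tx_ucast_pkts_delta": 2000,
     "rx_nucast_pkts_delta": 1000, "tx_nucast_pkts_delta": 0,
     "rx_errors_delta": 0, "tx_errors_delta": 0, "rx_discards_delta": 0, "tx_discards_delta": 0},
    {"logtype": "device", "scope": "device", "interval": 1000, "index": 2, "type": 6,
     "description": "Realtek PCIe GBE", "mtu": 1500, "mac": "66:77:88:99:aa:bb",
     "bandwidth": 100_000_000, "rx_bytes_delta": 500_000, "tx_bytes_delta": 3_750_000,
     "rx_ucast_pkts_delta": 400, "tx_ucast_pkts_delta": 3000,
     "rx_nucast_pkts_delta": 0, "tx_nucast_pkts_delta": 0,
     "rx_errors_delta": 0, "tx_errors_delta": 0, "rx_discards_delta": 2, "tx_discards_delta": 0},
]

def direction_stats(log, d):
    """Return (usage_percent, bps, fps) for direction d, either "rx" or "tx"."""
    seconds = log["interval"] / 1000
    bps = log[f"{d}_bytes_delta"] * 8 / seconds
    fps = (log[f"{d}_ucast_pkts_delta"] + log[f"{d}_nucast_pkts_delta"]) / seconds
    usage = bps * 100 / log["bandwidth"] if log["bandwidth"] else 0.0  # unknown link speed
    return usage, bps, fps

def device_msg(log):
    """Rebuild the documented msg line: NAME (MAC), RX[USAGE%, BPS, FPS], TX[...]."""
    rx, tx = direction_stats(log, "rx"), direction_stats(log, "tx")
    return ("network usage: {} ({}), RX[{:.0f}%, {:.0f}, {:.0f}], TX[{:.0f}%, {:.0f}, {:.0f}]"
            .format(log["description"], log["mac"], *rx, *tx))

def max_usage(log):
    """Higher of the rx and tx utilization percentages for one adapter."""
    return max(direction_stats(log, "rx")[0], direction_stats(log, "tx")[0])

def total_log(device_logs):
    """Build the "total" record for the adapter with the highest rx or tx usage."""
    best = max(device_logs, key=max_usage)
    return {"logtype": "total", "scope": "total", "max_usage": round(max_usage(best)),
            "description": best["description"], "mac": best["mac"]}
```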

Windows Event

WindowsEventLogger requires an event_source configuration value (e.g. System, Application). It saves the last record number as last_id and, on the next run, returns only the event logs with a record number after that one.

field name      type    description
record_number   int     event record number
event_id        int     event id
event_type      string  event type
generated       string  generated time (yyyy-MM-dd HH:mm:ssZ format)
written         string  written time (yyyy-MM-dd HH:mm:ssZ format)
provider_name   string  event provider name (e.g. Microsoft)
event_category  string  event category
user            string  user name (e.g. SYSTEM)

NT Service Mode

  • Uses the Apache commons-daemon project.
  • will be documented soon

NSIS Installer

  • will be documented soon

See also

History

  • 1.0.0 release (2010-12-09)