Thread: [RESOLVED] Is it possible for a discovery rule to launch a runner ?

  1. #1
    Junior Member
    Join Date
    May 2012
    Posts
    2

    [RESOLVED] Is it possible for a discovery rule to launch a runner ?

    Hello

    The final purpose is to use discovery rules quite like an expert system: some facts happen and fire rules which create facts which ... ;o)

    Below is an example of the possible process:

    - run nmap_discovery_runner.py to get the list of existing hosts
    - then, discovery rules parse the result in the following way (for instance):
    if os=aix then launch a runner to explore target filesystems
    So, these rules detect AIX systems and get the filesystem list for each target
    - then, some other discovery rule parses the file system list to create file system monitoring services.

    This way, we don't need to launch several runners manually.

    So, the questions are:
    - is it possible to launch a runner from a discovery rule (I didn't find any way to do it)
    - have you thought about side effects it could have?

    Thank you for any help

  2. #2
    Shinken project leader
    Join Date
    May 2011
    Location
    Bordeaux (France)
    Posts
    2,131

    Re: Is it possible for a discovery rule to launch a runner ?

    I think you will love the new discovery features in 1.2

    It's what you described in fact ;D

    You've got 2 types of runners:
    * level 1 runners,
    * other levels

    Here is an example, from the sample configuration (it's a stupid example, but it shows how it works):

    Level 1: classic, you nmap, it says "hey, it's a linux!"
    Code:
    define discoveryrun {
        discoveryrun_name    nmap
        discoveryrun_command   nmap_discovery
    }
    
    define discoveryrule {
        discoveryrule_name    Linux
        creation_type      host
        os            linux
        +use           linux
    }
    Here is the current stable 1.0.1 way. Now the new layers, in the current git version, so for 1.2.

    Level 2: For each Linux, we will try to detect the distribution (fake_ are just echo commands in fact, for the tests):
    Code:
    define discoveryrun {
        discoveryrun_name    FakeForLinux
        discoveryrun_command   fake_linux_discovery
        osvendor         linux
    }
    
    
    define discoveryrule {
        discoveryrule_name    Gentoo
        discoveryrule_order   -1
        creation_type      host
        distrib         gentoo
        +use           gentoo-linux
    }
    Here we've got our hosts with use gentoo-linux,linux. Now we want more

    Layer 3: And now again another level, we want to know the gentoo version
    Code:
    # Now the layer 3!
    define discoveryrun {
        discoveryrun_name    FakeForLinuxGentoo
        discoveryrun_command   fake_linux_gentoo_discovery
        distrib         gentoo
    }
    
    define discoveryrule {
        discoveryrule_name    GentooOld
        creation_type      host
        distribversion      gentooOLD
        +use           gentooOLD-linux
    }

    Like you see, it's really a stupid example, but it shows that you can have as many "discovery layers" as you want.

    There is another example, more useful, in etc/packs/os/windows/discovery.cfg. It shows how to scan all shares of a Windows host and put the value in _shares (it will scan only the Windows hosts).

    How does it work?
    In fact you can define "filters" in runners, like the "osvendor linux" for the runner "FakeForLinux". Without a filter, it's a layer 1 (nmap, vmware, etc). Layer 1 is for large scans, layer 2+ is for host specific things.

    Then for each host it tries to apply all rules, and remembers which ones apply. Then it tries to see if it can launch new runners. If there is one or more, it launches them. And applies new rules, etc etc, until all rules/runners are launched or there is no valid runner/rule to apply (so there is always an end).

    It's already ok in the sources, you can give it a try

    You can look at the discovery_windows_share command of the windows sample pack and apply it for AIX (snmpwalk I think?) ;D

    If it's ok, we will be able to add it to the aix sample pack if you want
    No direct support by personal message. Please open a thread so everyone can see the solution
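    The layered rules/runners loop described in the post above, as an added illustration that is not Shinken's own code: runners carry filters, rules carry match criteria, and each runner and rule fires at most once per host, which is why the loop always ends. The scan results, runner commands and the Windows rule are constructed for the example; the runner and rule names mirror the sample configuration quoted above.

```python
# Added illustration (not Shinken's code) of the layered discovery loop:
# alternate "apply matching rules" and "launch matching runners" until
# nothing new happens. Each runner/rule fires once per host, so it terminates.

# Constructed scan results standing in for what nmap / fake_* commands return.
SCAN = {
    "srv1": {"os": "linux", "osvendor": "linux"},
    "pc2":  {"os": "windows", "osvendor": "microsoft"},
}

# Runners: name -> (filter, command). An empty filter means a level-1 runner.
RUNNERS = {
    "nmap":               ({},                     lambda f: SCAN[f["host_name"]]),
    "FakeForLinux":       ({"osvendor": "linux"},  lambda f: {"distrib": "gentoo"}),
    "FakeForLinuxGentoo": ({"distrib": "gentoo"},  lambda f: {"distribversion": "gentooOLD"}),
}

# Rules: (name, match criteria, template added to 'use'). "Windows" is constructed.
RULES = [
    ("Linux",     {"os": "linux"},                 "linux"),
    ("Windows",   {"os": "windows"},               "windows"),
    ("Gentoo",    {"distrib": "gentoo"},           "gentoo-linux"),
    ("GentooOld", {"distribversion": "gentooOLD"}, "gentooOLD-linux"),
]


def matches(criteria, facts):
    """A filter/rule matches when every key it names has the given value."""
    return all(facts.get(k) == v for k, v in criteria.items())


def discover(host_name, runners=RUNNERS, rules=RULES):
    """Run the fixed-point loop for one host; return (facts, runners launched in order)."""
    facts = {"host_name": host_name, "use": []}
    applied, launched = set(), []
    while True:
        progress = False
        for name, crit, tpl in rules:             # apply every matching rule once
            if name not in applied and matches(crit, facts):
                applied.add(name)
                facts["use"].insert(0, tpl)       # most specific template first
                progress = True
        for name, (flt, cmd) in runners.items():  # then launch newly valid runners
            if name not in launched and matches(flt, facts):
                launched.append(name)
                facts.update(cmd(facts))          # new facts may enable more rules
                progress = True
        if not progress:                          # nothing left to apply: the end
            return facts, launched
```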

  3. #3
    Junior Member
    Join Date
    May 2012
    Posts
    2

    Re: Is it possible for a discovery rule to launch a runner ?

    Thanks a lot

  4. #4
    Shinken project leader
    Join Date
    May 2011
    Location
    Bordeaux (France)
    Posts
    2,131

    Re: Is it possible for a discovery rule to launch a runner ?

    You're welcome
