Monday, March 5, 2007

Service and Process Information For IR

Over at Harlan Carvey's blog he talks about getting the service information during an incident response. Well, let's take it a step further by collecting this information before the incident and storing it in a database. By doing this we can then compare the data when an incident does happen, or, if we're lucky and have added monitoring to the processes, we may catch it as it happens.

What I have put together is a program that reads the database to get a list of servers that you want to collect process and service information for. I have also included web pages that you can use to view the data and to update the known process and service information. If you run the batch program regularly you can see if any unknown processes have been added to the servers. If you want to take it a step further, you could check the database after the batch run and send a message if any unknown services/processes are found (this assumes that you have gone through every service/process on each server, which, if you have a large server farm, may take a while).
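To make the baseline-and-compare idea concrete, here is an added example (my own, not the blog's batch_update program): a known-items table an analyst fills in, an observed-items table the batch run refreshes, and a query that returns everything observed on a server that has not been approved. It uses an in-memory SQLite database and a constructed snapshot rather than querying live Windows hosts, and the table and column names are assumptions of this example.

```python
# Added example: per-server baseline of known services/processes and detection of
# unknown ones. Not the blog's own code; uses in-memory SQLite and a constructed
# snapshot instead of live hosts. Table/column names are this example's assumptions.
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS known (server TEXT, kind TEXT, name TEXT,
    PRIMARY KEY (server, kind, name));
CREATE TABLE IF NOT EXISTS observed (server TEXT, kind TEXT, name TEXT, seen_at TEXT,
    PRIMARY KEY (server, kind, name));
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def mark_known(conn, server, kind, name):
    """Approve a service/process name after an analyst has reviewed it."""
    conn.execute("INSERT OR IGNORE INTO known VALUES (?, ?, ?)", (server, kind, name.lower()))
    conn.commit()

def record_snapshot(conn, server, snapshot):
    """Replace the stored view of one server with what the batch run just saw.
    snapshot is an iterable of (kind, name); repeated process names collapse to one row."""
    now = datetime.now(timezone.utc).isoformat()
    conn.execute("DELETE FROM observed WHERE server = ?", (server,))
    conn.executemany("INSERT OR IGNORE INTO observed VALUES (?, ?, ?, ?)",
                     [(server, kind, name.lower(), now) for kind, name in snapshot])
    conn.commit()

def unknown_items(conn, server):
    """Observed (kind, name) pairs on a server that have no row in the known table."""
    rows = conn.execute(
        "SELECT o.kind, o.name FROM observed o "
        "LEFT JOIN known k ON k.server = o.server AND k.kind = o.kind AND k.name = o.name "
        "WHERE o.server = ? AND k.name IS NULL ORDER BY o.kind, o.name", (server,))
    return [tuple(r) for r in rows]

if __name__ == "__main__":
    # Constructed run: approve three items, then a snapshot shows one extra process.
    db = open_db()
    for kind, name in [("service", "wuauserv"), ("service", "eventlog"),
                       ("process", "svchost.exe")]:
        mark_known(db, "fileserver01", kind, name)
    record_snapshot(db, "fileserver01", [("service", "wuauserv"), ("service", "eventlog"),
                    ("process", "svchost.exe"), ("process", "svchost.exe"), ("process", "unreviewed.exe")])
    for kind, name in unknown_items(db, "fileserver01"):
        print(f"UNKNOWN {kind} on fileserver01: {name}")  # flags unreviewed.exe
```

Name matching is case-insensitive on purpose, since the same process is reported with different casing by different tools; a real deployment would also want the image path, not just the name, in the key.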

The zip file for these programs is here. There are 3 directories:

SQL - Has the create statements for the database
batch_update - Program that reads the servers from the database and updates the current processes/services in the database. I did not write this program, just extended one that I had found. The original author was Thomas Berger.
web_pages - The web pages for data entry and showing what service/process is running on what servers.

As you get it and check it out, I am sure you will find a few mistakes, and possible extensions to the programs as well. If you extend it further, then shoot me an email and let me know what you did; it is always interesting to see how ideas can grow.
