Does anyone know newer Audit.rul

Post by Homer W » Thu, 09 Apr 1998 04:00:00



Hi, There
Does anyone know where I can get a newer version of audit.rul for
auditing? My current audit.rul file is last modified at 9/25/976? It can
not recognize software such as Office97.
Thanks for help.

Homer Wu
System Engineer
DAOU Systems Inc.

 
 
 

Post by Joseph Minun » Sun, 12 Apr 1998 04:00:00


Also check out http://www.i405.com/sms/

Joseph Minuni


    There's a newer one at the MS-FTP Site. It's modified on March '98.

        Hi, There
        Does anyone know where I can get a newer version of audit.rul for
        auditing? My current audit.rul file is last modified at 9/25/976? It can
        not recognize software such as Office97.
        Thanks for help.
        Homer Wu
        System Engineer
        DAOU Systems Inc.

     FTP Directory: ftp://ftp.microsoft.com/bussys/winnt/sms-public/  

 
 
 

Post by Cuong Tra » Wed, 15 Apr 1998 04:00:00


Here are a couple of sites where you can get the new Audit.Rul file.

The FTP location to the new AUDIT.RUL file:
ftp://ftp.microsoft.com/bussys/winnt/sms-public/msaudit.zip
Alternative to Microsoft's FTP:
http://ftp.sunet.se/pub/vendor/microsoft/bussys/winnt/sms-public/


>Hi, There
>Does anyone know where I can get a newer version of audit.rul for
>auditing? My current audit.rul file is last modified at 9/25/976? It can
>not recognize software such as Office97.
>Thanks for help.

>Homer Wu
>System Engineer
>DAOU Systems Inc.

 
 
 

1. Anyone know how to scan for names if you only know the IP address?

If you know or suspect the workgroup/domain the target is using, you can
*sometimes* do the lookup based on that. I.e.

 smbclient -L WORKGROUP -I 111.222.111.222

Otherwise, if the target is Samba or some (?) NT 4 servers, you can use
the normal version of nmblookup.

 nmblookup -B 111.222.111.222 -S \*

This will return the available NetBIOS names (both node name and
workgroups/domains of which the node is a member).

But most MS implementations are brokenly hard-coded to reply to UDP port
139, regardless of the source port chosen dynamically by nmblookup. To get
the status/names on these machines, you will need:

1) A hacked nmblookup that is hard-coded to listen on port 139. See the
   end of Hobbit's CIFS white paper <URL:http://www.avian.org/> for the
   patch. Actually, you only need to change one line.

*** nmblookup.c Thu Jan 30 20:52:47 1997
--- attack/nmblookup.c  Tue Jan 21 01:39:16 1997
***************
*** 54,56 ****
--- 54,60 ----

+ #ifdef ATTACK
+   ServerFD = open_socket_in(SOCK_DGRAM, 137,3);
+ #else
    ServerFD = open_socket_in(SOCK_DGRAM, 0,3);
+ #endif /* ATTACK */
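
Review bot: the added branch calls open_socket_in(SOCK_DGRAM, 137,3), but the steps around this patch talk about listening on port 139, so the code and its description disagree on the port. NetBIOS name service traffic is UDP 137; whichever value is intended should be a named constant with a comment saying why a fixed source port is needed, not a bare literal. The compile-time ATTACK switch also produces a second binary that must run as root: a runtime option that binds the port and then drops privileges before any reply is parsed would keep the privileged window small, and ServerFD should be checked after the call if the code below the hunk does not already do so, since the bind fails for non-root callers.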

2) You'll need to run nmblookup as root or setuid root in order to listen
   on 139. Sorry, there is no way around this. UNIX reserves ports < 1024.

3) Because you need port 139 open, you can't run nmbd.

The source code and docs for nmblookup suggest that there might be a way
to play games with proxy wins, but querying the node seems easiest.

-rich
 spoken with all the authority of someone who just figured this out last week
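
What the reply behind `nmblookup -S` contains, as an added example that is not part of the original post: a parser for the RFC 1002 node status response, run over a constructed reply, showing what a host answering on the NetBIOS name service discloses to anyone who can reach it. The function names, host names, flags and sample bytes are made up for illustration.

```python
import struct

NBSTAT = 0x0021   # RR_TYPE of a node status reply (RFC 1002, section 4.2.18)
GROUP = 0x8000    # G bit in NAME_FLAGS: group name (workgroup/domain)

def parse_node_status(pkt):
    """Return [(name, suffix, is_group), ...] from a NODE STATUS RESPONSE."""
    try:
        _tid, flags, _qd, ancount = struct.unpack_from(">4H", pkt, 0)
        if not flags & 0x8000 or ancount < 1:
            raise ValueError("not a response carrying an answer")
        off = 12
        while pkt[off]:                      # skip RR_NAME label by label
            if pkt[off] & 0xC0:
                raise ValueError("compressed names are not handled here")
            off += 1 + pkt[off]
        off += 1
        rtype, _cls, _ttl, rdlen = struct.unpack_from(">HHIH", pkt, off)
        off += 10
        if rtype != NBSTAT:
            raise ValueError("answer is not NBSTAT")
        count = pkt[off]
        # Never trust NUM_NAMES: it must fit in RDATA, and RDATA in the packet.
        if off + rdlen > len(pkt) or 1 + 18 * count > rdlen:
            raise ValueError("truncated or inconsistent reply")
        names = []
        for i in range(count):
            raw, suffix, nflags = struct.unpack_from(">15sBH", pkt, off + 1 + 18 * i)
            names.append((raw.decode("ascii", "replace").rstrip(), suffix,
                          bool(nflags & GROUP)))
        return names
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated reply") from exc

def build_sample():
    """Constructed reply for illustration; names and flags are made up."""
    entries = [(b"FILESRV1", 0x00, 0x0400), (b"WORKGROUP", 0x00, 0x8400),
               (b"FILESRV1", 0x20, 0x0400)]
    rdata = bytes([len(entries)])
    for name, suffix, nflags in entries:
        rdata += struct.pack(">15sBH", name.ljust(15), suffix, nflags)
    rdata += bytes(46)                       # statistics block, zeroed
    rr_name = b"\x20CK" + b"AA" * 15 + b"\x00"   # encoded "*" wildcard name
    return (struct.pack(">6H", 0x1234, 0x8400, 0, 1, 0, 0) + rr_name +
            struct.pack(">HHIH", NBSTAT, 1, 0, len(rdata)) + rdata)

if __name__ == "__main__":
    for name, suffix, is_group in parse_node_status(build_sample()):
        print(f"{name:<15} <{suffix:02x}> {'GROUP' if is_group else 'UNIQUE'}")
```

Every unique and group name the node has registered comes back in a single unauthenticated reply, which is why this service is normally filtered at the network boundary.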
