Zsolt,

The session log file is available for FlexChecks, but what is shown here appears to be limited to what the sensor portion of Internet Scanner is standardly coded to provide in the logs. Those lines you refer to are for the most part dictated by the FlexCheck engine in the sensor, reporting that to the Controller in a fashion such as this:

2005-07-05 13:44:28.281 Start FlexCheck engine scanning target='x.x.x.x'
# 2005-07-05 13:44:28.296 FlexCheck 'ICQ Server Check' run on x.x.x.x
x.x.x.x: Vulnerable to the 'ICQ Server Check' FlexCheck
FlexCheck Engine executed 1 FlexChecks on x.x.x.x in 47 milliseconds, status 0x0

If that is what you are looking for, the FlexCheck engine can accomplish this based on the found vuln condition. I do not see anything that plainly states in the logs the not vuln condition, and based on the logs, it seems the lack of the vulnerable statement suggests the not vuln condition. Example:

2005-07-05 15:09:34.671 Start FlexCheck engine scanning target='x.x.x.x'
# 2005-07-05 15:09:34.687 FlexCheck 'ICQ Check Fail' run on x.x.x.x
The 'ICQ Check Fail' FlexCheck failed on host x.x.x.x
# 2005-07-05 15:09:34.687 FlexCheck 'ICQ Check Positive' run on x.x.x.x.
x.x.x.x: Vulnerable to the 'ICQ Check Positive' FlexCheck
# 2005-07-05 15:09:34.703 FlexCheck 'ICQ Check Negative' run on x.x.x.x
The 'ICQ Check Negative' FlexCheck finished on host x.x.x.x with code 0x0
FlexCheck Engine executed 3 FlexChecks on x.x.x.x in 15 milliseconds, status 0x0

*******************

Turning tracing all the way up to 1000 in the Sensor Properties for the FlexCheck engine will get you the maximum from the FlexCheck log file (located in the scanner_1\flexcheck directory) for the scans the custom checks are run against. This will provide a lot of internal data on how Internet Scanner is running the custom check, but it likely will not provide what I *believe* you are looking for, which is an "all in one" method to tell, as your check was run, what was vulnerable and more importantly what was found not to be vulnerable.

Based on "CustomTest.exe" usage, it appears that the sensor is capable of reporting multiple states in the logs, but the custom check will have to be written in such a way to make use of this capability. It also appears that, as is the case with other checks, the not vuln condition is implied by the lack of the vuln condition. I do not believe that the output detail you are looking for, as is the case with a lot of internally shipped ISS checks, will become evident in the session logs outside of what is populated in the "Info" section in the check creation window.

"Sztano, Zsolt (GE Consumer Finance)" <[EMAIL PROTECTED]> wrote:

Hi,

I am wondering if logging to the Internet Scanner's session logfile (by default under directory: c:\program files\iss\isssensors\scanner_1\logs\) is available from a custom flexcheck. I found that only the result and scanning time are being put to the logfile, but while it can only parse 3 states of result (vulnerable, not vulnerable, error), it is quite a small set of information provided after the scanning.

If you have any solutions, workarounds or ideas for detailed logging of the flexcheck, please do not hesitate to share with me.
Since I am scanning quite a number of assets (~4000, ~20000 IPs) weekly, I would like to put the scanning logs neither to separate files by IP (separate files for each scanning thread) nor to the Windows registry.

Thanks,
Zsolt

_______________________________________________
ISSForum mailing list
[email protected]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
