======================================
    EARS v0.7 Beta for Linux x86
    Tishina Syndicate
    http://tishina.cjb.net
    <tishina@innocent.com>
    December 31, 1998.
======================================
        
        
USAGE of EARS engine
====================
   
   The EARS engine consists of a set of commands that may either be executed
   manually through the console (in any order) or invoked by the detection
   module(s), in which case the assessment of the local/remote environment and
   the corresponding actions are autonomous and do not require user
   interaction. Once the engine is started (/usr/local/sbin/ears), the
   following commands may be issued at any time, in any order, at the EARS>
   prompt:

   WARNING: File arguments require a full path!
	    Hostnames need not be canonical, but must include '.' somewhere!

   Also, note that -X11 is commented out in the Makefile for the sake of
   simplicity. It is also responsible for the X display snooping code, so if
   you want that functionality, figure it out. All the code is in place.
   
   "help"
   	Quick reference to the available commands.
   	(<command> ? displays details) 
   
   "stat <arg>"
   	Provide statistics on the following resources:
   	"proc"..........Process table.
   	"user"..........User environment. 127.0.0.1 not displayed.
   	"net"...........Connections/interfaces.  
   
   "trace <arg>"
   	Determine the source:
   	<IP>............Find route to <IP>. 
   	<host>.........."" 
   	<pid>...........Find parent process of <pid>. 
   	<user>..........Find source host of <user> from kernel connection queue. 
   
   "kill <arg>"
   	Kill:
   	<IP>............End connection with <IP>.
   	<host>..........""
   	<pid>...........Kill <pid> (SIGKILL).
   	<user>..........Log off <user>. Terminates lowest terminal assigned.
   
   "deny <arg>"
   	Deny access:
   	<IP>............Set firewall to block <IP>.
   	<host>..........""
   	<file>..........Lock <file> from execution. (/PATH) 
   	<interface>.....Shut down network <interface>.
   	<protocol>......Set firewall to block <protocol>. (UPPER CASE ONLY)
   
   "snoop <arg>"
   	Monitor resource:
   	<IP>............Invoke tcpdump on <IP>.
   	<host>..........""
   	<user>..........(N/A) Capture <user>'s keystrokes.
   	"X".............Capture keystrokes from X display.
   	<pid>...........(N/A) Monitor <pid>'s calls.
   
   "report <arg>"
   	Submit event log to:
   	"cert"..........CERT (Fill out CERT_FORM).
   	"trusted".......All trusted hosts.
   	<user@host>.....Specified <user@host>.
   
   "quit"
   	Exit EARS engine.
   
   "clear"
   	Reset console.
   
   "!"
   	Drop to shell.
    
   
-stas
last modified: 09JAN98
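
The WARNING rules above (full path for files, a '.' in hostnames, upper-case protocol names) are what keep a single argument string unambiguous across the <IP>, <host>, <pid>, <user>, <file>, <interface> and <protocol> forms. The pre-check below is an added example, not code from EARS: the function classify_arg, the enum names and the order of the tests are assumptions, and the engine's own parsing may differ.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Argument kinds from the command reference. ARG_NAME covers <user> and
   <interface>, which only the command being run can tell apart. */
enum arg_kind { ARG_INVALID, ARG_FILE, ARG_PID, ARG_IP, ARG_HOST,
                ARG_PROTOCOL, ARG_NAME };

/* True when every character of s passes the given <ctype.h> test. */
static int all_chars(const char *s, int (*test)(int))
{
    for (; *s; s++)
        if (!test((unsigned char)*s))
            return 0;
    return 1;
}

/* Hypothetical pre-check; the test order is assumed, not EARS source. */
enum arg_kind classify_arg(const char *arg)
{
    struct in_addr addr;
    if (arg == NULL || *arg == '\0' || strpbrk(arg, " \t\r\n") != NULL)
        return ARG_INVALID;
    if (arg[0] == '/')                        /* files need a full path */
        return ARG_FILE;
    if (strchr(arg, '/') != NULL)             /* relative path: reject */
        return ARG_INVALID;
    if (all_chars(arg, isdigit))              /* bare number: a pid */
        return ARG_PID;
    if (inet_pton(AF_INET, arg, &addr) == 1)  /* dotted-quad IPv4 */
        return ARG_IP;
    if (strchr(arg, '.') != NULL)             /* hostnames must contain '.' */
        return ARG_HOST;
    if (all_chars(arg, isupper))              /* protocols are UPPER CASE */
        return ARG_PROTOCOL;
    return ARG_NAME;                          /* user or interface */
}

int main(void)
{
    /* Constructed sample arguments, not taken from EARS output. */
    const char *samples[] = { "/usr/local/sbin/ears", "4711", "10.0.0.5",
                              "gw.example.net", "ICMP", "eth0", "localhost" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s -> %d\n", samples[i], classify_arg(samples[i]));
    return 0;
}
```

In this sketch, `localhost` (no '.') falls into the user/interface case and lower-case `icmp` is not treated as a protocol, which is the ambiguity the WARNING lines guard against.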
