TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Kyle,

Currently you can view the data from the database that stores the event, if 
the event information (parameters) is captured.  Currently ISS Real Secure 
5.0 does not have this feature available, as other Network IDS products 
include this feature in order to better analyze some of the events that may 
be occurring.

/mark

At 08:41 AM 9/11/00 -0600, Haugsness, Kyle wrote:
>Jim,
>
>I'm sure that your customers are glad to hear this functionality is coming.
>Are there any plans to increase the level of logging?  One of my biggest
>complaints with RealSecure (other than no custom signatures) is that an
>analyst cannot look at the raw data in a packet.  This is critical for
>forensics and post-mortem evaluation of incidents.
>
>
>-Kyle
>
>
>
>-----Original Message-----
>From: Lindley, Jim (ISSAtlanta) [mailto:[EMAIL PROTECTED]]
>Sent: Friday, September 08, 2000 10:46 PM
>To: 'Service ISSecurity'; [EMAIL PROTECTED]; [EMAIL PROTECTED];
>[EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: RE: Real Secure Intrusion Detection
>
>
>Well, you can create SOME of your own decodes if you play by the RealSecure
>rules.
>
>For the Network Sensor, you may define perl regular expressions for
>searching a pre-defined set of packet data contexts (e.g., "DNS Queries"
>context defines a search of those packets which would contain something like
>"www.iss.net", while URL Data context would search for something like
>"/index.htm", or the part of a URL that starts after the DNS part.  You may
>also search email contexts, user name, password, etc.) Essentially, you can
>use perl regex to search most of the useful packet data load contexts.
>
>For the OS Sensor, you may define similar perl regex searches of ANY WinNT
>event log and ANY local or redirected syslog or ANY logfile that can be
>placed on a machine running an OS Sensor (i.e., you may redirect Cisco
>router logs, PIX logs, Internet Scanner output, etc.)
>
>In addition, stay tuned for RS 5.5, which will permit (so the rumor goes)
>the creation of TCL scripts permitting users to create custom decodes and
>create correlations between events.  So there are a lot of really
>interesting things available in RS 5.0 and a LOT of interesting things
>coming in RS 5.5 (Currently in public beta).
>
>James R Lindley
>Anomaly Detection Xpert
>X-Force Surveillance and Reconnaissance Group
>Special Operations Group
>Managed Security Services
>Internet Security Systems Inc
>Vox:  678-443-6323
>Fax:  678-443-6482
>An unquenchable thirst for Pierian Waters.
>
>Internet Security Systems - The Power To Protect.
>
>
>-----Original Message-----
>From: Service ISSecurity [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, September 07, 2000 3:33 AM
>To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
>[EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: RE: Real Secure Intrusion Detection
>
>
>Good Morning,
>
>It depends what the colleague is referring to:
>
>Yes, you can customize your own policies, using existing decodes and you can
>create "socket and ICMP" watchers using Connection Events, but you cannot
>create your own traffic decodes.
>
>If you want to do this, you are probably better off with another product
>that has this capability: ISS market their product (as does a certain
>product from Network Ice ;-) with the idea that "you trust them to protect
>your network", which is essentially why we now have Express Update
>Capability in the new release. We went down this track; I don't have the time
>to maintain decodes. Although, I must admit frustration on not being able to
>see how a decode works unless I send an email to ISS technical
>support....which also takes time.
>
>Having mentioned that about other products, even Swiss Army Pocket Knife
>tools like NFR have custom written decodes (Anzen Flight Jacket) and Snort
>(from whitehats.com), because unless you are an expert...writing decodes
>is just plain hard!!!!
>
>Stephen Cooper
>
>
>
>
>Stephen J. Cooper
>Senior Systems Analyst
>Bank for International Settlements
>Phone: +41 61 2806792
>Fax: +41 61 2809100
>
>This user's PGP Public Keys can be
>obtained from certserver.pgp.com
>
>
>
>
>DISCLAIMER: Any e-mail messages from the Bank for International Settlements
>are sent in good faith, but shall not be binding nor construed as
>constituting any obligation on the part of the Bank.
>
>CONFIDENTIALITY NOTICE: This e-mail contains confidential information, which
>is intended only for the use of the recipient(s) named above. If you have
>received this communication in error, please notify the sender immediately
>via e-mail and return the entire message. Thank you for your assistance.

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
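The mechanism Jim describes above (an analyst-supplied Perl-style regex applied to a pre-decoded packet "context" such as the DNS query name or the URL path, or to a syslog line on the OS Sensor) is easy to misread as raw-packet matching. The following is an added illustration, not RealSecure code and not taken from this thread: it decodes two constructed packets and one constructed syslog line into named contexts and runs per-context regexes over the decoded string only. The context names, signature names, the sample packets and the log line are all assumptions for the example; Python's `re` stands in for the Perl regex engine the product used.

```python
import re
import struct
from typing import Callable, Dict, List, Tuple

# Added example (not RealSecure's implementation). The sensor decodes a
# payload into a named context, and the user's regex sees only that decoded
# string, never the raw bytes. That is why a match can be reported without
# the raw packet being available afterwards, which is Kyle's complaint.


def build_dns_query(name: str) -> bytes:
    """Construct a minimal DNS query (RFC 1035 header + one question) for testing."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags(RD), qdcount=1
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def decode_dns_query_name(payload: bytes) -> str:
    """'DNS Queries' context: the question name from a raw DNS message."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    labels: List[str] = []
    pos = 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compressed label in question")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def decode_url_data(payload: bytes) -> str:
    """'URL Data' context: the request-target with any scheme://host prefix removed."""
    first_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = first_line.split(" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    target = parts[1]
    # Absolute-form targets (http://host/path) carry the host; strip it so the
    # regex sees the same string as for origin-form targets (/path).
    m = re.match(r"^[a-zA-Z][a-zA-Z0-9+.-]*://[^/]*(/.*)?$", target)
    if m:
        return m.group(1) or "/"
    return target


CONTEXT_DECODERS: Dict[str, Callable[[bytes], str]] = {
    "DNS Queries": decode_dns_query_name,
    "URL Data": decode_url_data,
    "Syslog": lambda b: b.decode("utf-8", "replace").rstrip("\n"),
}

# Hypothetical analyst-defined signatures: (name, regex) per context.
SIGNATURES: Dict[str, List[Tuple[str, str]]] = {
    "DNS Queries": [("iss-lookup", r"(^|\.)iss\.net$")],
    "URL Data": [("index-page", r"^/index\.htm$"), ("dotdot-traversal", r"\.\./")],
    "Syslog": [("login-failure", r"(?i)login failed")],
}


def match_contexts(signatures: Dict[str, List[Tuple[str, str]]],
                   event: Tuple[str, bytes]) -> List[str]:
    """Decode the event into its context and return the names of matching signatures."""
    context, payload = event
    decoded = CONTEXT_DECODERS[context](payload)
    return [name for name, pattern in signatures.get(context, []) if re.search(pattern, decoded)]


def run_demo() -> List[Tuple[str, List[str]]]:
    """Run the constructed sample events through the signatures."""
    events: List[Tuple[str, bytes]] = [
        ("DNS Queries", build_dns_query("www.iss.net")),
        ("URL Data", b"GET /index.htm HTTP/1.0\r\nHost: www.iss.net\r\n\r\n"),
        ("URL Data", b"GET http://www.iss.net/cgi-bin/../../etc/passwd HTTP/1.0\r\n\r\n"),
        # Constructed router log line redirected to the OS Sensor host.
        ("Syslog", b"Sep 11 08:41:00 router1 Login failed [user: admin] [Source: 10.0.0.5]\n"),
    ]
    return [(ctx, match_contexts(SIGNATURES, (ctx, p))) for ctx, p in events]


if __name__ == "__main__":
    for ctx, hits in run_demo():
        print(f"{ctx:12s} -> {hits}")
```

The design consequence the thread is arguing about is visible in `match_contexts`: once the decoder returns the context string, the original bytes are out of scope, so unless the sensor separately stores the packet, the analyst later sees only the context and the signature name, not the raw data.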