TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Jim,

I'm sure that your customers are glad to hear this functionality is coming.
Are there any plans to increase the level of logging?  One of my biggest
complaints with RealSecure (other than no custom signatures) is that an
analyst cannot look at the raw data in a packet.  This is critical for
forensics and post-mortem evaluation of incidents.


-Kyle



-----Original Message-----
From: Lindley, Jim (ISSAtlanta) [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 10:46 PM
To: 'Service ISSecurity'; [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Real Secure Intrusion Detection




Well, you can create SOME of your own decodes if you play by the RealSecure
rules.  

For the Network Sensor, you may define perl regular expressions for
searching a pre-defined set of packet data contexts (e.g., "DNS Queries"
context defines a search of those packets which would contain something like
"www.iss.net", while URL Data context would search for something like
"/index.htm", or the part of a URL that starts after the DNS part.  You may
also search email contexts, user name, password, etc.) Essentially, you can
use perl regex to search most of the useful packet data load contexts.

For the OS Sensor, you may define similar perl regex searches of ANY WinNT
event log and ANY local or redirected syslog or ANY logfile that can be
placed on a machine running an OS Sensor (i.e., you may redirect Cisco
router logs, PIX logs, Internet Scanner output, etc.)

In addition, stay tuned for RS 5.5, which will permit (so the rumor goes)
the creation of TCL scripts permitting users to create custom decodes and
create correlations between events.  So there are a lot of really
interesting things available in RS 5.0 and a LOT of interesting things
coming in RS 5.5 (Currently in public beta).

James R Lindley
Anomaly Detection Xpert
X-Force Surveillance and Reconnaissance Group
Special Operations Group
Managed Security Services
Internet Security Systems Inc
Vox:  678-443-6323
Fax:  678-443-6482
An unquenchable thirst for Pierian Waters.

Internet Security Systems - The Power To Protect.
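The message above describes the two RealSecure customisation points: Perl-style regular expressions bound to a specific packet data context on the Network Sensor (DNS Queries, URL Data, and so on), and the same kind of searches over NT event logs and syslog on the OS Sensor. The following is an added illustration of that context-scoped matching model, written for this list post; it is not ISS code and does not reflect RealSecure's actual rule syntax. The contexts, rule names, and all sample records are constructed, and the log line formats are simplified placeholders rather than real Cisco or NT output.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    context: str        # only records tagged with this context are searched
    pattern: re.Pattern


@dataclass(frozen=True)
class Hit:
    rule: str
    context: str
    payload: str
    matched: str        # the substring the regex actually matched, for analyst review


def compile_rules(specs: List[Tuple[str, str, str]]) -> List[Rule]:
    """Compile (name, context, regex) triples; a malformed regex is rejected
    up front rather than silently never firing on the sensor."""
    rules = []
    for name, context, source in specs:
        try:
            rules.append(Rule(name, context, re.compile(source, re.IGNORECASE)))
        except re.error as exc:
            raise ValueError(f"rule {name!r}: bad regex {source!r}: {exc}") from exc
    return rules


def scan(rules: List[Rule], records: List[Tuple[str, str]]) -> List[Hit]:
    """Apply each rule only to records from its own context, mirroring the
    'DNS Queries' vs 'URL Data' scoping described in the post."""
    hits = []
    for context, payload in records:
        for rule in rules:
            if rule.context != context:
                continue
            m = rule.pattern.search(payload)
            if m:
                hits.append(Hit(rule.name, context, payload, m.group(0)))
    return hits


# Hypothetical rule set (names and contexts are assumptions, not product values).
RULE_SPECS = [
    ("dns-iss-lookup", "DNS Queries", r"(^|\.)iss\.net$"),
    ("url-traversal", "URL Data", r"(\.\./){2,}"),
    ("fw-telnet-deny", "syslog", r"Deny tcp .* dst inside:\S+/23\b"),
    ("nt-failed-logon", "WinNT Event Log", r"Event ID:\s*529\b"),
]

# Constructed sample records as (context, extracted payload). The syslog and
# NT lines are simplified stand-ins, not genuine device output.
SAMPLE_RECORDS = [
    ("DNS Queries", "www.iss.net"),
    ("DNS Queries", "www.example.com"),
    ("URL Data", "/index.htm"),
    ("URL Data", "/images/../../../../private/config"),
    ("syslog", "Sep  8 22:46:01 fw1 fw: Deny tcp src outside:10.0.0.5/4321 dst inside:192.168.1.10/23"),
    ("syslog", "Sep  8 22:46:02 fw1 fw: Deny tcp src outside:10.0.0.5/4322 dst inside:192.168.1.10/80"),
    ("WinNT Event Log", "Security Log; Event ID: 529; Logon Failure: Unknown user name or bad password"),
    ("URL Data", "www.iss.net"),   # same text, wrong context: the DNS rule must not fire
]


def run_demo() -> List[Hit]:
    return scan(compile_rules(RULE_SPECS), SAMPLE_RECORDS)


if __name__ == "__main__":
    for h in run_demo():
        print(f"{h.rule:16} [{h.context}] matched {h.matched!r} in {h.payload!r}")
```

The last sample record is the point of the exercise: a hostname appearing in URL data does not trigger a rule written for the DNS Queries context, which is what keeps regex-based decodes from flooding an analyst with cross-context noise. Keeping the matched substring in each hit is the closest a regex-only approach can get to the raw-packet visibility Kyle asks for below.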


-----Original Message-----
From: Service ISSecurity [mailto:[EMAIL PROTECTED]]
Sent: Thursday, September 07, 2000 3:33 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Real Secure Intrusion Detection




Good Morning,

It depends what the colleague is referring to:

Yes, you can customize your own policies, using existing decodes and you can
create "socket and ICMP" watchers using Connection Events, but you cannot
create your own traffic decodes.

If you want to do this, you are probably better off with another product
that has this capability: ISS market their product (as does a certain
product from Network Ice ;-) with the idea that "you trust them to protect
your network", which is essentially why we now have Express Update
Capability in the new release. We went down this track, I don't have the time
to maintain decodes. Although, I must admit frustration on not being able to
see how a decode works unless I send an email to ISS technical
support... which also takes time.

Having mentioned that about other products, even Swiss Army Pocket Knife
tools like NFR have custom written decodes (Anzen Flight Jacket) and Snort
(- from whitehats.com), because unless you are an expert...writing decodes
is just plain hard!!!!

Stephen Cooper




Stephen J. Cooper
Senior Systems Analyst
Bank for International Settlements
Phone: +41 61 2806792
Fax: +41 61 2809100

This user's PGP Public Keys can be
obtained from certserver.pgp.com




DISCLAIMER: Any e-mail messages from the Bank for International Settlements
are sent in good faith, but shall not be binding nor construed as
constituting any obligation on the part of the Bank.

CONFIDENTIALITY NOTICE: This e-mail contains confidential information, which
is intended only for the use of the recipient(s) named above. If you have
received this communication in error, please notify the sender immediately
via e-mail and return the entire message. Thank you for your assistance.


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]

