
I'd like to request a feature for RS 5.0 Network Sensors.

In the User-Defined policy section, we have the ability to check for
email subject, sender, content, etc.  However, the information provided
by the sensor is insufficient.  It already is analyzing the entire
header and body of the message - it would be a piece of cake to provide
an interface where a custom alert could be sent, much in the same way
your custom event-log rules can be created in OS Sensors.

I'll give you an example.  We set up a custom event for a 5.0 Network
Sensor which looks for

"---- BEGIN PGP SIGNED MESSAGE ----"

In the body of an email.  When an alert is generated (via email), there
is no way to tell who sent the message - just that it was from ip xx.xx
and to ip xx.xx.

On the OS Sensor custom eventlog rules, you can specify
@String1
@String2
to pull some info out of the event log when you are doing custom event
log searches. @String1 may be user SID, @String2 their username, etc.

For the Network Sensors, strings could be set up like
@String1=sender
@String2=recipient
@String3=subject

etc.

Mike
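
The request above, sketched as an added example (not part of the original post and not RealSecure code): a body match on the PGP marker whose alert is filled from the message headers.  The template text, function names and sample messages are assumptions made up for this illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Accepts the marker as quoted in the post and the five-dash armor line.
PGP_MARKER = re.compile(r"-{4,5} ?BEGIN PGP SIGNED MESSAGE ?-{4,5}")
# Hypothetical alert text using the @StringN placeholders proposed above.
ALERT_TEMPLATE = "PGP signed mail: from=@String1 to=@String2 subject=@String3"

def clean(value):
    """Collapse control characters so header data cannot break the alert line."""
    return re.sub(r"[\x00-\x1f\x7f]+", " ", value).strip()

def body_text(msg):
    """Decode and join every text/* part of the message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            try:
                chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
            except LookupError:  # unknown charset label in the message
                chunks.append(raw.decode("utf-8", "replace"))
    return "\n".join(chunks)

def alert_strings(msg):
    """Map the proposed placeholders to header values (headers are sender-supplied)."""
    def addrs(*names):
        values = [v for n in names for v in msg.get_all(n, [])]
        return ", ".join(clean(a) for _, a in getaddresses(values) if a)
    return {"@String1": addrs("From"), "@String2": addrs("To", "Cc"),
            "@String3": clean(msg.get("Subject", ""))}

def check_message(raw_message):
    """Return the filled-in alert for a matching message, or None."""
    msg = message_from_string(raw_message)
    if not PGP_MARKER.search(body_text(msg)):
        return None
    strings = alert_strings(msg)
    # Single pass: placeholder-like text inside a header value is not re-expanded.
    return re.sub(r"@String\d+", lambda m: strings.get(m.group(0), m.group(0)), ALERT_TEMPLATE)

# Constructed sample messages (not captured traffic).
SIGNED = ("From: Alice Example <alice@example.com>\nTo: bob@example.org\n"
          "Cc: carol@example.org\nSubject: Q3 numbers @String1\n\n"
          "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\nconstructed body\n")
PLAIN = "From: dave@example.com\nTo: bob@example.org\nSubject: lunch\n\nnoon?\n"

if __name__ == "__main__":
    print(check_message(SIGNED))
    print(check_message(PLAIN))
```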





