TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
In order to make this modification, it would require a change to the
existing database schema.
Maybe, instead of suggesting @String1, @String2, why not use the fields
TagName and TagValue from the database?
If you create a custom event for POP1, POP2, POP3, you can then insert the
words you want it to parse for.
/cheers
/m
>
>I'd like to request a feature for RS 5.0 Network Sensors.
>
>In the User-Defined policy section, we have the ability to check for
>email subject, sender, content, etc. However, the information provided
>by the sensor is insufficient. It already is analyzing the entire
>header and body of the message - it would be a piece of cake to provide
>an interface where a custom alert could be sent, much in the same way
>your custom event-log rules can be created in OS Sensors.
>
>I'll give you an example. We set up a custom event for a 5.0 Network
>Sensor which looks for
>
>"---- BEGIN PGP SIGNED MESSAGE ----"
>
>in the body of an email. When an alert is generated (via email), there
>is no way to tell who sent the message - just that it was from ip xx.xx
>and to ip xx.xx.
>
>On the OS Sensor custom eventlog rules, you can specify
>@String1
>@String2
>to pull some info out of the event log when you are doing custom event
>log searches. @String1 may be user SID, @String2 their username, etc.
>
>For the Network Sensors, strings could be set up like
>@String1=sender
>@String2=recipient
>@String3=subject
>
>etc..
>
>Mike