TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
Dave -

As far as I know, the user defined events for "filename" are only for SMTP traffic. You'll see that the selections follow that idea, with the other choices being "Subject", "Body", and I think maybe (going from memory here..) the "From" and "To" fields. I have created dozens of filters for various email-spread viruses & trojans but have not been able to create filters that would stop a string within TCP traffic. Without the console at hand to verify I won't say you can't, but I don't believe you can make a filter for the filenames in the User Defined Events area for anything but SMTP.

I know the 7.0 Network Sensors - well worth the upgrade - have SNORT (called TRONS by ISS [snort spelled backwards]) embedded in the application. Using the TRONS function (enable in the advanced tab under Properties) you could easily create a signature there to stop the file transfers. You can download the SNORT manual for the instructions on how to program the signatures. It is fairly easy and there are "rule"-sets for many such filters. Only thing to keep in mind is that there is a bit of overhead to running TRONS and you will want to be sure your hardware is up to the task. If memory serves, the Knowledgebase has several comments on the subject.

Good luck.

Henry Schupp

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of David W Frye
Sent: Friday, September 06, 2002 1:57 PM
To: [EMAIL PROTECTED]
Subject: User Defined Events Not Working

Gang,

We recently added some user defined events to stop the download of Instant Messaging clients. I have kills defined in a User defined event for Install_AIM.exe, icq2002aaol.exe, etc. None of them are working. The sensors are 6.5. I'm now questioning all my other user defined events.

The event is on a Filename with the string being the file names like above. Anyone have any ideas why these are not working? I've looked at the policy file in notepad and everything looks in order. I have no filters set up for my IP address. I am at a loss. Ideas welcome!

Thanks!

Dave
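
The kind of signature described in the reply above, written in standard Snort rule syntax as an added example; it is not part of the original thread and not taken from ISS. It assumes that TRONS accepts standard Snort rule options, that $HOME_NET and $EXTERNAL_NET are defined on the sensor, and that the downloads are plain HTTP on port 80; the msg text and sid values are constructed.

```snort
# Added example: local rules for the two installer names mentioned in the thread.
# Assumptions: $HOME_NET / $EXTERNAL_NET are defined in the sensor configuration,
# downloads are cleartext HTTP to port 80, and the engine accepts these
# standard Snort options. The sid values are constructed, taken from the
# local-rule range (1000000 and above).

# Client request whose payload contains the AIM installer file name.
# flow: only match client-to-server data on an established TCP session.
# nocase: match the name regardless of letter case in the request.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY AIM installer download request"; flow:to_server,established; content:"Install_AIM.exe"; nocase; classtype:policy-violation; sid:1000001; rev:1;)

# Same check for the ICQ installer file name.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY ICQ installer download request"; flow:to_server,established; content:"icq2002aaol.exe"; nocase; classtype:policy-violation; sid:1000002; rev:1;)
```

These rules only alert; whether and how TRONS can attach a kill to a rule is not stated in the thread. A content match sees only the literal file name in a cleartext request, so a renamed installer or a download on another port will not trigger it.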
