To all,

I have noticed that, on many of the events that SiteProtector is displaying, there is extended information concerning server type and OS, whether a server has been accessed or not, and other exciting fields. An example of these fields can be seen in the HTTP_Windows Executable signature and includes the following: Time, Tag Name, Status, Severity, Source IP, Target IP, Sensor DSN Name, Object Type, Object Name, Source Port, URL, arg, http-server, accessed, code, verdict, victim-ip-addr, victim-port, intruder-ip-addr, repeat-count, start-time, end-time, algorithm-id, RSKILL, intruder-port, evasions and victim-ip-addr-end. There are others with similar information and others with additional information.
Is there any way to filter the events on some of the parameters, like verdict=attack_failed or accessed=no? If SiteProtector already knows that the attack was not successful, as indicated by the "accessed" and "verdict" fields, can I set up a filter to ignore these events? If an attack is not successful, I don't need to see it.

Thanks

Dan Wangler, GCIA, IT Security Administrator
IT Security Response Team, Texas Instruments, Inc.
Spring Creek Bldg 1, C196
6500 Chase Oaks Blvd, MS 8417, Plano, Texas, 75023
Tel #: 214-567-8304; Email: [EMAIL PROTECTED]
