Hi Dan,
If I have understood you correctly, I think that you can use the exception option.
Just click on the event and designate it as an exception.

I would suggest you read the SiteProtector Strategic guide for SiteProtector 2.0 
SP1 as well, which provides great detail on how to do it strategically.

Best Regards

Liran Chen
SE
ISS - NYC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 01, 2003 6:15 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] SP 2.0 Events


To all
 
I have noticed that, on many of the events that SiteProtector is displaying, 
there is extended information concerning server type and OS, whether a server 
has been accessed or not and other exciting fields.  An example of these fields 
can be seen in the HTTP_Windows Executable signature and include the following: 
Time, Tag Name, Status, Severity, Source IP, Target IP, Sensor DSN Name, Object 
Type, Object Name, Source Port, URL, arg, http-server, accessed, code, verdict, 
victim-ip-addr, victim-port, intruder-ip-addr, repeat-count, start-time, 
end-time, algorithm-id, RSKILL, intruder-port, evasions and victim-ip-addr-end. 
There are others with similar information and others with additional 
information.  

Is there any way to filter the events on some of the parameters like 
verdict=attack_failed or accessed=no?  If SiteProtector already knows that the 
attack was not successful, as indicated by the "accessed" and "verdict" fields, 
can I set up a filter to ignore these events?  If an attack is not successful, 
I don't need to see them.
 
Thanks

Dan Wangler, GCIA, IT Security Administrator
IT Security Response Team, Texas Instruments, Inc.
Spring Creek Bldg 1, C196
6500 Chase Oaks Blvd, MS 8417, Plano, Texas, 75023
Tel #: 214-567-8304; Email: [EMAIL PROTECTED]
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo
