Dan,

You can use (buy) the Fusion Engine that correlates information from different
attacks and from your vulnerability analysis (using Internet Scanner and
System Scanner). With all this information it can say for instance that the
attack failed because the OS is wrong or that the server that was attacked
started to attack other servers.

It's really interesting what it can do, you should try.

.(edu

Eduardo Sanches
TSC Brasil
[EMAIL PROTECTED]
55 11 8133-2937

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 1, 2003 19:15
To: [EMAIL PROTECTED]
Subject: [ISSForum] SP 2.0 Events


To all

I have noticed that, on many of the events that SiteProtector is displaying,
there is extended information concerning server type and OS, whether a server
has been accessed or not and other exciting fields.  An example of these
fields can be seen in the HTTP_Windows Executable signature and include the
following:
Time, Tag Name, Status, Severity, Source IP, Target IP, Sensor DSN Name,
Object Type, Object Name, Source Port, URL, arg, http-server, accessed, code,
verdict, victim-ip-addr, victim-port, intruder-ip-addr, repeat-count,
start-time, end-time, algorithm-id, RSKILL, intruder-port, evasions and
victim-ip-addr-end.
There are others with similar information and others with additional
information.

Is there any way to filter the events on some of the parameters like
verdict=attack_failed or accessed=no?  If SiteProtector already knows that
the attack was not successful, as indicated by the "accessed" and "verdict"
fields, can I set up a filter to ignore these events?  If an attack is not
successful, I don't need to see them.

Thanks

Dan Wangler, GCIA, IT Security Administrator
IT Security Response Team, Texas Instruments, Inc.
Spring Creek Bldg 1, C196
6500 Chase Oaks Blvd, MS 8417, Plano, Texas, 75023
Tel #: 214-567-8304; Email: [EMAIL PROTECTED]
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
