Thanks! Calvin
From: "Quinn, Michael (Contractor)" <[EMAIL PROTECTED]>
To: "'Cloonan, John (ISS Cincinnati)'" <[EMAIL PROTECTED]>, "O'Flynn, Derek" <[EMAIL PROTECTED]>, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
CC: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, "Shields, Christine (Contractor)" <[EMAIL PROTECTED]>
Subject: RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
Date: Wed, 28 Jan 2004 14:50:40 -0500
Calvin,
We will soon be implementing Tivoli on our servers with Server Sensor and will have the same issue.
John, I looked at your 79 page white paper on creating custom RealSecure
events and responses but didn't find any help. Amy's response to call the
Tivoli developers and ask them to rewrite their code seemed like an
unacceptable response. I know that you can create the "exclusionary"
filters with the Network Sensor but can't find a way to create similar with
the Server Sensor. Our customers will also be required to look at all
logons with admin privileges. Doing the math, based on Calvin's discovery,
the number of events per 24 hours is 288 per day per server. On a Workgroup
Manager only watching 100 servers, that is 28800 unnecessary events
reporting to the console and the database. We will literally have over 1000
servers with Tivoli and Server Sensor.
Is there a way that ISS can tweak their software to be able to create exclusionary filtering for specific traffic from specific IPs rather than an all-or-none scenario?
Charles, I have included you as I do not have Jo Jordan's email address. Please forward to her. Thanks.
-Mike
-----Original Message-----
From: Cloonan, John (ISS Cincinnati) [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 26, 2004 9:06 AM
To: O'Flynn, Derek; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
If you do not mind having Server Sensor simply ignore the event you can do so using the Trusted_User_List or local exceptions.
Refer to the Server Sensor documentation or to the following whitepaper for complete instructions: http://www.issadvisor.com/viewtopic.php?t=204&highlight=customizing
thanks, John
*******************************************************
John Cloonan
Product Manager
Internet Security Systems
*******************************************************
_____
From: [EMAIL PROTECTED] On Behalf Of O'Flynn, Derek
Sent: Friday, January 23, 2004 1:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
Call ISS and ascertain if you can rewrite the event to exclude logins occurring from the Tivoli server IP. Or see if they can rewrite the event to exclude the Tivoli Username.
Derek
-----Original Message-----
From: Calvin Tait [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 22, 2004 8:31 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Tivoli introduced into RS environment...overflowing console and db
Hello, I've been running Real Secure Server Sensors on all our servers for a few years. Yesterday, a separate tool, Tivoli, was turned up in the environment. Tivoli requires a W2K server administrator account to run. The Tivoli agent logs in 6 times locally every 2 minutes to kick off programs. Each login triggers two alerts:
1. User login with admin privileges
2. User logon with special admin privileges
These two alerts pop up for every sensor * 6 * # of servers in each farm.
It fills 4 gigs of database space every hour and floods the console to the
point it's useless.
I can't disable the alerts because we are required to have them and store
them for a period of time for due diligence. I work for a large financial
institution and every admin login must be recorded and saved. Has anyone
ever used Tivoli in an environment that co-existed with Tivoli? I can't
find a single discussion on the net or in both product knowledge bases. I
do not use Tivoli with the Real Secure Plug-in. They operate
independently of each other. Any help would be greatly appreciated!!!! I'm
at wit's end. I can't delete the excess rows in the db as fast as they are coming in.
Thanks!!! R
_______________________________________________
ISSForum mailing list [EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
