Rob,

First off, make sure you are at the latest version of SiteProtector (2.0 SP4). I'm not sure if the console LogWithRaw decoding was available prior to SP4.

For evidence logging: The ev*.enc files that are stored in the ./Logs directory on the sensor are in Microsoft Network Monitor format. This means that you can view them with either MS Net Mon or any other packet analyzer that will parse .enc files (Ethereal, etc.)

For Log With Raw: The advantage of LogWithRaw is that the first packet that triggered the signature is stored with the event inside the database. This is nice because it will always be available when running reports, viewing sensor analysis, etc. That being said, any signatures with LogWithRaw enabled will take up more space within the database (for obvious reasons.)

To view the packet details from the LogWithRaw capture, right-click on one of the events within the Console and select Event Details. In the Event Attribute Value Pairs pane, click on an attribute titled 'FirstPacket.enc' (it will have a little document icon next to it.) Now the contents of this packet will appear in the right-hand pane. Also, you can right-click on the icon and save the .enc file to disk. Once you've done this, all of the same rules apply as the Evidence Log capture file.

-Matt

On Thu, 15 Jul 2004 09:19:20 -0400, Rob Baxter <[EMAIL PROTECTED]> wrote:
>
> I am currently working with an evaluation license of SiteProtector 2.0
> and Network Sensor 7.0 in our lab as an evaluation for possible
> purchase. I have read in several places that RS is capable of logging
> the raw packet data for generated alerts. I have updated the
> policy/response for several signatures to do both LogWithRaw and
> LogEvidence, however I don't see any raw packet data available either in
> the SiteProtector console or in the RealSecureDB database itself. Where
> should I be looking for this information? With LogEvidence enabled I do
> see the evXXX.enc files being generated, but is there any way of viewing
> them aside from a text editor? I have looked in the ISS documentation
> and KB but have yet to find anything which addresses these issues.
> TIA if
> someone can point me in the right direction.
>
> </rob>
> _______________________________________________
> ISSForum mailing list
> [EMAIL PROTECTED]
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo/issforum
>
> To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
>
> The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303
> Barfield Road, Atlanta, Georgia, USA 30328.
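Matt's point that the ev*.enc evidence files are Network Monitor captures can be checked before handing a batch of them to Net Mon or Ethereal. The Python below is an added example, not code from this thread or from ISS: it reads the Network Monitor 2.x header (the "GMBU" signature, version, capture start time and frame table) and walks each frame, refusing files whose offsets point outside the data. The two-frame capture it builds is constructed inline for illustration, and the header and frame-record layout it assumes is the one documented by Wireshark's netmon file reader.

```python
import struct
from datetime import datetime, timedelta

# Network Monitor 2.x file header (layout as in Wireshark's netmon reader, assumed here):
# magic, minor, major, network type, SYSTEMTIME capture start, 12 u32 offset/length fields.
NETMON_HDR = struct.Struct("<4sBBH8H12I")
FRAME_HDR = struct.Struct("<QII")  # ts_delta (usec since start), orig_len, incl_len

def parse_netmon(data: bytes) -> dict:
    """Parse a Network Monitor 2.x capture such as a sensor's ev*.enc evidence file."""
    if len(data) < NETMON_HDR.size:
        raise ValueError("shorter than a Network Monitor header")
    f = NETMON_HDR.unpack_from(data, 0)
    magic, ver_minor, ver_major, network = f[:4]
    if magic == b"RTSS":
        raise ValueError("Network Monitor 1.x capture; frame records use a different layout")
    if magic != b"GMBU":
        raise ValueError("not a Network Monitor capture (magic %r)" % magic)
    year, month, _dow, day, hour, minute, sec, msec = f[4:12]
    start = datetime(year, month, day, hour, minute, sec, msec * 1000)
    ft_off, ft_len = f[12], f[13]
    if ft_len % 4 or ft_off + ft_len > len(data):
        raise ValueError("frame table misaligned or outside the file")
    frames = []
    for off in struct.unpack_from("<%dI" % (ft_len // 4), data, ft_off):
        if off + FRAME_HDR.size > len(data):
            raise ValueError("frame offset %d beyond end of file" % off)
        ts_delta, orig_len, incl_len = FRAME_HDR.unpack_from(data, off)
        payload = data[off + FRAME_HDR.size:off + FRAME_HDR.size + incl_len]
        if len(payload) != incl_len:
            raise ValueError("truncated frame at offset %d" % off)
        frames.append({"time": start + timedelta(microseconds=ts_delta),
                       "orig_len": orig_len, "payload": payload})
    return {"version": (ver_major, ver_minor), "network": network,
            "start": start, "frames": frames}

def build_sample() -> bytes:
    """Constructed two-frame Ethernet capture for the demo, not a real sensor file."""
    pkts = [bytes.fromhex("ffffffffffff00112233445508060001080006040001"), b"\x00" * 60]
    body, offsets = b"", []
    for i, pkt in enumerate(pkts):
        offsets.append(NETMON_HDR.size + len(body))
        body += FRAME_HDR.pack(i * 1_500_000, len(pkt), len(pkt)) + pkt  # 1.5 s apart
    ft_off = NETMON_HDR.size + len(body)
    hdr = NETMON_HDR.pack(b"GMBU", 0, 2, 1, 2004, 7, 4, 15, 9, 19, 20, 0,
                          ft_off, 4 * len(offsets), *([0] * 10))
    return hdr + body + struct.pack("<%dI" % len(offsets), *offsets)
```

Run `parse_netmon(open(path, "rb").read())` over each ev*.enc file to confirm it is a 2.x capture and see the start time and frame count before opening it in an analyzer.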
