All,
I'm somewhat new to the ISS Site Protector suite and realize that
like any large product that's been in service for a while someone else has
likely figured out solutions to things I'm just now finding. My issues are
related to extracting data for specific situations. I have created several
new Analysis Views to get what I want but here are a couple scenarios I'm
not clear on how to deal with.
- Generate a report (or even a view) showing ALL events that contain an IP
  address regardless of whether it was the source or destination.
    - If I have an infected PC I want a way to view all events the IDS
      noticed regardless of whether it was "target" or "victim".
    - This is also useful in looking at chat, IM or P2P activity because now
      I have to do data 2 data exports for each IP, 1 as Source, 1 as
      destination. This makes following a conversation pretty difficult.
- Generate a report to show a graph of a single event over time graphed by
  hour. Example: Show all YahooIM seen over 14 days graphed by 2 hour
  intervals. Or show number of IM sessions per day for last 30 days.
    - We have implemented a software control solution, as well as
      communicated to users that all non-approved IM is not permitted. We want
      to graph what we currently see in the IDS to show if our actions are
      effective. I want to show IM traffic graph 2 weeks prior and 2 weeks
      after the message.
I'm considering going to my DBAs to see if they can pull some of this
out for me. We have looked at the ISS Reporting tool but for the price it
doesn't seem to be able to provide all of the capabilities we need. Some
of the templates are helpful but there are many other ways I would wish
to view the data that just aren't there.
Regards,
Chris Norris
American Modern Insurance Companies
Sr. Security Engineer
IS Risk and Security Management
7000 Midland Blvd.
Amelia, OH 45102
Ph: 513-947-5454
email: [EMAIL PROTECTED]
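
Added example (not part of the original post, and not ISS or SiteProtector code): the three views asked for above, run against an in-memory SQLite table. The table layout, column names, event names, addresses and dates are all constructed for illustration and are not the SiteProtector schema.

```python
import sqlite3
from collections import Counter
from datetime import datetime

# Constructed sample events: (timestamp, event name, source IP, destination IP).
# Hypothetical layout, not the SiteProtector database schema.
EVENTS = [
    ("2006-01-10 09:15:00", "YahooIM", "192.0.2.10", "198.51.100.7"),
    ("2006-01-10 09:50:00", "YahooIM", "198.51.100.7", "192.0.2.10"),
    ("2006-01-10 10:05:00", "YahooIM", "192.0.2.10", "198.51.100.7"),
    ("2006-01-10 13:30:00", "P2P_Activity", "192.0.2.44", "192.0.2.10"),
    ("2006-01-25 08:20:00", "YahooIM", "192.0.2.31", "198.51.100.7"),
]

def load(events):
    """Build the hypothetical events table in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (ts TEXT, name TEXT, src_ip TEXT, dst_ip TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    return db

def events_for_ip(db, ip):
    """Every event involving ip, as source OR destination, in time order."""
    return db.execute(
        "SELECT ts, name, src_ip, dst_ip FROM events "
        "WHERE src_ip = ? OR dst_ip = ? ORDER BY ts", (ip, ip)).fetchall()

def bucket_counts(db, name, hours=2):
    """Count events called name per hours-wide interval: {interval start: count}."""
    counts = Counter()
    for (ts,) in db.execute("SELECT ts FROM events WHERE name = ?", (name,)):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        start = t.replace(hour=t.hour - t.hour % hours, minute=0, second=0)
        counts[start.strftime("%Y-%m-%d %H:00")] += 1
    return dict(sorted(counts.items()))

def before_after(db, name, cutoff):
    """Counts of name before, and on or after, the cutoff timestamp."""
    row = db.execute(
        "SELECT SUM(ts < ?), SUM(ts >= ?) FROM events WHERE name = ?",
        (cutoff, cutoff, name)).fetchone()
    return (row[0] or 0, row[1] or 0)  # SUM over zero rows is NULL

if __name__ == "__main__":
    db = load(EVENTS)
    for row in events_for_ip(db, "192.0.2.10"):
        print(row)
    print(bucket_counts(db, "YahooIM", hours=2))
    print(before_after(db, "YahooIM", "2006-01-17 00:00:00"))
```

The single OR query replaces the two per-IP exports and keeps both directions of a conversation in one time-ordered list; the interval counts are the series a graph would plot.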