I am trying to add and work with the TCL scripting features available with Server Sensor. Specifically, I am referring to a Server Sensor policy, OS Events tab, the "Failed Account Login Disabled" signature. I have checked the "Fusion Scripting" response and applied a custom script I have written. It is actually working fairly well but there are some issues. What the script does is collect data from the signature such as user name, computer name, domain name, IP, etc., then it writes that to a line in a plain text file. Then a second script (a VBS script I wrote) monitors that text file (called tcl.txt) for changes. When a change is detected it opens the text file and reads the bottom (most recent) line and takes the info from that line to create easier to read data. Now in sentence form the info is emailed to an admin... In the end what happens is an account is disabled because a bad password is attempted and a network admin gets an email within seconds that says something like "The user account MSMITH has been locked by server SERVERNAME on Friday, Feb 24, 2005"
The problem is that some systems periodically have an issue where a user account is attempted over and over (and it is denied) but an email is generated 100+ times just for that one incident. Regardless of why that is happening I want to exclude certain servers from this report altogether, one of those is our VPN server. So I want to add lines of code to the TCL script which basically say (near the top of the script) "If servername = VPNSERVER then exit" (in TCL language of course). I have tried what I thought to be the proper way and it never works. The excluded servers always continue to email me incessantly. Does anyone have any TCL scripting experience that can help me with this script? I am very new to TCL. Or does anyone know of a good source for TCL/Server Sensor support? ISS won't help with this sort of thing at all. I'm sure you've seen their disclaimers :-)

David
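The exclusion and the repeated-alert problem described in the post, sketched in Tcl as an added example that is not part of the original message and is not ISS code. Every proc and variable name here is hypothetical, the post does not show how Server Sensor passes the signature's fields to a Fusion script, so they are taken as plain arguments, and the five-minute window is a constructed value.

```tcl
# Added example. All names are hypothetical, not Server Sensor identifiers.
set excludedServers {VPNSERVER}  ;# hosts whose lockout events are never reported
set suppressSeconds 300           ;# constructed: one alert per user/server per 5 min
array set lastSeen {}             ;# "HOST|USER" -> time of the last reported event

# Trim whitespace and upper-case so "vpnserver " and "VPNSERVER" compare equal.
proc normalizeName {name} {
    return [string toupper [string trim $name]]
}

# Return 1 if the event should be written to the log file, 0 if it is dropped.
proc shouldReport {server user now} {
    global excludedServers suppressSeconds lastSeen
    set host [normalizeName $server]
    foreach ex $excludedServers {
        # string equal compares as text; == would first try a numeric comparison
        if {[string equal $host [normalizeName $ex]]} { return 0 }
    }
    set key "$host|[normalizeName $user]"
    if {[info exists lastSeen($key)] && ($now - $lastSeen($key)) < $suppressSeconds} {
        return 0   ;# same account on the same server, still inside the window
    }
    set lastSeen($key) $now
    return 1
}

# Append one line to the file the VBS monitor watches (tcl.txt in the post).
proc reportLockout {server user logFile} {
    set now [clock seconds]
    if {![shouldReport $server $user $now]} { return 0 }
    set fh [open $logFile a]
    puts $fh "[normalizeName $user]\t[normalizeName $server]\t[clock format $now]"
    close $fh
    return 1
}

# Constructed sample events: excluded host, first lockout, immediate repeat.
puts [shouldReport " vpnserver" MSMITH 1000]   ;# 0
puts [shouldReport SERVERNAME  MSMITH 1000]   ;# 1
puts [shouldReport SERVERNAME  msmith 1060]   ;# 0
```

The duplicate suppression assumes the Tcl interpreter stays loaded between events; if each event starts a fresh interpreter, the `lastSeen` state would have to be kept in a file instead.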
