[ISSForum] Reporting/Query Questions

Subject: [ISSForum] Reporting/Query Questions
Date: Mon, 24 Jan 2005 08:57:41 -0500
All,

      I'm somewhat new to the ISS Site Protector suite and realize that
like any large product that's been in service for a while someone else has
likely figured out solutions to things I'm just now finding. My issues are
related to extracting data for specific situations. I have created several
new Analysis Views to get what I want but here are a couple scenarios I'm
not clear on how to deal with.


-Generate a report (or even a view) showing ALL events that contain an IP
address regardless of whether it was the source or destination.
   -If I have an infected PC I want a way to view all events the IDS
   noticed regardless of whether it was "target" or "victim".

   -This is also useful in looking at chat, IM or P2P activity because now
   I have to do 2 data exports for each IP, 1 as Source, 1 as
   destination. This makes following a conversation pretty difficult.

-Generate a report to show a graph of a single event over time graphed by
hour. Example: Show all YahooIM seen over 14 days graphed by 2 hour
intervals. Or show number of IM sessions per day for last 30 days.

   -We have implemented a software control solution, as well as
   communicated to users that all non-approved IM is not permitted. We want
   to graph what we currently see in the IDS to show if our actions are
   effective. I want to show IM traffic graph 2 weeks prior and 2 weeks
   after the message.

   I'm considering going to my DBAs to see if they can pull some of this
   out for me. We have looked at the ISS Reporting tool but for the price it
   doesn't seem to be able to provide all of the capabilities we need. Some
   of the templates are helpful but there are many other ways I would wish
   to view the data that just aren't there.

   Regards,
   Chris Norris
   American Modern Insurance Companies
   Sr. Security Engineer
   IS Risk and Security Management
   7000 Midland Blvd.
   Amelia, OH 45102
   Ph: 513-947-5454
   email: cnorris@amig.com
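
Added example, not part of the original post and not SiteProtector code: one way to get both views from a single event export instead of separate source and destination exports. The CSV column names (`time`, `event_name`, `source_ip`, `target_ip`), the event names and the sample rows are constructed assumptions, not the product's schema.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample export; column and event names are assumptions.
SAMPLE_EXPORT = """time,event_name,source_ip,target_ip
2005-01-10 08:15:00,YahooIM_Login,10.1.2.3,192.0.2.10
2005-01-10 09:40:00,YahooIM_Message,192.0.2.10,10.1.2.3
2005-01-10 09:55:00,HTTP_Get,10.1.2.9,198.51.100.7
2005-01-10 13:05:00,YahooIM_Message,10.1.2.3,192.0.2.10
2005-01-11 10:20:00,YahooIM_Login,10.1.2.9,192.0.2.10
"""

def load_events(text):
    """Parse the export and convert the time column to datetime."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        events.append(row)
    return events

def events_for_ip(events, ip):
    """Every event that involves ip as source OR target, in time order,
    so both directions of a conversation appear in one list."""
    hits = [e for e in events if ip in (e["source_ip"], e["target_ip"])]
    return sorted(hits, key=lambda e: e["time"])

def bucket_counts(events, name_prefix, start, end, hours=2):
    """Count events whose name starts with name_prefix in fixed-width
    buckets over [start, end). Empty buckets are kept as zero so a graph
    shows quiet periods instead of skipping them."""
    width = timedelta(hours=hours)
    counts = Counter()
    for e in events:
        if e["event_name"].startswith(name_prefix) and start <= e["time"] < end:
            index = (e["time"] - start) // width   # whole buckets since start
            counts[start + index * width] += 1
    series, t = [], start
    while t < end:
        series.append((t, counts[t]))
        t += width
    return series

if __name__ == "__main__":
    evts = load_events(SAMPLE_EXPORT)
    for e in events_for_ip(evts, "10.1.2.3"):
        print(e["time"], e["source_ip"], "->", e["target_ip"], e["event_name"])
    for t, n in bucket_counts(evts, "YahooIM", datetime(2005, 1, 10), datetime(2005, 1, 12), hours=24):
        print(t.date(), n)
```

Calling `bucket_counts` with `hours=24` gives the per-day series; running it over the 14 days before and the 14 days after the policy message gives the two halves of the comparison graph.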
