
[ISSForum] No TCL experience out there??

Subject: [ISSForum] No TCL experience out there??
Date: Mon, 7 Mar 2005 12:17:54 -0500
I posted the below message and have had ZERO replies. Has no one been
down this road before? Or any good suggestions to where I might get some
good TCL/Server Sensor help?


David



I am trying to add and work with the TCL scripting features available
with Server Sensor. Specifically, I am referring to a Server Sensor
policy, OS Events tab, the "Failed Account Login Disabled" signature. I
have checked the "Fusion Scripting" response and applied a custom script
I have written. It is actually working fairly well but there are some
issues. What the script does is collect data from the signature such as
user name, computer name, domain name, IP, etc. then it writes that to a
line in a plain text file. Then a second script (vbs script I wrote)
which monitors that text file (called tcl.txt) for changes. When a
change is detected it opens the text file and reads the bottom (most
recent) line and takes the info from that line to create easier to
read data. Now in sentence form the info is emailed to an admin... In
the end what happens is an account is disabled because a bad password is
attempted and a network admin gets an email within seconds that says
something like "The user account MSMITH has been locked by server
SERVERNAME on Friday, Feb 24, 2005"

The problem is that some systems periodically have an issue where a user
account is attempted over and over (and it is denied) but an email is
generated 100+ times just for that one incident. Regardless of why that
is happening I want to exclude certain servers from this report
altogether, one of those is our VPN server. So I want to add lines of
code to the TCL script which basically says (near the top of the
script) "If servername = VPNSERVER then exit" (in TCL language of
course). I have tried what I thought to be the proper way and it never
works. The excluded servers always continue to email me incessantly.
Does anyone have any TCL scripting experience that can help me with this
script? I am very new to TCL. Or does anyone know of a good source for
TCL/Server Sensor support? ISS won't help with this sort of thing at
all. I'm sure you've seen their disclaimers :-)


David 
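
One way to write the filter the message asks for, as an added example that is not part of the original post and not ISS code: the server name is normalized before it is compared with an exclusion list, and repeated events for the same server and user are suppressed for a time window so one incident yields one line in tcl.txt. The proc names, variables and argument order are assumptions, because the post does not show how Server Sensor passes event fields to the script.

```tcl
# Added example. Every name here (procs, variables, argument order) is an
# assumption; how Server Sensor hands event fields to the script is not shown.
set EXCLUDED_SERVERS {vpnserver}   ;# lower-case short names to ignore
set SUPPRESS_SECONDS 300           ;# one line per server/user per window

# Reduce a computer name to a comparable form: trimmed, no leading
# backslashes, no DNS suffix (IP addresses are left whole), lower case.
proc normalize_host {name} {
    set name [string trimleft [string trim $name] "\\"]
    if {![regexp {^[0-9.]+$} $name]} {
        set name [lindex [split $name "."] 0]
    }
    return [string tolower $name]
}

# Return 1 if the event should be written to tcl.txt, 0 if it is dropped.
# lastSeen lives in memory, so this assumes the interpreter stays loaded
# between events; otherwise the timestamps would need to go in a file.
proc should_report {server user now} {
    global EXCLUDED_SERVERS SUPPRESS_SECONDS lastSeen
    set host [normalize_host $server]
    if {[lsearch -exact $EXCLUDED_SERVERS $host] >= 0} {
        return 0
    }
    set key "$host|[string tolower [string trim $user]]"
    if {[info exists lastSeen($key)]
            && ($now - $lastSeen($key)) < $SUPPRESS_SECONDS} {
        return 0
    }
    set lastSeen($key) $now
    return 1
}

# Constructed events (server, user, epoch seconds), not real log data.
foreach {server user now} {
    "VPNServer.corp.example " MSMITH 1000
    FILESRV01 MSMITH 1000
    FILESRV01 msmith 1030
    FILESRV01 MSMITH 1400
} {
    puts "[string trim $server] $user $now -> [should_report $server $user $now]"
}
```

In the response script, the call to `should_report` would go before the file is opened, with `[clock seconds]` as the timestamp, and the script would return without writing when the result is 0.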
