Re: [ISSForum] Sending high alerts to a flatfile or Tivoli

Subject: Re: [ISSForum] Sending high alerts to a flatfile or Tivoli
Date: Thu, 27 Oct 2005 15:28:39 -0400
Wouldn't a Fusion Script Response (custom TCL script) accomplish this too? 

Or...

A custom signature which had a custom response (again a TCL script). A script 
which would extract any type of data from the event you told it to and write it 
to a flat file.



Have you messed with the custom response capabilities? It's pretty cool what 
you can do.


David





-----Original Message-----
From: issforum-bounces@iss.net [mailto:issforum-bounces@iss.net] On Behalf Of 
Reiver
Sent: Tuesday, October 25, 2005 7:09 PM
To: jaeger
Cc: ISS user group (E-mail)
Subject: Re: [ISSForum] Sending high alerts to a flatfile or Tivoli

Yes, I considered that, however, would I parse the sensor event queue or ?. 
I'm trying to keep from writing the same events over again, if there is a 
queue built up though.  Although, after thinking about your e-mail, I wonder 
if I can set up a SQL trigger to do the same?  I'll have to look into that!

Thanks!!
Reiver

----- Original Message ----- 
From: "jaeger" <jaeger@bdg.de>
To: "Reiver" <reiver2002@hotmail.com>
Cc: "ISS user group (E-mail)" <issforum@iss.net>
Sent: Monday, October 24, 2005 6:28 PM
Subject: Re: [ISSForum] Sending high alerts to a flatfile or Tivoli


Reiver,

have you thought about coding a user defined response to write to a
local flat file? This is pretty much straightforward, a simple cmd file
response could look like this:

@echo off
rem parse all parameters needed in sensor response policy
echo %* >> c:\logfile

A more elegant way to do this is to use the logevent.exe utility from
the W2K resource kit, which allows you to write to the local application
log. This can be used to trigger events in the local Tivoli agent.

Karl


Reiver wrote:
Nope. No printing subsystems, Posix, OS/2, OS stripped down to core, most
programs removed.  No OOB management.  ISS + multiple vendor appliances for
every zone and the POS Tivoli thrown in the mix. lol.

Reiver

----- Original Message ----- 
From: "Ballerini, Jean Paul (ISS EMEA)" <JPBallerini@iss.net>
To: "Reiver" <reiver2002@hotmail.com>; "issforum@atla-mm1.iss.net"
<issforum@iss.net>
Sent: Monday, October 17, 2005 10:38 AM
Subject: RE: [ISSForum] Sending high alerts to a flatfile or Tivoli


Not even SNMPv3 ?

Jean Paul

-----Original Message-----
From: issforum-bounces@atla-mm1.iss.net On Behalf Of Reiver
Sent: Saturday, October 15, 2005 3:42
To: issforum@atla-mm1.iss.net
Subject: Re: [ISSForum] Sending high alerts to a flatfile or Tivoli

Sorry, forgot to mention that we aren't allowed to use SNMP (security
reasons).

Thanks!
Reiver

----- Original Message ----- 
From: "Bruetsch, Markus (ISS California)" <MBruetsch@iss.net>
To: "Reiver" <reiver2002@hotmail.com>; "issforum@atla-mm1.iss.net"
<issforum@iss.net>
Sent: Friday, October 14, 2005 8:04 AM
Subject: RE: [ISSForum] Sending high alerts to a flatfile or Tivoli


You can use the SNMP response in SiteProtector to send the alerts to Tivoli.



Regards

Markus
-
Markus Brütsch
TZ: US Pacific
Office: 805 241 6282


-----Original Message-----
From: issforum-bounces@atla-mm1.iss.net On Behalf Of Reiver
Sent: Thu, Oct 13, 2005 17:37
To: issforum@atla-mm1.iss.net
Subject: [ISSForum] Sending high alerts to a flatfile or Tivoli

We are trying to send alerts for Server Sensor to a flatfile that Tivoli can
read or find a way for Tivoli to read the high alerts only in a more direct
manner.  Has anyone done this?  I realize that there is a Tivoli Console for
RealSecure, but I want to continue to monitor with SiteProtector and I
don't have control of the Tivoli mothership, only the local agents.

Thanks!
_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.



-- 
  Karl-Heinz Jaeger
Manager Customer Services

______________________________________________________________

Protect your network from the inside. - Raise your employees' awareness
of IT security.
Learn all about our free Security Awareness Training
at: http://www.open-beware.de

Visit our IDP workshop on 16 November 2005 in Frankfurt.
Find out more here: http://www.bdg.de/

Meet IT security experts on the 19th of every month at the
BDG-Security-Point!
All information can be found here: http://www.bdg.de/security-point

______________________________________________________________

* BDG GmbH & Co. KG - Make IT safe.
* Stolbergerstr. 307
D-50933 Koeln

Tel:      +49 (0)6126-94433-0
Fax:    +49 (0)6126-94433-31

E-Mail: karl.jaeger@bdg.de
Web:   http://www.bdg.de

______________________________________________________________
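
Added example, not part of the original thread or of any ISS tooling: a user-defined response in the spirit of the flat-file suggestion above, extended to keep only high alerts and to skip events already written, which is the duplicate concern raised in the follow-up. The field order (severity first), the "High" label, the file names and passing the event fields as command-line arguments are all assumptions; the sample events are constructed.

```python
import hashlib
import os
import sys
import tempfile

HIGH = "high"  # assumed severity label; the thread does not give the sensor's value

def event_key(fields):
    """Stable fingerprint of one event so a replayed queue entry is recognised."""
    return hashlib.sha256("\x1f".join(fields).encode("utf-8")).hexdigest()

def log_high_alert(fields, logfile, seenfile):
    """Append a high-severity event once (assumed order: severity first). True if written."""
    if not fields or fields[0].lower() != HIGH:
        return False
    key = event_key(fields)
    seen = set()
    if os.path.exists(seenfile):
        with open(seenfile, encoding="utf-8") as fh:
            seen = {line.strip() for line in fh}
    if key in seen:
        return False
    # Flatten CR/LF/tab so a field taken from network traffic cannot forge extra log lines.
    clean = [f.replace("\r", " ").replace("\n", " ").replace("\t", " ") for f in fields]
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write("\t".join(clean) + "\n")
    with open(seenfile, "a", encoding="utf-8") as fh:
        fh.write(key + "\n")
    return True

def demo():
    """Run constructed sample events through the filter; returns (results, log lines)."""
    d = tempfile.mkdtemp()
    log, seen = os.path.join(d, "alerts.log"), os.path.join(d, "alerts.seen")
    events = [  # constructed sample events, not real sensor output
        ["High", "2005-10-27T15:28:39", "Sample_Event_A", "192.0.2.10", "192.0.2.20"],
        ["Low", "2005-10-27T15:29:00", "Sample_Event_B", "192.0.2.11", "192.0.2.20"],
        ["High", "2005-10-27T15:28:39", "Sample_Event_A", "192.0.2.10", "192.0.2.20"],
        ["High", "2005-10-27T15:30:00", "Sample\nEvent_C", "192.0.2.12", "192.0.2.20"],
    ]
    results = [log_high_alert(e, log, seen) for e in events]
    with open(log, encoding="utf-8") as fh:
        return results, fh.read().splitlines()

if __name__ == "__main__":
    if len(sys.argv) > 3:  # usage: script LOGFILE SEENFILE field1 field2 ...
        log_high_alert(sys.argv[3:], sys.argv[1], sys.argv[2])
    else:
        print(demo())
```

The flat file stays one event per line for the monitoring agent to tail, and the separate fingerprint file is what prevents a backed-up queue from being written twice.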

