Network Security ISSForum

[ISSForum] Proventia User defined Events

Subject: [ISSForum] Proventia User defined Events
Date: Thu, 1 Dec 2005 08:46:00 -0500
Hello all,

      I'm curious to know how many others were affected by this and how
they might be handling the issue.

      We recently upgraded our Proventia G to the new 1.2 image. After
doing so all of our User Defined Events either stopped working completely,
or if they worked would no longer return the data matched in the event and
display it in Site Protector.

      For example, I had a user defined event we would use to audit
downloading of media using this REGEX:
(\.torrent)|(\.mp3)|(\.mpeg)|(\.wma)|(\.iso)
It would easily allow us to see what URL and what files were being accessed
since we know we had an issue with someone running BitTorrent as well as
engaging in other non-approved activity. Prior to the upgrade I would be
able to see the URL in Site Protector to see if it was in fact something we
needed to investigate further. Obviously there were some "hits" on this
event that were not real policy violations. Another event we'd turn on when
needed simply showed when someone searched for the term "nude" in Google or
Yahoo using this REGEX: .search\S{1,100}[^me]nude.? We had some fun
cleaning that expression up because our first attempt would trigger on
"menudefault". I'm no REGEX expert but we did have some great custom events
and they were extremely useful for various situations.

      After the upgrade Site Protector now displays this:
URL_Raw_Data User Defined (\.torrent)|(\.mp3)|(\.mpeg)|(\.wma)|(\.iso)
which is pretty much useless since those are just the REGEX strings I myself
entered. I don't want to log all of these events to an evidence file since
that involves too much effort in pulling over to analyze in Ethereal etc.
and we also use a central log/analysis/correlation system for our
firewalls, routers, syslogs, and IDS. That too has been affected since the
Site Protector events no longer contain useful data.

      So now we've lost all function of our user defined events, which is
troubling because we had over 2 dozen in use. I opened a support case and
was told this is considered the "normal" function of the Proventia now.
I've submitted an enhancement request but I'm baffled as to how a security
company could assume that not showing the data that triggered a user
defined event could not be a major flaw.

      Has anyone else been affected by this and what are you now doing?



Regards,
Chris Norris CISSP


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
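As an added illustration (not code from the post, from ISS, or from Proventia), the Python below runs the two user-defined event patterns quoted in the post over constructed URL log lines and returns the substring that fired each rule, i.e. the matched data the post says Site Protector stopped displaying after the 1.2 upgrade. It also checks that the [^me] exclusion no longer fires on "menudefault"; the shape of the author's first attempt is an assumption, since the post does not quote it.

```python
import re

# Patterns exactly as quoted in the post (user-defined events).
MEDIA_RE = re.compile(r"(\.torrent)|(\.mp3)|(\.mpeg)|(\.wma)|(\.iso)")
NUDE_RE = re.compile(r".search\S{1,100}[^me]nude.?")

# ASSUMED shape of the first attempt before the [^me] exclusion was added;
# the post only says it triggered on "menudefault".
NUDE_FIRST_ATTEMPT_RE = re.compile(r".search\S{1,100}nude.?")

EVENTS = (("media_download", MEDIA_RE), ("nude_search", NUDE_RE))

# Constructed sample URL log lines (not taken from the post).
SAMPLE_URLS = [
    "http://tracker.example.net/files/ubuntu-5.10.iso.torrent",
    "http://media.example.com/podcasts/episode12.mp3",
    "http://www.google.com/search?hl=en&q=nude+beach",
    "http://search.yahoo.com/search?p=menudefault",
    "http://intranet.example.org/reports/q3.pdf",
]


def match_events(url):
    """Return a list of (event_name, matched_text) for one URL.

    matched_text is the substring that satisfied the rule.  Reporting it,
    rather than the rule's own regex string, is what lets an analyst decide
    whether a hit is a real policy violation without pulling evidence files.
    Every match is reported, so a name like "x.iso.torrent" yields two hits.
    """
    hits = []
    for name, rx in EVENTS:
        for m in rx.finditer(url):
            hits.append((name, m.group(0)))
    return hits


def scan(urls):
    """Map each URL to its list of hits; URLs with no hits map to []."""
    return {u: match_events(u) for u in urls}


def menudefault_false_positive(url="http://search.yahoo.com/search?p=menudefault"):
    """(first_attempt_fired, refined_fired): shows why [^me] was needed."""
    return (NUDE_FIRST_ATTEMPT_RE.search(url) is not None,
            NUDE_RE.search(url) is not None)


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_URLS).items():
        print(url, "->", hits or "no event")
    print("menudefault (first attempt, refined):", menudefault_false_positive())
```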
