Subject: RS Network Sensor Enhancement Request
From: Michael Engle (mengle@lanexperts.com)
Date: Thu Oct 19 2000 - 16:36:26 CDT



I'd like to request a feature for RS 5.0 Network Sensors.

In the User-Defined policy section, we have the ability to check for
email subject, sender, content, etc. However, the information provided
by the sensor is insufficient. It already is analyzing the entire
header and body of the message - it would be a piece of cake to provide
an interface where a custom alert could be sent, much in the same way
your custom event-log rules can be created in OS Sensors.

I'll give you an example. We set up a custom event for a 5.0 Network
Sensor which looks for

"---- BEGIN PGP SIGNED MESSAGE ----"

in the body of an email. When an alert is generated (via email), there
is no way to tell who sent the message - just that it was from ip xx.xx
and to ip xx.xx.

On the OS Sensor custom eventlog rules, you can specify
String1
String2
to pull some info out of the event log when you are doing custom event
log searches. String1 may be user SID, String2 their username, etc.

For the Network Sensors, strings could be set up like
String1=sender
String2=recipient
String3=subject

etc.

Mike
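The enrichment the post asks for, sketched as an added example that is not part of the original message or of the RealSecure product: match a pattern against the body of a captured email and, on a hit, pull sender, recipient and subject into the alert instead of reporting only the two IP addresses. The sample message, the `String1`..`String3` field names and the pattern are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not from the original post): a captured SMTP payload
# containing the signature block the post's custom event looks for.
SAMPLE_MESSAGE = """\
From: Alice Example <alice@example.com>
To: Bob Example <bob@example.net>
Subject: Weekly report
Content-Type: text/plain; charset="us-ascii"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Report attached.
"""

# Tolerates the dash count and spacing variants seen in the wild.
PGP_SIGNED_PATTERN = r"-+ ?BEGIN PGP SIGNED MESSAGE ?-+"


def extract_alert_fields(raw_message, body_pattern):
    """Search the message body for body_pattern; on a hit return the
    enriched fields (sender, recipient, subject) named in the post.
    Returns None when the pattern does not occur in the body."""
    msg = message_from_string(raw_message)
    body_chunks = []
    # Walk parts so multipart mail is covered; decode only text parts.
    for part in msg.walk():
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True)
            if payload is not None:
                charset = part.get_content_charset() or "utf-8"
                body_chunks.append(payload.decode(charset, "replace"))
    body = "\n".join(body_chunks)
    if not re.search(body_pattern, body):
        return None
    return {
        "String1": parseaddr(msg.get("From", ""))[1],  # sender
        "String2": parseaddr(msg.get("To", ""))[1],    # recipient
        "String3": msg.get("Subject", ""),             # subject
    }


def format_alert(fields, src_ip, dst_ip):
    """Render the alert line with the header fields included."""
    return (f"PGP signed message {src_ip} -> {dst_ip}: "
            f"sender={fields['String1']} recipient={fields['String2']} "
            f"subject={fields['String3']!r}")
```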