Subject: RE: Real Secure Email
From: mark.teicher@networkice.com
Date: Sat Nov 04 2000 - 13:13:39 CST


TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
majordomo@iss.net Contact issforum-owner@iss.net for help with any problems!
----------------------------------------------------------------------------

At 12:19 PM 11/4/00 +0000, Stephen Bonner wrote:
>Mark,
>
>Thinking about this further, you can also use the SNMP alerting and then use
>a script response within HP OpenView to send emails, that would allow you to
>send different emails to different places based on the event being alerted
>or even on the volume of events.

Refer to page 30 of the ISS Real Secure NetSensor User's Guide,

-- *******************************************************************
-- TRAPS
-- *******************************************************************

eventinfo TRAP-TYPE
     ENTERPRISE iss
     VARIABLES
         {
                 eventEntryName,
                 eventEntryTime,
                 eventEntryAmask,
                 eventEntryPriority,
                 eventEntryProtocol,
                 eventEntrySourceIpAddress,
                 eventEntryDestinationIpAddress,
                 eventEntrySourceName,
                 eventEntryDestinationName,
                 eventEntryIcmpType,
                 eventEntryIcmpCode,
                 eventEntrySourcePort,
                 eventEntryDestinationPort,
                 eventEntrySourcePortName,
                 eventEntryDestinationPortName,
                 eventEntryUserActionList
         }
     DESCRIPTION
     "This trap is sent from a RealSecure engine whenever an event
          is encountered that the RealSecure engine is configured to send traps
          for. The details of the event are contained in the trap."
     ::= 1

>We have used this historically to throttle alarm rates across multiple
>engines - i.e. a port scan of 2000 OS sensors will produce 2000 alarms,
>after you've received the first 100 pages from the email to pager gateway
>you have a fairly good idea of what is going on without the next 1900 pages
>so if they are throttled and replaced by a single page notifying you to
>check the central event database.

You can also suppress an event by bumping the threshold.

>This does rely on SNMP, which can be a lossy protocol, and chains multiple
>points of failure into an alert path.
>
>Does anyone know of a way of setting up an SNMP heartbeat from an RS sensor?
>Or does anyone have a good approach to ensuring that, with a large number of
>sensors, they are all working properly? If you could send an SNMP
>heartbeat then the processing script on the HP OpenView server could log the
>last heartbeat and a cron job could alert to any missing heartbeats. I
>suppose an alternative approach around this is to use a pull approach like
>the getcsv or enginestatus within enginemgr.exe.

I have done this in the past, where the iss.mib had to be compiled and then put
in the correct directory for HP OpenView, plus a couple of Perl scripts.

>Stephen
>
>
>
>
>-----Original Message-----
>From: mark.teicher@networkice.com [mailto:mark.teicher@networkice.com]
>Sent: 04 November 2000 01:39
>To: Stephen Bonner; 'RScott Renegar'; issforum@iss.net
>Subject: RE: Real Secure Email
>
>
>***********************************************************************
>IMPORTANT - This email originates from the Internet & therefore may not
>be from the apparent sender.
>
>If you have any doubts about the origin or content of the email please
>contact PC Support on ext. 2288.
>***********************************************************************
>
>
>Another trick is to use an email alias group
>
>Create the alias on your mail server, that way you can maintain the list as
>you would normally on your mail server.
>
>Insert the alias as the email address one wishes to utilize as an Email
>Global Response.
>
>sec-alerts@organization.domain
>
>sec-alerts
>
>etc
>
>/mark
>
>At 09:21 PM 11/3/00 +0000, Stephen Bonner wrote:
>
> >
> >A comma delimited list of addresses within the Account section of the email
> >Global Response worked fine on RS 3.2 network sensors.
> >
> >We've moved away from email as an alert mechanism with 5 so I've not tested
> >it but I imagine it would be the same,
> >
> >Yours,
> >
> >Stephen.
> >
> >
> >-----Original Message-----
> >From: RScott Renegar [mailto:RScott.Renegar@kc.frb.org]
> >Sent: 03 November 2000 19:18
> >To: issforum@iss.net
> >Subject: Real Secure Email
> >
> >
> >
> >I've seen this posted a long time ago, and the answer then was no, but has
> >anyone figured out a way to define multiple email addresses on the NETWORK
> >sensors?
>
>
>
>----------------------------------------------------------------------
>The information contained in this e-mail is confidential and solely for
>the intended addressee(s). Unauthorised reproduction, disclosure,
>modification,
>and/or distribution of this email may be unlawful. If you have received
>this email in error, please notify the sender immediately and delete it
>from your system. The views expressed in this message do not necessarily
>reflect those of LIFFE (Holdings) Plc or any of its subsidiary companies.
>----------------------------------------------------------------------
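Putting Stephen's three points together (route by event from the OpenView script, throttle an alarm storm down to a handful of pages plus one summary, and notice sensors that stop reporting), the following is an added example of the logic such a script would carry. It is not code from this thread, from ISS or from HP, and it is written in Python rather than the Perl Mark mentions. The varbind names are taken from the eventinfo trap definition quoted above; the routing table, the priority scale (treated here as higher = more urgent), the thresholds, the organization.example addresses and the port-scan storm are all constructed for illustration.

```python
"""RealSecure eventinfo traps -> routed, throttled pages plus heartbeat checks.
Added example, not code from the thread, ISS or HP: varbind names follow the
eventinfo TRAP-TYPE quoted above; routing table, priority scale (higher = more
urgent), thresholds, addresses and sample traps are constructed."""
from collections import defaultdict, deque

# Varbinds of the eventinfo trap (see the MIB excerpt), assumed to have been
# decoded by the trap receiver into a plain dict of strings.
NAME, PRIORITY = "eventEntryName", "eventEntryPriority"
SRC, DST = "eventEntrySourceIpAddress", "eventEntryDestinationIpAddress"

# Constructed routing table: (event-name prefix, minimum priority, address).
# First match wins; the empty prefix matches every event name.
ROUTES = [
    ("Windows_", 1, "winteam@organization.example"),
    ("Email_",   1, "mailadmins@organization.example"),
    ("",         3, "pager@organization.example"),       # urgent: page someone
    ("",         1, "sec-alerts@organization.example"),  # the rest: mail the alias
]

def route(trap):
    """Return the address one decoded eventinfo trap should go to, or None."""
    name, prio = trap.get(NAME, ""), int(trap.get(PRIORITY, "1"))
    for prefix, min_prio, addr in ROUTES:
        if name.startswith(prefix) and prio >= min_prio:
            return addr
    return None

class Throttle:
    """Sliding-window limit per key: the first `limit` alarms in a window go
    out, the next one becomes a single summary, the rest are dropped until the
    window has moved on."""
    def __init__(self, limit=100, window_s=300.0):
        self.limit, self.window_s = limit, window_s
        self._times = defaultdict(deque)   # key -> timestamps inside the window
        self._summary_at = {}              # key -> when the summary went out

    def admit(self, key, now):
        q = self._times[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        q.append(now)
        if len(q) <= self.limit:
            return "page"
        last = self._summary_at.get(key)
        if last is None or now - last > self.window_s:
            self._summary_at[key] = now
            return "summary"
        return "drop"

class HeartbeatTracker:
    """Last-seen bookkeeping for a known list of sensors.  missing() is what the
    cron job would run; a sensor that has never reported counts as missing."""
    def __init__(self, expected, interval_s):
        self.interval_s = interval_s
        self.last = {s: None for s in expected}

    def beat(self, sensor, now):
        self.last[sensor] = now

    def missing(self, now):
        return sorted(s for s, t in self.last.items()
                      if t is None or now - t > self.interval_s)

def handle(trap, sensor, now, throttle, heartbeats):
    """Per-trap work of the action script: record the sensor as alive, route,
    throttle.  Returns (verdict, recipient, message)."""
    heartbeats.beat(sensor, now)
    addr = route(trap)
    if addr is None:
        return ("drop", None, None)
    name = trap.get(NAME, "?")
    verdict = throttle.admit((name, addr), now)
    if verdict == "drop":
        return ("drop", addr, None)
    if verdict == "summary":
        return ("summary", addr,
                f"{name}: alarm rate exceeded, check the central event database")
    return ("page", addr,
            f"{name} {trap.get(SRC)} -> {trap.get(DST)} prio {trap.get(PRIORITY)}")

def simulate_storm(n_sensors=2000, limit=100):
    """Constructed scenario from the thread: one port scan seen by every sensor
    inside a minute, plus one sensor that never reports.  Returns
    (pages, summaries, drops, missing_sensors)."""
    throttle = Throttle(limit=limit, window_s=300.0)
    sensors = [f"sensor{i:04d}" for i in range(n_sensors)]
    hb = HeartbeatTracker(sensors + ["sensor-dead"], interval_s=600.0)
    counts = {"page": 0, "summary": 0, "drop": 0}
    for i, sensor in enumerate(sensors):
        trap = {NAME: "Port_Scan", PRIORITY: "3",
                SRC: "192.0.2.10", DST: f"10.{i // 250}.{i % 250}.1"}
        verdict, _, _ = handle(trap, sensor, 1000.0 + i * 0.03, throttle, hb)
        counts[verdict] += 1
    # The cron check, run a minute after the last trap of the storm.
    missing = hb.missing(1000.0 + n_sensors * 0.03 + 60.0)
    return counts["page"], counts["summary"], counts["drop"], missing
```

Two things worth noting about the design. The throttle key includes the recipient, so pages to the pager address are limited independently of mail to the alias; with the thread's numbers (2000 sensors, 100 pages allowed) the storm yields 100 pages, one "check the central event database" summary and 1899 drops. And the tracker only learns a sensor is alive when that sensor sends something, which is exactly the gap Stephen raises: to missing() a quiet sensor and a dead one look the same unless every sensor is made to trap on a schedule, or its status is pulled instead of pushed.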