
Re: [ISSForum] session playback & logwithraw

Rob,

First off, make sure you are at the latest version of SiteProtector
(2.0 SP4).  I'm not sure if the console LogWithRaw decoding was
available prior to SP4.

For evidence logging:
The ev*.enc files that are stored in the ./Logs directory on the
sensor are in Microsoft Network Monitor format.  This means that you
can view them with either MS Net Mon or any other packet analyzer that
will parse .enc files (Ethereal, etc.)

For Log With Raw:

The advantage of LogWithRaw is that the first packet that triggered
the signature is stored with the event inside the database.  This is
nice because it will always be available when running reports, viewing
sensor analysis, etc.  That being said, any signatures with LogWithRaw
enabled will take up more space within the database (for obvious
reasons.)

To view the packet details from the LogWithRaw capture, right-click on
one of the events within the Console and select Event Details.  In the
Event Attribute Value Pairs pane, click on an attribute titled
'FirstPacket.enc' (it will have a little document icon next to it.) 
Now the contents of this packet will appear in the right-hand pane. 
Also, you can right-click on the icon and save the .enc file to disk. 
Once you've done this, all of the same rules apply as the Evidence Log
capture file.

-Matt
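As an added illustration (not part of Matt's reply or any ISS tool), the check below confirms from the file header, rather than the extension, that a saved ev*.enc or FirstPacket.enc file really is a Microsoft Network Monitor capture before you hand it to a packet analyzer. The magic values are the ones Wireshark uses to recognise NetMon 1.x/2.x, pcap and pcapng files; the sample headers embedded here are constructed for the demo and are not real sensor output.

```python
"""Identify the container format of a saved capture by its header.

Added example, not code from the original post or from ISS.  The ISS
evidence (ev*.enc) and FirstPacket.enc files are described above as
Microsoft Network Monitor captures; this sniffer verifies that from the
first bytes of the file.  Magic values follow Wireshark's format
detection; the sample headers below are constructed, not real captures.
"""
import struct

NETMON_1X_MAGIC = b"RTSS"   # Network Monitor 1.x capture
NETMON_2X_MAGIC = b"GMBU"   # Network Monitor 2.x capture
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": "pcap (little-endian, microsecond timestamps)",
    b"\xa1\xb2\xc3\xd4": "pcap (big-endian, microsecond timestamps)",
    b"\x4d\x3c\xb2\xa1": "pcap (little-endian, nanosecond timestamps)",
    b"\xa1\xb2\x3c\x4d": "pcap (big-endian, nanosecond timestamps)",
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type


def identify_capture(header: bytes) -> str:
    """Return a human-readable format name for the leading bytes of a file."""
    if len(header) < 4:
        return "too short to identify"
    magic = header[:4]
    if magic in (NETMON_1X_MAGIC, NETMON_2X_MAGIC):
        family = "1.x" if magic == NETMON_1X_MAGIC else "2.x"
        # After the magic, NetMon stores the version as two single bytes,
        # minor first, then major (field order as in Wireshark's netmon.c).
        if len(header) >= 6:
            ver_minor, ver_major = header[4], header[5]
            return (f"Microsoft Network Monitor {family} capture "
                    f"(header version {ver_major}.{ver_minor})")
        return f"Microsoft Network Monitor {family} capture"
    if magic in PCAP_MAGICS:
        return PCAP_MAGICS[magic]
    if magic == PCAPNG_MAGIC:
        return "pcapng"
    return "unknown"


def identify_file(path: str) -> str:
    """Read just enough of a file on disk to classify it."""
    with open(path, "rb") as fh:
        return identify_capture(fh.read(8))


# Constructed sample headers (not real sensor output).
SAMPLES = {
    "ev001.enc": NETMON_2X_MAGIC + bytes([0, 2]) + b"\x00" * 26,
    "FirstPacket.enc": NETMON_1X_MAGIC + bytes([1, 1]) + b"\x00" * 26,
    # pcap global header: magic, version 2.4, tz 0, sigfigs 0, snaplen, linktype
    "trace.pcap": b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1),
    "notes.txt": b"plain text, not a capture",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16s} -> {identify_capture(data)}")
```

Run it against a real file with `identify_file("ev001.enc")`; if it reports "unknown", the file is not a NetMon capture and Ethereal/Wireshark will not open it as one, so the problem is upstream of the analyzer.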

On Thu, 15 Jul 2004 09:19:20 -0400, Rob Baxter <rbaxter@xxxxxxxxxxx> wrote:
> 
> I am currently working with an evaluation license of SiteProtector 2.0
> and Network Sensor 7.0 in our lab as an evaluation for possible
> purchase. I have read in several places that RS is capable of logging
> the raw packet data for generated alerts. I have updated the
> policy/response for several signatures to do both LogWithRaw and
> LogEvidence however I don't see any raw packet data available either in
> the SiteProtector console or in the RealSecureDB database itself. Where
> should I be looking for this information? With LogEvidence enabled I do
> see the evXXX.enc files being generated but is there any way of viewing
> them aside from a text editor? I have looked in the ISS documentation
> and KB but have yet to find anything which addresses these issues. TIA if
> someone can point me in the right direction.
> 
> </rob>
> _______________________________________________
> ISSForum mailing list
> ISSForum@xxxxxxx
> 
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
> 
> To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx
> 
> The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
>