Hello all,
I'm curious to know how many others were affected by this and how
they might be handling the issue.
We recently upgraded our Proventia G to the new 1.2 image. After
doing so all of our User Defined Events either stopped working completely,
or if they worked would no longer return the data matched in the event and
display it in site protector.
For example I had a user defined event we would use to audit
downloading of media using this REGEX:
(\.torrent)|(\.mp3)|(\.mpeg)|(\.wma)|(\.iso)
It would easily allow us to see what URL and what files were being accessed
since we know we had an issue with someone running BitTorrent as well as
engaging in other non-approved activity. Prior to the upgrade I would be
able to see the URL in Site Protector to see if it was in fact something we
needed to investigate further. Obviously there were some "hits" on this
event that were not real policy violations. Another event we'd turn on when
needed simply showed when someone searched for the term "nude" in Google or
Yahoo using this REGEX: .search\S{1,100}[^me]nude.? We had some fun
cleaning that expression up because our first attempt would trigger on
"menudefault". I'm no REGEX expert but we did have some great custom events
and they were extremely useful for various situations.
After the upgrade Site Protector now displays this: URL_Raw_Data
User Defined (\.torrent)|(\.mp3)|(\.mpeg)|(\.wma)|(\.iso) which is
pretty much useless since those are just the REGEX strings I myself
entered. I don't want to log all of these events to an evidence file since
that involves too much effort in pulling over to analyze in Ethereal etc.
and we also use a central log/analysis/correlation system for our
firewalls, routers, syslogs, and IDS. That too has been affected since the
Site protector events no longer contain useful data.
So now we've lost all function of our user defined events, which is
troubling because we had over 2 dozen in use. I opened a support case and
was told this is considered the "normal" function of the Proventia now.
I've submitted an enhancement request but I'm baffled as to how a security
company could assume that not showing the data that triggered a user
defined event could not be a major flaw.
Has anyone else been affected by this and what are you now doing?
Regards,
Chris Norris CISSP
_______________________________________________
ISSForum mailing list
The ISSForum mailing list is hosted and managed by Internet Security Systems,
6303 Barfield Road, Atlanta, Georgia, USA 30328.
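The post quotes two user-defined event expressions and mentions that an earlier version of the "nude" search pattern fired on the string "menudefault". The script below is an added example, not code from the post or from ISS; it compiles the two quoted patterns with Python's standard `re` module and runs them over a handful of constructed URLs, returning the exact text each pattern matched. That matched text is the piece of evidence the poster says Site Protector stopped displaying after the 1.2 upgrade, so reproducing it offline shows what a tuned expression actually captures and why the `[^me]` guard removes the "menudefault" false positive. The post does not quote the first, untuned attempt, so the `search_nude_naive` pattern is an assumed stand-in (the same expression without the `[^me]` guard) used only for contrast; the sample URLs and the `classify` / `naive_only` function names are likewise my own.

```python
import re

# The two user-defined event expressions quoted in the post, compiled as written.
PATTERNS = {
    "media": re.compile(r"(\.torrent)|(\.mp3)|(\.mpeg)|(\.wma)|(\.iso)"),
    "search_nude": re.compile(r".search\S{1,100}[^me]nude.?"),
    # ASSUMPTION: the post does not show its first attempt, so this is a stand-in
    # that simply lacks the [^me] guard, to illustrate the false positive it fixed.
    "search_nude_naive": re.compile(r".search\S{1,100}nude.?"),
}

# Constructed sample URLs (not from the post, not from any real capture).
SAMPLE_URLS = [
    "http://www.google.com/search?hl=en&q=nude+beach",   # genuine search hit
    "http://www.example.com/search/menudefault.asp",    # the "menudefault" case
    "http://tracker.example.org/files/linux.iso",       # media extension hit
    "http://files.example.net/music/track01.mp3",       # media extension hit
    "http://www.example.com/index.html",                # should fire nothing
]


def classify(url):
    """Run every pattern over one URL.

    Returns {pattern_name: matched_text or None}. The matched text (group 0) is
    what an analyst needs to see in the console to decide whether the hit is a
    real policy violation or noise; the bare pattern string tells them nothing.
    """
    result = {}
    for name, rx in PATTERNS.items():
        m = rx.search(url)
        result[name] = m.group(0) if m else None
    return result


def hits(urls):
    """Return (url, {pattern: matched_text}) for URLs that fire at least one pattern."""
    out = []
    for url in urls:
        fired = {k: v for k, v in classify(url).items() if v is not None}
        if fired:
            out.append((url, fired))
    return out


def naive_only(urls):
    """URLs the unguarded pattern fires on but the tuned [^me] pattern does not.

    This is the false-positive set the post describes cleaning up.
    """
    return [
        url
        for url in urls
        if classify(url)["search_nude_naive"] is not None
        and classify(url)["search_nude"] is None
    ]


if __name__ == "__main__":
    for url, fired in hits(SAMPLE_URLS):
        print(url)
        for name, text in fired.items():
            print(f"    {name:18s} matched: {text!r}")
    print("false positives removed by [^me] guard:", naive_only(SAMPLE_URLS))
```

The `[^me]` guard works because in "menudefault" the character immediately before "nude" is "e", so the guarded pattern has no position at which it can match, while a real query string such as `q=nude` puts "=" in that slot. Running a candidate expression through a harness like this against a few known-good and known-bad URLs before loading it into the sensor is a cheap way to catch that class of false positive without waiting for production traffic.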