September 2nd, 2003, 05:39 PM
Anyone use Symantec (Axent) ITA?
I'm a network security manager for my company, running the latest version of Symantec ITA. One function I'm using ITA for is to tail a router syslog. Does anyone out there know how I would set up ITA to filter out specific events from a router syslog? Or how to set up complex search strings? I don't want anything specific (info-wise...), just a basic example (or examples) of a search string...
September 10th, 2003, 09:26 AM
For example, here is an IIS log file entry:
10:46:32 192.168.2.5 GET /exchange/..%5c..%5c..%5c..%5c..%5c/winnt/system32/cmd.exe
To get ITA to alert on such a thing you would have a signature such as:
This will parse for any items in a log entry that contain the above. Of course, you can be as granular as you like; you can check out pages 5.16 & 5.17 of the ITA User's Guide for more information.
Hope this helps
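As an added illustration of what a "search string" rule does against the IIS entry quoted above (example code, not Symantec ITA's own rule syntax, which is not reproduced in the thread): the rule names, regexes, the simple `time client method uri` parser and the sample log lines are all constructed here. It goes one step past the post by URL-decoding the path first, so encoded and double-encoded forms of the same traversal are caught by one rule.

```python
import re
from urllib.parse import unquote

# Constructed rules: a name plus a regex applied to the normalised request path.
RULES = [
    ("dir-traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("cmd-exe-request", re.compile(r"/cmd\.exe\b", re.IGNORECASE)),
]

def normalise(path: str) -> str:
    """Percent-decode twice (to unwrap double encoding such as %255c) and
    fold backslashes to '/', so '..%5c' compares equal to '../'."""
    decoded = unquote(unquote(path))
    return decoded.replace("\\", "/").lower()

def parse_iis_line(line: str):
    """Split the 'time client method uri' layout of the quoted log entry."""
    parts = line.split()
    if len(parts) < 4:
        return None  # not a request line we understand; ignore it
    return {"time": parts[0], "client": parts[1], "method": parts[2], "uri": parts[3]}

def match_rules(line: str):
    """Return the names of every rule that fires on one log line."""
    entry = parse_iis_line(line)
    if entry is None:
        return []
    path = normalise(entry["uri"])
    return [name for name, rx in RULES if rx.search(path)]

def scan(lines):
    """Return (line, hits) for each line that triggered at least one rule."""
    results = []
    for line in lines:
        hits = match_rules(line)
        if hits:
            results.append((line, hits))
    return results

# Constructed sample log: the entry quoted in the thread, a benign request,
# and a double-encoded variant of the same traversal.
SAMPLE_LOG = [
    "10:46:32 192.168.2.5 GET /exchange/..%5c..%5c..%5c..%5c..%5c/winnt/system32/cmd.exe",
    "10:46:40 192.168.2.7 GET /exchange/inbox.asp",
    "10:46:51 192.168.2.5 GET /scripts/..%255c..%255c/winnt/system32/cmd.exe",
]

if __name__ == "__main__":
    for line, hits in scan(SAMPLE_LOG):
        print(f"ALERT {hits}: {line}")
```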
September 22nd, 2003, 10:04 PM
Thanks... I'll definitely try it out...