Re: Change control features in IDS products?

From: Andrew Plato (aplato@anitian.com)
Date: 01/04/02 

Date: Fri, 4 Jan 2002 13:24:43 -0800
From: "Andrew Plato" <aplato@anitian.com>
To: <toby.kohlenberg@intel.com>

> Does anyone know of any development
> being done to integrate change control
> features into IDS products? Have people
> got solutions that they've cobbled
> together for this? I can see using some
> source code control product to handle
> things like snort or dragon config and
> rule files, but what about a way to identify who made
> the last change to an ICEcap group config?

Toby,

ICEcap stores every last chunk of information in its SQL Server
database. This database has the ability to log the last ICEcap user who
made changes to the last group or policy config and when they made it.

If you navigate to the Tools item and then select longSQL query, run the
following Query:

select * from PolicyGroup

This will retrieve a list of all the groups in ICEcap. There is a field
for LastModifiedBy and LastModified. If you then Query the Users table
with:

select * from Users

You get a list of the users and their UserID....which is what is stored
in the LastModifiedBy column.

Now, you could code a report in Crystal Reports to pull this data from
the ICEcap database and then present it in a nicer format. You'd need a
copy of Crystal designer. You should also checkout the ICEcap Advanced
Admin Guide...which is supposed to be coming out one of these days (you
would think I know - I wrote the damn thing!) This tells you how to then
tie custom reports to ICEcap.

Now, I don't know if ISS has bigger plans for this feature. Its kind of
an undocumented thing. There are quite a few database fields that are
waiting for future use that actually do work. They just never tied them
to the UI.

Good luck!

------------------------------------
Andrew Plato
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
Yahoo Messenger: Anitian
------------------------------------

Relevant Pages

  • RE: Change control features in IDS products?
    ... If your not comfortable with SQL queries, you can paste this into the ICECap interface at: ... Tools -> SQL Utilities -> SQL Query ... This database has the ability to log the last ICEcap user who ...
    (Focus-IDS)
  • RE: Host IDS volume of reporting data
    ... I've been running NetworkICE's ICECap for two month with just 30 sensors and ... now my SQL Server database has reached 85M. ... ICECap deletes old events from the database after configurable ...
    (Focus-IDS)