HPE Community
Operating System - OpenVMS
1830220 Members
2280 Online
109999 Solutions
New Discussion

Re: Blocking intrusion detection.

 
SOLVED
Go to solution
Jan van den Ende
Honored Contributor

‎02-15-2004 09:05 PM

‎02-15-2004 09:05 PM

Re: Blocking intrusion detection.

oct 1 2003 Anwar-Ul-Haq started the "Blocking Intrusion Detection .. " stream.
Oct 3 John Gillings posted an answer with a little script.
I only entered the forum end december, and when I read this stream it immediately suggested the solution for a problem we have had since our desktop environment started using Citrix.
It is really quite simple, you just need to be smart enough to think it up (which we were not) or have it pointed out.
The real winner is the partial wildcard in "DELETE/INTRUSION some_substring_* ".

Because I think both Anwar (for formulating the question) and John (for the blinding pointer) well deserve points, I ask them to reply to this, just so I may award them.

Jan
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Reply
6 REPLIES 6
John Gillings
Honored Contributor

‎02-18-2004 08:42 AM

‎02-18-2004 08:42 AM

Solution

Re: Re: Blocking intrusion detection.

Jan,
Just be careful you don't mask any real intrusions! Maybe log any intrusions you delete somewhere?
A crucible of informative mistakes
Reply
Jan van den Ende
Honored Contributor

‎02-18-2004 06:16 PM

‎02-18-2004 06:16 PM

Re: Re: Blocking intrusion detection.

John:
of course! (we also have a policy that users who err too often often are singled out, and receive some extra instruction, so we need the info anyway)

jpe
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Reply
Mobeen_1
Esteemed Contributor

‎02-26-2004 07:23 PM

‎02-26-2004 07:23 PM

Re: Re: Blocking intrusion detection.

Jan,
To be precise its supposed to be

DELETE/INTRU

rgds
Mobeen
0 Kudos
Reply
Jan van den Ende
Honored Contributor

‎03-07-2004 07:25 PM

‎03-07-2004 07:25 PM

Re: Re: Blocking intrusion detection.

Mobeen,

sorry, but that _MAY_ be the case if the user logs in from a terminal, but in our case _several_ users ( up to 60 in peak hours) use _the_same_ source (a Citrix server) to login from.
The DELETE/INTRUSION should specify EXACTLY (including case sensitivity) what the SOURCE field in SHOW INTRUSION gives.
And my real winner in this was the wildcard possibility!

Thanks for reacting anyway!

Jan
Don't rust yours pelled jacker to fine doll missed aches.
0 Kudos
Reply
Uwe Zessin
Honored Contributor

‎03-07-2004 07:35 PM

‎03-07-2004 07:35 PM

Re: Re: Blocking intrusion detection.

Mobeen,

if you like to see some other examples for the source you can see them with:

$ help delete/intrusion_record examples
.
0 Kudos
Reply
Mobeen_1
Esteemed Contributor

‎03-07-2004 07:48 PM

‎03-07-2004 07:48 PM

Re: Re: Blocking intrusion detection.

Jan,
Agreed :))

rgds
Mobeen
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.