User guide

Chapter 9: Configuring Other Intrusion Prevention Settings
News_Group context
Use the News_Group context to monitor the names of news groups that people at your
company access.
Monitors
The News_Group context monitors people accessing news groups using the NNTP
protocol.
Example
You can use the context to detect subscriptions to news groups, such as hacker or
pornography groups, that are inappropriate according to your company’s Internet
usage policy.
Password context
Use the Password context to identify passwords passed in clear text over the network.
When a password is not encrypted, an attacker can easily steal it by monitoring traffic
with a sniffer program from another site.
Monitors
The Password context monitors programs or users sending passwords in clear text
using the FTP, POP, IMAP, NNTP or HTTP protocols.
You can also use the Password context to do the following:
- monitor compromised accounts to gain forensic data
- monitor the accounts of terminated employees
- detect the use of default passwords
Note: This context does not monitor encrypted passwords.
Examples
Monitoring compromised accounts: After cancelling a compromised account, you can
create a signature to monitor outside attempts to use it and find the person that
accessed the compromised data.
Monitoring terminated employee accounts: Add searches for terminated employees’
passwords to detect unauthorized remote access attempts to their closed accounts.
Detecting the use of default passwords: Set up signatures to look for default
passwords relevant to your site to detect attackers probing for common
vulnerabilities.
Note: The X-Force database contains many records detailing the names of such
accounts. For more information about default passwords, look up passwords in the
X-Force database at http://xforce.iss.net.
Using this signature with Internet Scanner
If you scan the network using Internet Scanner, a signature using this context to check
for default passwords may detect many instances of this event in response to a
password scan.
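
An added example (not code from this guide or from the product) of the kind of check the Password context describes: it scans the client side of a clear-text FTP, POP, IMAP, NNTP or HTTP session for credentials and flags watched accounts and default passwords, without recording the password itself. The function names, watch lists and sample lines are constructed assumptions.

```python
import base64
import re

# Constructed watch lists (assumptions, not values from the guide).
WATCHED_ACCOUNTS = {"jdoe"}                  # e.g. a cancelled or terminated account
DEFAULT_PASSWORDS = {"admin", "changeme"}    # defaults relevant to your site

# Client commands that carry credentials in clear text.
USER_CMD = re.compile(r"^(?:USER|AUTHINFO USER)\s+(\S+)\s*$", re.I)    # FTP, POP, NNTP
PASS_CMD = re.compile(r"^(?:PASS|AUTHINFO PASS)\s+(.+?)\s*$", re.I)
IMAP_LOGIN = re.compile(r"^\S+\s+LOGIN\s+\"?([^\"\s]+)\"?\s+\"?([^\"\s]+)\"?\s*$", re.I)
HTTP_BASIC = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.I)


def _event(proto, user, password):
    # Report what matched, never the password value.
    return {
        "protocol": proto,
        "user": user,
        "watched_account": user.lower() in WATCHED_ACCOUNTS,
        "default_password": password.lower() in DEFAULT_PASSWORDS,
    }


def scan_session(proto, client_lines):
    """Return one event per clear-text credential seen in a client stream."""
    events, pending_user = [], None
    for line in client_lines:
        if m := HTTP_BASIC.match(line):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                continue  # malformed base64: no usable credential
            user, sep, password = decoded.partition(":")
            if sep:
                events.append(_event(proto, user, password))
        elif m := IMAP_LOGIN.match(line):
            events.append(_event(proto, m.group(1), m.group(2)))
        elif m := USER_CMD.match(line):
            pending_user = m.group(1)  # wait for the matching PASS line
        elif (m := PASS_CMD.match(line)) and pending_user is not None:
            events.append(_event(proto, pending_user, m.group(1)))
            pending_user = None
    return events


if __name__ == "__main__":
    # Constructed POP session: default password on a non-watched account.
    print(scan_session("pop", ["USER root", "PASS changeme"]))
```

A session encrypted with TLS yields no events, which matches the guide's note that this context does not monitor encrypted passwords.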