Previous | Contents | Index |
While the playback is running, you can use the following options (shown in the Options box) to control the playback:
any key | Press ANY key (except + or -) to pause the playback and display the Playback Options menu. | |
+ |
Press the
+ (plus) key to INCREASE the playback speed.
The speed or play rate starts at 50. You can adjust it as high as 100 (the fastest speed) or as low as 1 (the slowest speed). |
|
- | Press the - (minus) key to DECREASE the playback speed. |
The File box shows which file is being processed. "current" is displayed in the box if you are playing back recordings from the current recordings file. An archive file name (i.e. APRIL_01_15) is displayed in the box if you are playing back recordings from one of the recordings archive files. See Section 9.3, Archive Playback Option.
The Status box is updated continuously as the playback runs. The Status box shows the status (PLAY, PAUSE, SEARCH, FINISHED), play rate (1-100), K bytes already played, and percent of total played.
Play is measured by K bytes. A K byte is 1024 bytes.
The Status box also shows the recording date and time which is updated as the recording is played back --- this is the date and time the text shown in the playback window was recorded.
If you press any key (except + or -) while the recording is being played back, the playback pauses and the Playback Options menu is displayed. You can then change playback speed, do a search, or continue the playback.
+------Playback Options------+ | Play | | Increase playback speed | | Decrease playback speed | | Search from here | | Search from beginning | |----------------------------| | Exit | +----------------------------+ |
Play | Continue playing back the recording. | |
Increase playback speed | Increase the playback speed. The maximum play rate is 100. The speed is shown in the Status box. Select Play to resume playback. | |
Decrease playback speed | Decrease the playback speed. The mimimum play rate is 1. The speed is shown in the Status box. Select Play to resume playback. | |
Search from here | Start the search from this point in the recording. | |
Search from beginning | Start the search from the beginning of the recording. |
To use the search option, select the recording you are going to play back, and then select Search Recording from the menu.
The playback search option allows you to search through the recording for patterns of characters, text, etc., and start playing back the recording from that point.
INTOUCH INSA Playback 23-Jan-1997 +----------------Recording started on 21-Jan-1997 10:08:16---------------+ | | | LAT 1.10:1, probably user ALLEN | | | | Last login : 21-Jan-1997 09:10:36 | | Alert : URGENT | | Recording size: 474 KB | +------------------------------------------------------------------------+ +--------------------+ | Start Playback | | Search Recording | | Cancel Playback | +--------------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help |
You are asked to enter the pattern that you want to search for.
Search pattern? ____________________________________________________________ |
You can enter words, text, characters or specific patterns such as those used in the rules file. (See Section 8.3.4, Creating Rule Patterns.) If, for example, you want to search for the word "password", enter:
PASSWORD | to search for the word in UPPERCASE | |
password | to search for the word in lowercase | |
{|nocase|}password | to search for the word in upper, lower and mixed case |
After you enter the search pattern, the status box shows a status of SEARCH as INSA Manager searches the recording, at the maximum play rate, for the entered pattern displayed at the bottom of the window.
If/When the pattern is found, the playback pauses, and the Playback Options menu is displayed. A message at the bottom of the window tells how many times this search pattern has been found.
Depending on the pattern and subsequent keystroke actions, the pattern may or may not be displayed when the playback is paused. INSA Manager attempts to pause as close to the found pattern as is possible. If the pattern is not displayed, it is usually displayed when playback resumes. |
Select one of the following Playback Options to continue:
+-----Playback Options-----+ | Find next | | Play | | Increase search speed | | Decrease search speed | | Search from here | | Search from beginning | |--------------------------| | Exit | +--------------------------+ 1 occurrence of PASSWORD found |
Find next | Search for another occurrence of this pattern. | |
Play | Continue playing back the recording. | |
Increase search speed | Increase the search speed. The maximum play rate is 100. The speed is shown in the Status box. | |
Decrease search speed | Decrease the search speed. The mimimum play rate is 1. The speed is shown in the Status box. | |
Search from here | Start searching from this point in the recording. | |
Search from beginning | Start searching from the beginning of the recording. |
When the playback is completed, the status shows FINISHED and you are asked:
+-----------+ | Replay | | Exit | +-----------+ |
Select Replay to replay the recorded session. | |
Select Exit to return to the recordings list menu. |
If you select Replay, the recording starts playing back again. You can use the playback options as you did the first time the recording was played.
If you select Exit, the playback window disappears and you are returned to the menu list of recordings. You can then select another recording to play back.
If you Exit early --- without waiting for the "FINISHED" status display, the playback window disappears and you are returned to the recordings menu list with no chance to replay the recording. You can, however, re-select the same recording from the recordings list and start over. |
During a playback or search, you can press the plus (+) and minus (-) keys to increase and decrease speed. This does NOT stop the playback or search, only the speed changes as requested. If you want to stop the playback/search and change speeds, press any key (except + and -) to pause the playback and bring up the Playback Options menu. Then you can increase/decrease the speed and resume playback or search.
Some keys are associated with playback menu options. For example, if you press a key, such as the "P" key, to pause and bring up the Playback Options menu, the default menu option will be Play whether it is the first menu item or not. If the pressed key is not recognized, the first menu item will be the default item.
The "Search . . ." menu options ask for a search pattern. The previous search pattern (if there was one) is the default. Either accepting the default or entering a new pattern resets the "found counter" to zero.
You can select "Start Playback" and play some of the recording and then do a search. To do this, press any key (except + or -) to pause the playback and bring up the Playback Options menu; select "Search from here" or "Search from beginning" and you will be asked for a search pattern.
9.3 Archive Playback Option
The Archive Playback option on the Security menu,
plays back archived recordings.
+------Security-------+ | Sessions | | Playback | | Archive Playback | +---------------------+ |
This option works basically the same as the Playback option. The difference is that you play back recorded sessions from an archive recordings file instead of from the current recordings file.
When the Archive Playback menu option is selected, a list of the archived recordings files is displayed.
+-------------------------------Archive Playback-------------------------------+ | Files Exit | +------------------------------------------------------------------------------+ +Archived Recordings+ | | | Files | | APRIL_01_15 | | MARCH_01_15 | | MARCH_16_31 | +-------------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help |
Select the archive file that you want to play back session recordings from.
You are then asked to select the specific recordings to play back.
+Select Recordings+ | All | | User names | | Locations | | Alert names | |-----------------| | Exit | +-----------------+ |
After you select the archived recorded sessions you want, INSA Manager creates a menu list of the selected recordings. You can then play back any of the listed recordings.
If you need help to answer any of the prompts, you can press the [Help] key to get information, or refer to Section 9.2, Playback Option.
Example 10-1 Report Procedures |
---|
+-----------------INTOUCH INSA - Network Security Agent V1.5-------------------+ | Security Status Reports Maintenance General Advanced Exit | +----------------------+-------Reports-------+---------------------------------+ | Incident | | Alert | | Recordings | | Browser Accesses | +---------------Top----------------+ | URL Accesses | | IP Address (volume) | | Active Browsers | | IP Connection (volume) | | Audit | | Browser Accesses | | Page | | URL Accesses | | Top [>| | URL Connection | | Archive [>| | Email | +---------------------+ | Email (volume) | | Email Correspondence | | Email Correspondence (volume) | +----------------------------------+ +----Archive----+ | Incident | | Recordings | | Audit | +---------------+ |
The Reports menu options create various reports.
The E-mail reports appear on the Top menu only if the SMTP port has been enabled and the assigned port number is two or greater. See Chapter 13, E-mail Surveillance, for more information. |
The Reports menu options are:
10.1 Incident Reports
The Incident menu option creates reports of incidents
in the current incident file (refer to Section 10.18, Archive Incident Reports, for
information on creating reports from archived incident files).
+-------Reports-------+ | Incident | | Alert | | Recordings | | Browser Accesses | | URL Accesses | | Active Browsers | | Audit | | Page | | Top [>| | Archive [>| +---------------------+ |
INTOUCH INSA Incident Report 06-Mar-1997 +------------- Sort Order -------------++------------ Report Type -------------+ |1) || | |2) || | |3) ||File: current | |4) ||Type: | |5) || | |6) || | +--------------------------------------++--------------------------------------+ +--------- Selection Criteria -------------------------------------------------+ |Begin date : | |End date : | |Alert names: | |Priorities : | |User names : | |Locations : | +------------------------------------------------------------------------------+ +----Sort Order-----+ | default order | |-------------------| | Incident date | | Incident time | | User name | | Alert priority | | Alert name | | Location | |-------------------| | Exit | +-------------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help |
Before a report is created, you are asked some questions about the type of report to create, what to include on the report, time period to report on, etc.
Selecting "Exit" from any of the menu prompts or entering "EXIT" at an input prompt stops the incident report procedure and returns you to the Reports menu. To back up to previous prompts, use the \ (backslash) key. |
When the Incident report option is selected, the Incident Report screen is displayed and you are asked for a sort order. You choose how to sort the data for the report.
Note: If this report was run before, whatever sort order was selected the last time, will be shown in the "Sort Order" box. If you want to use this same sort order, select accept current default. If you want to change the sort order, select reset to start over.
The default sort order is by incident date and time. If you wish to accept the default sort order, select default order. If the default order is selected, the primary sort field "Incident date" is displayed in the "Sort Order" box:
+------------- Sort Order -------------+ |1) Incident date | |2) | |3) | |4) | |5) | |6) | +--------------------------------------+ |
and you continue on to the next report criteria prompt.
If you wish to specify a different sort order, use the mouse to select sort field items from the menu. For example, you could select "Alert name" as the primary sort field, select "User name" as the second sort field, select "Incident date" as the third sort field, etc. Select accept current default when you are done selecting sort fields.
+--------Sort Order---------+ | accept current default | | reset | |---------------------------| | Incident time | | Alert priority | | Location | |---------------------------| | Exit | +---------------------------+ |
The fields you select are displayed in the "Sort Order" box.
+------------- Sort Order -------------+ |1) Alert name | |2) User name | |3) Incident date | |4) | |5) | |6) | +--------------------------------------+ |
To change the sort order, select the reset menu item which appears on the menu after you have made your first selection. reset clears the sort order box and you can start over with your sort order selections or take the default.
Previous | Next | Contents | Index |