| Previous | Contents | Index |
To watch the session, use the mouse to select and execute the Watch option. When Watch is selected, a window for the watched session pops up and the user's keystroke activity is displayed in the window. For example, if the user is entering data on an input screen, you will see the input screen and each keystroke as the user types.
Select the Unwatch option when you want to stop watching the session. When Unwatch is selected, the watched session window will disappear. If you select this option and the session is not being watched, an error message is displayed.
The Clear option on the Security menu can also be used to clear all watched sessions.
One or more sessions can be watched at any time.
To get a "snapshot" of current session activity, select the Snapshot option.
When the Snapshot option is selected, a window pops up and the user's most current keystroke activity is displayed in the window. To exit the snapshot procedure, click on the INSA Manager window and then press [Return] --- the snapshot window disappears.
If the session is being recorded, the Playback option allows you to play back the recording in progress.
When this option is selected, a message says that the playback window is being created and you will be able to start, search or cancel the playback. (Refer to Section 9.2.2, Playing Back a Recording, for detail playback information.)
The Start Recording option allows you to start recording the session you are reviewing.
If the session you are reviewing is currently being recorded (you will see: Recording...), you can stop the recording process by selecting the Stop Recording option.
If you select this option and the session is not being recorded, an error message is displayed.
The Disconnect option is used to disconnect IP sessions.
ONLY IP sessions can be disconnected. If you attempt to disconnect a non-IP session, an error message is displayed. |
If the session is an IP session, and you select Disconnect, you are asked to confirm this action.
+Sure DISCONNECT session+
| Yes |
| No |
+-----------------------+
|
| Select Yes if you are SURE you want to disconnect the IP session. | |
| Select No if you do NOT want to disconnect the IP session. |
When you select Incidents, a menu of incidents is displayed if there have been alert incidents for this session. For example:
INTOUCH INSA INTOUCH INSA - Network Security Agent 23-Jan-1997
+ Incidents for LAT 2.22:17, probably user ALLEN +
| INVALID_LOGI 23-Jan-97 09:20:55 AM |
| MGMT 23-Jan-97 09:10:13 AM |
| MGMT 23-Jan-97 09:10:10 AM |
| MGMT 23-Jan-97 09:10:07 AM |
|------------------------------------------------|
| Exit |
+------------------------------------------------+
EXIT = Exit INTOUCH INSA \ = Back HELP = Help
|
If you want to display text information on an alert incident, use the mouse to select a specific incident. The "Output Options" menu will be displayed. Select Screen to display the detailed incident data on the screen. (See Section 6.6.2, Report Output Options for output information.)
9.2 Playback Option
The Playback option on the Security menu, plays back
previously recorded sessions.
When the Playback option is chosen,
+------Security-------+
| Sessions |
| Playback |
| Archive Playback |
+---------------------+
|
you are asked to select what recorded sessions you want to play back. After you select the sessions you want, INSA Manager creates a menu list of the selected recordings. You can then play back any of the listed recordings.
9.2.1 Selecting Session Recordings to Play Back
When you select Playback from the Security menu, the
following is displayed,
INTOUCH INSA Playback 23-Jan-1997 +Select Recordings+ | All | | User names | | Locations | | Alert names | |-----------------| | Exit | +-----------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help |
and you are asked to select which session recordings you want to play back. The options are:
| All | all of the recordings | |
| User names | recordings for specific user names | |
| Locations | recordings for specific addresses or domains | |
| Alert names | recordings for specific alert names | |
| Exit | return to the Security menu |
The Select Recordings menu All option creates a menu list of all the recorded sessions. You can then play back any of the items on the menu list.
| Example 9-4 All Recordings List |
|---|
+-----------------------------------Playback-----------------------------------+ | Recordings Exit | +------------------------------------------------------------------------------+ +-----------------------------Recorded Sessions------------------------------+ | Source Location User Alert K bytes Recording Date | | RAY.UTW.COM GRS URGENT 24 14-Jan-1997 07:39:13 | | LAT 1.36:3 TONY URGENT 6 22-Jan-1997 07:39:08 | | TTITEST.COM DAN URGENT 10 23-Jan-1997 10:02:52 | | LAT 9.214:8 JEANNIE PRIV 139 13-Jan-1997 09:08:15 | | LAT 9.214:7 ALLEN PRIV 76 22-Jan-1997 09:01:02 | | TTITEST.COM DAN URGENT 14 21-Jan-1997 10:12:40 | | LAT 1.10:1 ALLEN URGENT 474 21-Jan-1997 10:08:16 | +----------------------------------------------------------------------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help |
Each line of information includes:
Any of the recordings on the list can be played back. Section 9.2.2, Playing Back a Recording, explains how to select and play back a recording.
If selecting recordings by User names,
+Select Recordings+
| All |
| User names |
| Locations |
| Alert names |
|-----------------|
| Exit |
+-----------------+
|
you are asked for the user names you want to include.
User names (AAA,BBB,...)? ____________________________________________________ |
You can enter a single user name or a comma-separated list of user names. You can also use the asterisk (*) character as a wildcard. Here are some examples:
To select user name ALAN, enter:
To select user names, ALAN, SUE and GEORGE, enter:
To select the user names that:
enter:
After the user names are entered,
User names (AAA,BBB,...)? dan,allen___________________________________________ |
a menu list of the recorded sessions for the specified user names is displayed. For example:
+-----------------------------------Playback-----------------------------------+ | Recordings Exit | +------------------------------------------------------------------------------+ +-----------------------------Recorded Sessions------------------------------+ | Source Location User Alert K bytes Recording Date | | TTITEST.COM DAN URGENT 10 23-Jan-1997 10:02:52 | | LAT 9.214:7 ALLEN PRIV 76 22-Jan-1997 09:01:02 | | TTITEST.COM DAN URGENT 14 21-Jan-1997 10:12:40 | | LAT 1.10:1 ALLEN URGENT 474 21-Jan-1997 10:08:16 | +----------------------------------------------------------------------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help |
Any of the recordings on the list can be played back. Section 9.2.2, Playing Back a Recording, explains how to select and play back a recording.
If selecting session recordings by Locations,
+Select Recordings+
| All |
| User names |
| Locations |
| Alert names |
|-----------------|
| Exit |
+-----------------+
|
you are asked for the locations you want to include.
Locations (AAA,BBB,...)? ___________________________________________________ |
You can enter a single location/address, or a list of locations separated by commas. You can use the asterisk (*) character as a wildcard. Here are some examples:
To select LAT addresses that begin with LAT 1, enter:
To select IP domain names that end in .COM and IP addresses that end in .3, enter:
After you enter the locations,
Locations (AAA,BBB,...)? *.com______________________________________________ |
a menu list of the recorded sessions for the specified locations is displayed. For example:
+-----------------------------------Playback-----------------------------------+ | Recordings Exit | +------------------------------------------------------------------------------+ +-----------------------------Recorded Sessions------------------------------+ | Source Location User Alert K bytes Recording Date | | RAY.UTW.COM GRS URGENT 24 14-Jan-1997 07:39:13 | | TTITEST.COM DAN URGENT 10 23-Jan-1997 10:02:52 | | TTITEST.COM DAN URGENT 14 21-Jan-1997 10:12:40 | +----------------------------------------------------------------------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help |
Any of the recordings on the list can be played back. Section 9.2.2, Playing Back a Recording, explains how to select and play back a recording.
If selecting recordings by Alert names,
+Select Recordings+
| All |
| User names |
| Locations |
| Alert names |
|-----------------|
| Exit |
+-----------------+
|
you are asked to select the alert names you want to include on the recordings menu list.
INSA Manager displays a menu of alert names for you to select from. The alert names come from the alert file. For example:
+Select Alert Names+
| all |
|------------------|
| INVALID_LOGIN |
| MGMT |
| PAYROLL |
| PRIV |
| URGENT |
|------------------|
| Exit |
+------------------+
|
You can select one, several or all alert names.
To include ALL alert names, select the all menu item.
To select an alert name, use the mouse to select the name you want from the menu of alert names. The selection is displayed at the top of the screen. Repeat this procedure for each name you want to select. Select as many alert names as you wish.
To remove one of the selected names, select the Remove Alert Name option. A menu of the selected alert names is displayed.
+--Select Alert Names--+
| ... +Remove Alert Name-+
| Remove Alert Name | INVALID_LOGIN |
|--------------------| MGMT |
| Exit | PRIV |
+--------------------+------------------+
|
Use the mouse to select the name you want to remove. The name will be removed from the list at the top of the screen. Repeat this procedure to remove any other names.
Select the accept current default menu item when you are done selecting (and removing) alert names.
Use the reset menu option to erase the current selections and start over.
The alert names you select are displayed at the top of the screen.
After you finish selecting alert names, a menu list of the recorded sessions for the specified alert names is displayed. For example, if the alert PRIV is selected, the list would show:
+-----------------------------------Playback-----------------------------------+ | Recordings Exit | +------------------------------------------------------------------------------+ +-----------------------------Recorded Sessions------------------------------+ | Source Location User Alert K bytes Recording Date | | LAT 9.214:8 JEANNIE PRIV 139 13-Jan-1997 09:08:15 | | LAT 9.214:7 ALLEN PRIV 76 22-Jan-1997 09:01:02 | +----------------------------------------------------------------------------+ EXIT = Exit INTOUCH INSA \ = Back HELP = Help |
Any of the recordings on the list can be played back. Section 9.2.2, Playing Back a Recording, explains how to select and play back a recording.
9.2.2 Playing Back a Recording
To start the playback procedure, use the mouse to select a recording
from the Recorded Sessions menu list. In the following example, the
recording for user ALLEN is selected:
+-----------------------------------Playback-----------------------------------+ | Recordings Exit | +------------------------------------------------------------------------------+ +-----------------------------Recorded Sessions------------------------------+ | Source Location User Alert K bytes Recording Date | | RAY.UTW.COM GRS URGENT 24 14-Jan-1997 07:39:13 | | LAT 1.36:3 TONY URGENT 6 22-Jan-1997 07:39:08 | | TTITEST.COM DAN URGENT 10 23-Jan-1997 10:02:52 | | LAT 9.214:8 JEANNIE PRIV 139 13-Jan-1997 09:08:15 | | LAT 9.214:7 ALLEN PRIV 76 22-Jan-1997 09:01:02 | | TTITEST.COM DAN URGENT 14 21-Jan-1997 10:12:40 | | LAT 1.10:1 ALLEN URGENT 474 21-Jan-1997 10:08:16 | +----------------------------------------------------------------------------+ |
After the recording is selected (ALLEN in this case), the screen clears and you see information about the recorded session and a message telling you that the playback window is being created.
INTOUCH INSA Playback 23-Jan-1997
+----------------Recording started on 21-Jan-1997 10:08:16---------------+
| |
| LAT 1.10:1, probably user ALLEN |
| |
| Last login : 21-Jan-1997 09:10:36 |
| Alert : URGENT |
| Recording size: 474 KB |
+------------------------------------------------------------------------+
Creating playback window...
EXIT = Exit INTOUCH INSA \ = Back HELP = Help
|
Next, INSA Manager opens the playback window and places you in the playback window.
At this time, the "active" window is the playback window which is blank. You are currently in the playback window, and you have to click back on the INSA Manager window which looks like the following. |
INTOUCH INSA Playback 23-Jan-1997
+----------------Recording started on 21-Jan-1997 10:08:16---------------+
| |
| LAT 1.10:1, probably user ALLEN |
| |
| Last login : 21-Jan-1997 09:10:36 |
| Alert : URGENT |
| Recording size: 474 KB |
+------------------------------------------------------------------------+
+--------------------+
| Start Playback |
| Search Recording |
| Cancel Playback |
+--------------------+
EXIT = Exit INTOUCH INSA \ = Back HELP = Help
|
After you click back to the INSA Manager window, you can select what you want to do next. The options are:
| Start Playback | start playing back the recorded session | |
| Search Recording | search the recording for a pattern of text, characters, etc. | |
| Cancel Playback | cancel this playback and return to the recordings list menu |
If you select Start Playback, INSA Manager starts the playback and displays the playback Options box and the Status box.
INTOUCH INSA Playback 23-Jan-1997
+----------------Recording started on 21-Jan-1997 10:08:16---------------+
| |
| LAT 1.10:1, probably user ALLEN |
| |
| Last login : 21-Jan-1997 09:10:36 |
| Alert : URGENT |
| Recording size: 474 KB |
+------------------------------------------------------------------------+
+------------------------------------------++----------------------------+
| Options || File |
| || |
| Press any key for a menu of playback || current |
| options. |+----------------------------+
| |+----------------------------+
| Press the + (plus) key to increase the || Status |
| playback speed. || |
| || Status : PLAY |
| Press the - (minus) key to decrease the || Play Rate : 50 |
| playback speed. || K bytes played: 94 |
| || Percent played: 20 |
+------------------------------------------+| |
| 21-Jan-1997 10:35:08 |
+----------------------------+
EXIT = Exit INTOUCH INSA \ = Back HELP = Help
|
| Previous | Next | Contents | Index |