[ISSForum] NIDS 7.0 source and destination fields
I have done a Network IDS 7.0 installation recently. (NIDS sensor NIC on a
hub with external FW interface, attackdetector policy applied)
It is picking up quite a lot of HTTP Code Red, Nimda, etc. FROM my internal
web server. I am 120% sure that the web server is patched, and I have checked the
configurations, vulnerability alerts, etc.
Double-clicking on an HTTP Code Red II event will show:
Source IP address: a.b.c.d (my web server), confused.....
Destination IP address: w.x.y.z (some external Internet address),
Victim's IP address: a.b.c.d (my web server), looks correct....
Intruder IP address: w.x.y.z (some external Internet address),
I am unsure why the NIDS is picking up the "wrong" Source and Destination IP
address as my web server. Any ideas or advice???
Or in which table in the ISSED can I find the victim/intruder's IP address??
(It doesn't look like they are in the Events table.)