[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISSForum] NIDS 7.0 source and destination fields



Hi, 

I have done a Network IDS 7.0 installation recently. (NIDS sensor NIC on a
hub with external FW interface, attackdetector policy applied)

It is picking up quite a lot of HTTP code red, nimba etc FROM my internal
web server. I am 120% sure that the webserver is patched, and checked the
configurations, vulnerability alerts etc. 

Double click on an HTTP code red II event will show:
..... 
Source IP address: 		a.b.c.d (my web server), confused.....
Destination IP address: 	w.x.y.z (some external Internet address),
confused.....
Victim's IP address: 	a.b.c.d (my web server), looks correct....
Intruder IP address: 		w.x.y.z (some external Internet address),
looks correct....
......

I am unsure of why the NIDS picking up the "wrong" Source and Destination IP
address as my webserver? Any ideas or advices???
Or which table in the ISSED can I find victim/intruder's IP address??
(Doesn't look like they are in Events table).

Thanks alot, 

Jack, 
Security analyst
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo