
Re: [ISSForum] NIDS 7.0 source and destination fields



Just use the "log evidence" response for the Code Red event.  This will
give you a packet capture in the "log" directory on the NID which you can
open with a packet analyzer such as Ethereal.  That will tell you what the
packet that is causing the event really is.  Also, just because your server
is patched does not mean it isn't infected.

Ryan J. Thomas



From: "Chan, Jack" <jack.chan@xxxxxisys.com>
Sent by: issforum-admin@iss.net
Date: 06/16/2003 04:20 PM
To: ISSForum@xxxxxxx
cc:
Subject: [ISSForum] NIDS 7.0 source and destination fields




Hi,

I have done a Network IDS 7.0 installation recently. (NIDS sensor NIC on a
hub with external FW interface, attackdetector policy applied)

It is picking up quite a lot of HTTP Code Red, Nimda etc. FROM my internal
web server. I am 120% sure that the webserver is patched, and I have checked the
configurations, vulnerability alerts etc.

Double-clicking on an HTTP Code Red II event will show:
.....
Source IP address:      a.b.c.d (my web server), confused.....
Destination IP address: w.x.y.z (some external Internet address), confused.....
Victim's IP address:    a.b.c.d (my web server), looks correct....
Intruder IP address:    w.x.y.z (some external Internet address), looks correct....
......

I am unsure why the NIDS is picking up the "wrong" Source and Destination
IP address as my webserver. Any ideas or advice???
Or in which table in the ISSED can I find the victim's/intruder's IP address??
(They don't look like they are in the Events table.)

Thanks a lot,

Jack,
Security analyst
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
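The relationship between the four address fields Jack quotes, and the triage Ryan's advice implies, can be written down as a small classifier. This is an added example in Python, not ISS/RealSecure code; the internal address ranges and the sample events are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the site's internal address space (adjust to your own ranges).
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"),
                 ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class NidsEvent:
    """The four address fields shown in the NIDS 7.0 event detail."""
    name: str
    source_ip: str       # sender of the packet that fired the signature
    destination_ip: str  # receiver of that packet
    victim_ip: str       # host the sensor reports as attacked
    intruder_ip: str     # host the sensor reports as the attacker


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def triage(ev: NidsEvent) -> str:
    """Classify an event by how the packet endpoints relate to victim/intruder."""
    if ev.source_ip == ev.intruder_ip and ev.destination_ip == ev.victim_ip:
        # Packet travelled intruder -> victim: the ordinary case.
        if is_internal(ev.intruder_ip):
            # An internal host emitting attack traffic: "patched" does not
            # rule out "infected"; treat it as a possible compromise.
            return "internal-host-attacking"
        return "inbound-attack"
    if ev.source_ip == ev.victim_ip and ev.destination_ip == ev.intruder_ip:
        # The packet that matched was SENT BY the victim (for example a reply
        # that still carries the offending request text).  Use "log evidence"
        # and read the capture before drawing conclusions.
        return "reversed-inspect-capture"
    return "inconsistent"


# Constructed sample: Jack's event, an ordinary inbound hit, and an
# internal host seen attacking outwards.
SAMPLE_EVENTS = [
    NidsEvent("HTTP_CodeRedII", "192.168.1.10", "198.51.100.7",
              "192.168.1.10", "198.51.100.7"),
    NidsEvent("HTTP_CodeRedII", "198.51.100.7", "192.168.1.10",
              "192.168.1.10", "198.51.100.7"),
    NidsEvent("HTTP_Nimda", "192.168.1.10", "198.51.100.7",
              "198.51.100.7", "192.168.1.10"),
]
```

Running `triage` over `SAMPLE_EVENTS` puts Jack's event in the bucket where the triggering packet left the victim, which is exactly the case where the logged packet, not the alert summary, tells you what happened.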