[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [ISSForum] NIDS 7.0 source and destination fields



Thanks to 4 of you with the prompt response! So it is "working by design",
as some signatures are detected in the reply packets. 

Can anyone kindly suggest which tables/fields I can find the intruder and
victim in ISSED?? 

As I am writing code (using odbc) to extract out attackers and other info.
The code works for HIDS, but NIDS data will look a bit funny if my web
server is rated as Top ten attackers for the month :)

Thanks,

Jack


-----Original Message-----
From: Chan, Jack 
Sent: Tuesday, 17 June 2003 11:21 a.m.
To: ISSForum@xxxxxxx
Subject: [ISSForum] NIDS 7.0 source and destination fields


Hi, 

I have done a Network IDS 7.0 installation recently. (NIDS sensor NIC on a
hub with external FW interface, attackdetector policy applied)

It is picking up quite a lot of HTTP code red, nimba etc FROM my internal
web server. I am 120% sure that the webserver is patched, and checked the
configurations, vulnerability alerts etc. 

Double click on an HTTP code red II event will show:
..... 
Source IP address: 		a.b.c.d (my web server), confused.....
Destination IP address: 	w.x.y.z (some external Internet address),
confused.....
Victim's IP address: 	a.b.c.d (my web server), looks correct....
Intruder IP address: 		w.x.y.z (some external Internet address),
looks correct....
......

I am unsure of why the NIDS picking up the "wrong" Source and Destination IP
address as my webserver? Any ideas or advices???
Or which table in the ISSED can I find victim/intruder's IP address??
(Doesn't look like they are in Events table).

Thanks alot, 

Jack, 
Security analyst
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo