Re: [ISSForum] NIDS 7.0 source and destination fields
I'm having this problem too but found it on another signature, "TCP_Probe_HTTP". Basically, the addresses reflected in source and destination do not tally with victim and intruder. I have opened a case and apparently it's caused by XPU 20.13. If you wish to change how the source and destination IP are reported without using the New Tuning Parameters in X-Press Update 20.13, please set this value:
You would need to do the following from your RealSecure Workgroup Manager:
1) Right click the affected sensor and select Properties.
2) Navigate to the Advance Tab and select 'Add'
3) The parameters are: Name = pam.report.intruder-as-source, Type = Boolean, Value = True
4) Click Ok to apply the setting.
With this configuration, the sensor will report the SourceIP as the attackerip and the DestinationIP as the victimip.
Hope this helps.... :)
----- Original Message -----
From: "Chan, Jack" <jack.chan@xxxxxxxxxxxxx>
Date: Tue, 17 Jun 2003 09:20:36 +1000
Subject: [ISSForum] NIDS 7.0 source and destination fields
> I have done a Network IDS 7.0 installation recently. (NIDS sensor NIC on a
> hub with external FW interface, attackdetector policy applied)
> It is picking up quite a lot of HTTP code red, Nimda etc FROM my internal
> web server. I am 120% sure that the webserver is patched, and checked the
> configurations, vulnerability alerts etc.
> Double click on an HTTP code red II event will show:
> Source IP address: a.b.c.d (my web server), confused.....
> Destination IP address: w.x.y.z (some external Internet address),
> Victim's IP address: a.b.c.d (my web server), looks correct....
> Intruder IP address: w.x.y.z (some external Internet address),
> looks correct....
> I am unsure of why the NIDS is picking up the "wrong" Source and Destination IP
> address as my webserver? Any ideas or advice???
> Or which table in the ISSED can I find victim/intruder's IP address??
> (Doesn't look like they are in Events table).
> Thanks a lot,
> Security analyst
> ISSForum mailing list
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo