
Re: [ISSForum] NIDS 7.0 source and destination fields



Hi Jack,
   I'm having this problem too, but found it on another signature, "TCP_Probe_HTTP". Basically, the addresses reflected in Source and Destination do not tally with Victim and Intruder. I have opened a case and apparently it's caused by XPU 20.13. If you wish to change how the source and destination IP are reported without using the New Tuning Parameters in X-Press Update 20.13, please set this value:
You would need to do the following from your RealSecure Workgroup Manager:
1) Right click the affected sensor and select Properties.
2) Navigate to the Advanced tab and select 'Add'.
3) The parameters are: Name = pam.report.intruder-as-source, Type = Boolean, Value = True
4) Click OK to apply the setting.
With this configuration, the sensor will report the Source IP as the attacker IP and the Destination IP as the victim IP.

Hope this helps.... :)
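A small consistency check over exported events, added here as an example and not part of the original thread or of any ISS tool: it flags records whose Source/Destination are swapped relative to Intruder/Victim (the symptom above) and always recovers the (attacker, victim) pair from the Intruder/Victim fields. The tab-separated export format and the sample addresses are constructed assumptions.

```python
# Added example (not from the ISSForum thread): sanity-check NIDS 7.0 event
# records for the swapped Source/Destination reporting described above.
# Field names follow the event detail quoted in the thread; the tab-separated
# export layout is an assumption made for this example.
from dataclasses import dataclass


@dataclass
class Event:
    signature: str
    source_ip: str
    dest_ip: str
    victim_ip: str
    intruder_ip: str


def parse_event(line: str) -> Event:
    """Parse one constructed export line: sig<TAB>src<TAB>dst<TAB>victim<TAB>intruder."""
    sig, src, dst, victim, intruder = line.rstrip("\n").split("\t")
    return Event(sig, src, dst, victim, intruder)


def classify(ev: Event) -> str:
    """'intruder-as-source' is the expected layout, 'swapped' is the XPU symptom."""
    if ev.source_ip == ev.intruder_ip and ev.dest_ip == ev.victim_ip:
        return "intruder-as-source"
    if ev.source_ip == ev.victim_ip and ev.dest_ip == ev.intruder_ip:
        return "swapped"
    return "inconsistent"


def normalize(ev: Event) -> tuple[str, str]:
    """Return (attacker, victim) regardless of how Source/Destination were filled."""
    return (ev.intruder_ip, ev.victim_ip)


# Constructed sample export using RFC 5737 documentation addresses (not real hosts).
SAMPLE = (
    "HTTP_CodeRedII\t192.0.2.10\t198.51.100.7\t192.0.2.10\t198.51.100.7\n"  # swapped
    "TCP_Probe_HTTP\t198.51.100.7\t192.0.2.10\t192.0.2.10\t198.51.100.7\n"  # expected
    "HTTP_Nimda\t203.0.113.5\t192.0.2.10\t192.0.2.11\t203.0.113.5\n"        # inconsistent
)


def audit(text: str) -> dict[str, int]:
    """Count events per category to verify sensor reporting after the parameter change."""
    counts = {"intruder-as-source": 0, "swapped": 0, "inconsistent": 0}
    for line in text.splitlines():
        if line.strip():
            counts[classify(parse_event(line))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        ev = parse_event(line)
        attacker, victim = normalize(ev)
        print(f"{ev.signature:16} {classify(ev):20} attacker={attacker} victim={victim}")
    print(audit(SAMPLE))
```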

----- Original Message -----
From: "Chan, Jack" <jack.chan@xxxxxxxxxxxxx>
Date: Tue, 17 Jun 2003 09:20:36 +1000 
To: ISSForum@xxxxxxx
Subject: [ISSForum] NIDS 7.0 source and destination fields

> Hi, 
> 
> I have done a Network IDS 7.0 installation recently. (NIDS sensor NIC on a
> hub with external FW interface, attackdetector policy applied)
> 
> It is picking up quite a lot of HTTP Code Red, Nimda etc. FROM my internal
> web server. I am 120% sure that the webserver is patched, and checked the
> configurations, vulnerability alerts etc. 
> 
> Double click on an HTTP code red II event will show:
> ..... 
> Source IP address: 		a.b.c.d (my web server), confused.....
> Destination IP address: 	w.x.y.z (some external Internet address),
> confused.....
> Victim's IP address: 	a.b.c.d (my web server), looks correct....
> Intruder IP address: 		w.x.y.z (some external Internet address),
> looks correct....
> ......
> 
> I am unsure why the NIDS is picking up the "wrong" Source and Destination IP
> address as my webserver? Any ideas or advice???
> Or which table in the ISSED can I find victim/intruder's IP address??
> (Doesn't look like they are in the Events table).
> 
> Thanks a lot, 
> 
> Jack, 
> Security analyst
> _______________________________________________
> ISSForum mailing list
> ISSForum@xxxxxxx
> 
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
