[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [ISSForum] NIDS 7.0 source and destination fields



Hi

Jack Chan wrote:
> Can anyone kindly suggest which tables/fields I can find the
> intruder and victim in ISSED?? 
> 
> As I am writing code (using odbc) to extract out attackers 
> and other info. The code works for HIDS, but NIDS data will
> look a bit funny if my web server is rated as Top ten attackers
> for the month :)

I have moaned about this behaviour off and on for a couple of years
now. All credit to ISS - there was a new tuning parameter introduced
in XPU 20.13 for RSNS7.0 that fixes the 'source' and 'destination'
addresses to mean what we expect them to mean, rather than what is
technically correct!

>From the .ini file for XPU 20.13:

----------------------------------
a) Normally, sensors report and consoles show source and destination
as the source and destination of the packet that triggered the event.
As an alternative, you can enable the Boolean tuning parameter,
pam.report.intruder-as-source, to change the semantics of source and
destination. When enabled, sensors will report and consoles will show
source and destination as the source of the attack and destination of
the attack respectively (for attack events). Likewise, for audits, 
source and destination will be the source and destination of the
client request. That is, source will be the client and destination
will be the server.
----------------------------------

Obviously, this will only help for alerts that come in after you make
the change, but should help matters from here on in!

Robert

PS - if you are scripting results, "additional" details are in the
EventParams table, but are not that easy to extract!

--
Robert Turner GCIA
Security Solutions Designer & Analyst

BT Secure Business Services
T: +44 (0)113 244 5951  F: +44 (0)113 244 5657
Robert.D.Turner@xxxxxx

== # include std.disclaimer =====================================

British Telecommunications plc

Registered office: 81 Newgate Street London EC1A 7AJ

Registered in England no. 1800000

This electronic message contains information from British
Telecommunications plc which may be privileged or confidential.
The information is intended to be for the use of the individual(s)
or entity named above. If you are not the intended recipient be
aware that any disclosure, copying, distribution or use of the
contents of this information is prohibited. If you have received
this electronic message in error, please notify us by telephone
or email (to the numbers or address above) immediately.

Activity and use of the British Telecommunications plc E-mail
system is monitored to secure its effective operation and for
other lawful business purposes. Communications using this system
will also be monitored and may be recorded to secure effective
operation and for other lawful business purposes.

=================================================================
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo