[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISSForum] Network Sensor - Connection Events



Did something change in the behaviour of Network
Sensor connection events from version 6.5 to 7.0? 

Connection events used to trigger when an attacker
would attempt to connect to a network device on a
given connection port (source ip any, source service
any, dest ip any, dest service ssh) - even if there
were no ssh service listening on that device.  

Now, in version 7.0, the event appears to trigger only
if the connection is established with a system that is
running ssh, and the three way handshake is
established.

The policy manual regarding connection events for both
6.5  and 7.0 look the same.  

Similarly, we used to have an connection event trigger
when someone attempted to connect to one of our unused
ip addresses (source ip/service any, dest ip=unused
ip, service any).  After the upgrade to 7.0, this
event no longer triggers when trying to connect to
this ip.

Anyone know why?

__________________________________
Do you Yahoo!?
Yahoo! Hotjobs: Enter the "Signing Bonus" Sweepstakes
http://hotjobs.sweepstakes.yahoo.com/signingbonus
_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo