TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
No. The "e-mail" that the sensor emits is actually a properly formatted
text stream directed to the E-Mail Response IP address' port 25 (SMTP) out
of the Reporting NIC.
Please understand WHY the sensor generates ALL responses. ONLY THE SENSOR
IS GUARANTEED TO BE RUNNING 24x7x365. The RS Console is NOT an installed
service, but just an application, even if you do leave the program running
all the time. And using anything other than the sensor to generate
responses would just cause additional net traffic.
The Console is design for three purposes ONLY: Push policy; Collect sensor
logs into a database; and Show alert responses. And that's it!
James R Lindley
Anomaly Detection Xpert
X-Force Surveillance and Response Unit
Managed Security Services
Internet Security Systems Inc
Vox: 678-443-6323
Fax: 678-443-6482
An unquenchable thirst for Pierian Waters.
Internet Security Systems - The Power To Protect.
-----Original Message-----
From: Brian Tan Wee Beng [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 08, 2000 5:00 AM
To: '[EMAIL PROTECTED]'; Mark S. Velasquez; Lindley, Jim (ISSAtlanta)
Cc: [EMAIL PROTECTED]
Subject: RE: **RealSecure 5.0 & E-Mail Alerts**
Is there any script that can be used such that the console is sending the
mail instead???
Cheers
--
On Thu, 3 Aug 2000 14:58:58 Lindley, Jim (ISSAtlanta) wrote:
>
>TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
>[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
problems!
>---------------------------------------------------------------------------
-
>
>George et al:
>
>The TCP RST packets ARE generated by the "stealth" NIC, since that is the
>NIC on the monitored network. Since the IP/MAC address information is
>available to RS from BOTH ends of the suspect TCP session, RS builds TWO
>spoofed TCP RST packets using the IP/MAC information and sends each end of
>the suspect TCP session a TCP RST that purports to come from the other end
>of the session. Therefore, each end of the session being RSTed believes
the
>other end called off the conversation. These TCP RST packets are the ONLY
>output ever issued by the stealth NIC. All other responses that require
>communication are generated by the "reporting" NIC and sent to the network
>on which the monitoring RS Console is placed. If that network has no exit
>point for SNMP/SMTP/pagers/etc, then you have an "out-of-band" network,
>which is more secure BUT you loose the ability to use the SMTP/SNMP/pager
>responses.
>
>James R Lindley
>Anomaly Detection Xpert
>X-Force Surveillance and Response Unit
>Managed Security Services
>Internet Security Systems Inc
>Vox: 678-443-6323
>Fax: 678-443-6482
>An unquenchable thirst for Pierian Waters.
>
>Internet Security Systems - The Power To Protect.
>-----Original Message-----
>From: George Milliken [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, August 02, 2000 6:57 PM
>To: Mark S. Velasquez
>Cc: [EMAIL PROTECTED]
>Subject: Re: **RealSecure 5.0 & E-Mail Alerts**
>
>
>
>TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
>[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
>problems!
>---------------------------------------------------------------------------
-
>
>For that matter, how do TCP RS KILLs happen across the "secure" stealth
>interface?
>
>We have puzzled on this much recently. We assume the emails go out
>over the internal interface but I have not verified that via sniffer.
>
>But, how do the resets happen??? There is not guarentee that the
>internal interface can route packets back to the stealth (outside) side
>of the network.
>
>Anybody got a clue?
>
>
>
>
>
>"Mark S. Velasquez" wrote:
>>
>> TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message
>to
>> [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any
>problems!
>>
>---------------------------------------------------------------------------
-
>>
>> I've installed RealSecure 5.0. The Network Sensors are installed on
>> Sparc Solaris 7.0 platforms with the monitoring interface in stealth
>> mode( no IP assigned to it, no arp, etc.), and a second interface on a
>> private Network to the monitoring Console.
>>
>> My question concerns E-Mail Responses. I'd assumed that the monitoring
>> console sent them. From reading the manual it appears that the Network
>> Sensor sends them...if so how is this supposed to work in a secure
>> setup( it cant' send via the stealth-configured interface... and the
>> other interface connects directly to the Monitoring Console. ).
>>
>> How is everyone else sending E-Mail responses/alerts in a secure
>> configuration ?
>>
>> TIA
>>
>> Mark
>
>--
>
>
>Regards,
>
>
>
>George Milliken
>
>---------------------------------
>farm9, Inc.
>
>Online Intrusion Prevention 24x7
>http://www.farm9.com
>---------------------------------
>
>
>
>
Get your FREE Email at http://www.mailcityasia.com
