TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hi
Welcome to the world of ISS ...
A common mistake when installing this product is to take one of the default
built-in policies and apply it to your network sensors.
My advice to you is that out of the box the policies are only a guideline, and
what I would recommend is that you make a copy (Derive New) of the maximum
policy and then customise it for your environment.
The approach which we have adopted is that RS looks for exceptions. So, for
example, we expect to see HTTP_Gets and Cookies, therefore we turn these OFF.
If, of course, the only traffic you expect to see is FTP, then you would leave
HTTP on and turn FTP off, etc.
We did exactly the same thing as you have when we first installed this
product. We turned it on, turned EVERYTHING on and logged everything raw.
Well, I don't need to tell you what happened - of course our logs went ballistic
and were filling up overnight.
Take a while to read through each signature - decide if it applies to your
environment and configure your system accordingly.
Hope this information has helped you.
Regards
MARC CLASS
MNET Australia Pty. Ltd.
Melbourne
>===== Original Message From Council Erastus Contr AFRL/IFOSS
<[EMAIL PROTECTED]> =====
>
>All
> We have installed RealSecure 5.0 Network Sensor on an Ultra 30 with
>128 MB of RAM running Solaris 7. The problem is that the RS Sensor will
>write so many messages to the admin logs of the sensor that it will cause
>the system to stop logging system messages. The RS Console (Workgroup
>Manager, as it is now called) is a PII 300 with 128 MB of RAM, NT 4.0 SP6a.
>The most common error message is about the DB High-water Mark being reached
>(the DB is set to sync at 6% of 50000). I have also seen an error about IP
>fragments, but I cannot remember the exact wording. Bottom line, is there a
>way to stop the detector from logging to the syslog, or to configure it to
>only log certain events after a certain threshold? Thanks for any
>assistance.
>
>Erastus Council Jr
>Engineer, MCSE, MCP+I
>Litton PRC
>AFRL / Rome Research Site / Information Assurance Office
>525 Brooks Rd
>Rome, NY 13441
>DSN 587-1653 Comm (315) 330-7550
MNET Australia Pty. Ltd.
Melbourne - Beautiful one day Overcast the next
Australia
[EMAIL PROTECTED]
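Marc's advice is to derive a copy of the maximum policy and switch off the signatures that match traffic a segment is expected to carry, and Erastus asks whether events can be logged only once a threshold is reached. The Python below is an added example that is not part of this thread and is not RealSecure code: it models both ideas with a hypothetical policy dictionary and constructed sample events. The signature names, addresses, priorities and the per-source threshold semantics are assumptions for illustration, not ISS's policy or log format.

```python
"""Exception-based IDS policy tuning, modelled on the advice in the thread.

Added example, not RealSecure code: the policy dictionary, signature names
(HTTP_Get, HTTP_Cookie, FTP_User, ...) and event records are a constructed
model of the idea, not ISS's real policy or log format.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional

Policy = Dict[str, Dict[str, object]]

# Hypothetical "maximum" policy: every signature on, nothing thresholded.
MAXIMUM_POLICY: Policy = {
    "HTTP_Get":         {"enabled": True, "priority": "low"},
    "HTTP_Cookie":      {"enabled": True, "priority": "low"},
    "HTTP_Unix_Passwd": {"enabled": True, "priority": "high"},
    "FTP_User":         {"enabled": True, "priority": "low"},
    "FTP_Pass":         {"enabled": True, "priority": "medium"},
    "IPFrag":           {"enabled": True, "priority": "medium"},
}


def derive_policy(base: Policy, disable: Iterable[str] = (),
                  thresholds: Optional[Dict[str, int]] = None) -> Policy:
    """'Derive New': copy the base policy, then switch off the signatures that
    describe traffic this segment is expected to carry, and attach a
    per-source hit threshold to signatures that are noisy but still useful."""
    derived: Policy = {name: dict(attrs) for name, attrs in base.items()}
    for name in disable:
        if name not in derived:
            raise KeyError(f"unknown signature: {name}")
        derived[name]["enabled"] = False
    for name, count in (thresholds or {}).items():
        if count < 1:
            raise ValueError(f"threshold for {name} must be >= 1")
        derived[name]["threshold"] = count
    return derived


def apply_policy(policy: Policy,
                 events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return only the events the tuned policy would log.

    Disabled signatures are dropped outright. A thresholded signature is
    logged once, when the Nth hit from the same source arrives, with the hit
    count attached; every other enabled signature is logged as-is."""
    hits: Counter = Counter()
    logged: List[Dict[str, object]] = []
    for ev in events:
        rule = policy.get(ev["sig"])
        if rule is None or not rule["enabled"]:
            continue
        threshold = rule.get("threshold")
        if threshold is None:
            logged.append({**ev, "priority": rule["priority"]})
            continue
        key = (ev["sig"], ev["src"])
        hits[key] += 1
        if hits[key] == threshold:
            logged.append({**ev, "priority": rule["priority"], "count": threshold})
    return logged


# Constructed sample of what a sensor in front of a web server might see.
SAMPLE_EVENTS = (
    [{"sig": "HTTP_Get", "src": "10.1.1.5", "dst": "10.1.2.80"}] * 4
    + [{"sig": "HTTP_Cookie", "src": "10.1.1.5", "dst": "10.1.2.80"}] * 2
    + [{"sig": "HTTP_Unix_Passwd", "src": "192.0.2.44", "dst": "10.1.2.80"}]
    + [{"sig": "FTP_User", "src": "192.0.2.44", "dst": "10.1.2.21"}] * 3
    + [{"sig": "IPFrag", "src": "198.51.100.9", "dst": "10.1.2.80"}] * 2
)

# Web segment: HTTP is normal there, so HTTP_Get/HTTP_Cookie are turned OFF.
WEB_POLICY = derive_policy(MAXIMUM_POLICY,
                           disable=["HTTP_Get", "HTTP_Cookie"],
                           thresholds={"FTP_User": 3, "IPFrag": 5})

# FTP-only segment: the reverse, HTTP is the anomaly and FTP logins are routine.
FTP_POLICY = derive_policy(MAXIMUM_POLICY, disable=["FTP_User", "FTP_Pass"])


def noise_reduction(policy: Policy, events: List[Dict[str, str]]) -> float:
    """Fraction of the raw event stream the tuned policy suppresses."""
    kept = len(apply_policy(policy, events))
    return 1 - kept / len(events)


if __name__ == "__main__":
    for ev in apply_policy(WEB_POLICY, SAMPLE_EVENTS):
        print(ev)
    print(f"suppressed {noise_reduction(WEB_POLICY, SAMPLE_EVENTS):.0%} of raw events")
```

On the constructed sample the web policy keeps two records out of twelve (the passwd-file fetch and a single FTP_User summary once the third login attempt from one source arrives), while the same events under the FTP-only policy keep nine, because there every HTTP hit is the exception. The threshold here is a per-source hit count; a real deployment would also want a time window so that counters do not grow without bound.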