TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

If you are sending "packet captures" as your test and the src socket and
dest sockets are identical for each test, then RS only sees ONE event.  If
you'll check the event's Advanced button in the policy editor, you'll see
that RS "defines" an event as a unique combination of src IP:Port AND dst
IP:Port.  So 10.10.101.10:3000 -> 10.10.10.11:3001 that triggers a decode
can be repeated as many times as you like, but the default "event
definition" will show it as ONE event.  Only when any of the four elements
of the event changes will you get another event.

You can user-define this definition to choose particular parts of the IP->IP
socket-set to be a "unique" event. For example, to cut down on HTTP GET
traffic alerts, since every GET has a different src port, change the event
definition to IP:<ignore port>->destIP:port and you'll get only ONE event
when that src IP makes an HTTP GET.  Of course, this is all explained in the
RS User Guides.

James R Lindley
Anomaly Detection Xpert
Special Operations Group
Managed Security Services
Internet Security Systems Inc.
Vox:  404-236-3009
An unquenchable thirst for Pierian waters.
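The aggregation behaviour described in the reply above (one event per unique src IP:port / dst IP:port tuple, with the option of dropping the src port from the key) is easy to reproduce for your own alert stream. The following is an added illustration, not RealSecure code and not from anyone on this list: it takes constructed sample alerts, projects each onto a configurable "event definition" (a tuple of field names), and counts hits per resulting key. The field names, sample addresses and signature names are all assumptions made up for the example.

```python
from collections import Counter
from typing import Dict, Iterable, Sequence, Tuple

# Field order of each raw alert tuple in this example (assumed layout, not an RS format).
FIELDS = ("sig", "src_ip", "src_port", "dst_ip", "dst_port")

# Constructed sample alerts: three HTTP GETs from one host on rotating ephemeral
# ports, one GET from another host, and a repeated identical scan detection.
SAMPLE_ALERTS = [
    ("HTTP_GET", "10.10.101.10", 3000, "10.10.10.11", 80),
    ("HTTP_GET", "10.10.101.10", 3001, "10.10.10.11", 80),
    ("HTTP_GET", "10.10.101.10", 3002, "10.10.10.11", 80),
    ("HTTP_GET", "10.10.101.12", 4000, "10.10.10.11", 80),
    ("SYN_SCAN", "10.10.101.10", 3000, "10.10.10.11", 3001),
    ("SYN_SCAN", "10.10.101.10", 3000, "10.10.10.11", 3001),
]

# Default definition: the full four-tuple plus the signature name.
DEFAULT_DEFINITION = ("sig", "src_ip", "src_port", "dst_ip", "dst_port")
# Tuned definition: ignore the (ephemeral) source port, as the reply suggests for HTTP GET.
NO_SRC_PORT_DEFINITION = ("sig", "src_ip", "dst_ip", "dst_port")


def event_key(alert: Sequence, definition: Sequence[str]) -> Tuple:
    """Project a raw alert onto the fields named in `definition`.

    Raises ValueError on an unknown field name so a typo in a definition
    fails loudly instead of silently collapsing unrelated alerts together.
    """
    index = {name: i for i, name in enumerate(FIELDS)}
    unknown = [name for name in definition if name not in index]
    if unknown:
        raise ValueError(f"unknown field(s) in event definition: {unknown}")
    return tuple(alert[index[name]] for name in definition)


def aggregate(alerts: Iterable[Sequence], definition: Sequence[str]) -> Dict[Tuple, int]:
    """Collapse raw alerts into events: one entry per unique key, with a hit count.

    Repeats of an identical tuple (the case in the thread) become a single
    event whose count tells you how often it fired.
    """
    counts: Counter = Counter()
    for alert in alerts:
        counts[event_key(alert, definition)] += 1
    return dict(counts)


def event_count(alerts: Iterable[Sequence], definition: Sequence[str]) -> int:
    """Number of distinct events the console would show under this definition."""
    return len(aggregate(alerts, definition))


if __name__ == "__main__":
    for label, definition in (("default", DEFAULT_DEFINITION),
                              ("no src port", NO_SRC_PORT_DEFINITION)):
        print(f"--- event definition: {label} ({', '.join(definition)})")
        for key, hits in aggregate(SAMPLE_ALERTS, definition).items():
            print(f"{hits:3d} x {key}")
```

Run it and compare the two listings: under the default definition the three GETs from 10.10.101.10 are three separate events, while the two identical scan alerts are one event with a count of 2. Dropping src_port merges the GETs into a single event per source host, which is exactly the trade-off the reply describes: fewer rows on the console, at the cost of no longer distinguishing individual connections from the same host. The hit count is worth keeping alongside the key, because a single "event" that fired thousands of times is a different thing from one that fired once.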

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 07, 2001 5:51 PM
To: Issforum@Iss.Net
Subject: RS console 5.5 loose display ?:!

Hi all,

We've just installed an RS Console 5.5 and one RS Network Sensor 5.0.1, and we
seem to have a problem.

Sensor and console look good, but when we do some testing like portscan,
ping scan, smurf ... the console displays only one event even when we do this
testing heavily. We think the console only displays the event when the src, dst
address are different from the previous event.

Does RS Console 5.5 lose traffic, or does it have a new undocumented
display-filtering feature???

All software is on NT4 SP6.0a US.
The sensor is in stealth mode with one of its NICs connected to a LAN where the
console is.

Monitored Network
        |
        |---RS NetWork-----
        |                       |   RS Console
        |                       |       |
                     ====================


Has anyone seen this already?
Any solution???

Thanks in advance!