TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Jay,

This is a good characterization of the default behavior of version 7.0 of Network 
Sensor. This product contains a new component known internally as the "coalescer". (I 
forget how it is referred to in the network sensor documentation.) The purpose of this 
component is to reduce the amount of raw information that potentially floods the 
console. It recognizes related events and combines them. For instance, if you sent a 
hundred BackOrifice Ping packets in 60 seconds, only one event would appear on the 
console (not one hundred events). However, that one event would indicate that one 
hundred pings were seen. This is the simplest scenario it supports. It will also 
combine events that differ only by the intruder IP or the intruder port. In some 
cases, it also replaces a less specific event with a more specific one as more 
information becomes available.

The potential downside is that the coalescer holds events for a period of time while 
it looks for an opportunity to combine them. By default, this delay could be up to 60 
seconds. If this delay is too long for your environment, you can tune it.  For 
instance, if you set the advanced tuning parameter, 
"advancedeventconsolidation.deltatime" to 5, events will never be delayed longer than 
5 seconds. Obviously, using a shorter "deltatime" reduces the coalescer's opportunities 
to combine events. In the BackOrifice ping example, using a deltatime of 5 would 
likely result in 12 events instead of 1. There are other advanced tuning parameters 
for the coalescer. Please refer to the online help.

Paul
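To make the window-versus-delay trade-off described above concrete, here is a toy model of this kind of time-window coalescing. It is an added illustration, not ISS code: the field names and the flush rule (a group reaches the console deltatime seconds after its first event) are assumptions about how such a component behaves in general, not documented Network Sensor behavior. Run on the constructed sample of 100 BackOrifice pings spread over 60 seconds, it yields one console event with a count of 100 at deltatime 60 and 12 events at deltatime 5, with the worst-case reporting delay equal to deltatime in each case.

```python
"""Toy model of window-based event coalescing (added illustration, not ISS code).

Assumption: a group of related raw events is held until `deltatime` seconds
after its first event, then emitted to the console as a single event.
"""
from dataclasses import dataclass, field


@dataclass
class CoalescedEvent:
    signature: str            # e.g. "BackOrifice_Ping"
    first_seen: float         # time of the first raw event in the group
    last_seen: float          # time of the last raw event in the group
    count: int = 0            # how many raw events this console event represents
    sources: set = field(default_factory=set)  # distinct (ip, port) pairs seen
    reported_at: float = 0.0  # when the console would see this event


def coalesce(raw_events, deltatime=60.0):
    """Merge raw events that share a signature and fall within `deltatime`
    seconds of their group's first event. Events differing only by source IP
    or source port are combined into the same console event.
    raw_events: iterable of (timestamp_seconds, signature, ip, port).
    Returns console events in the order the console would receive them."""
    open_groups = {}  # signature -> group still accepting events
    console = []
    for ts, sig, ip, port in sorted(raw_events):
        grp = open_groups.get(sig)
        if grp is not None and ts - grp.first_seen > deltatime:
            # Window expired: the console gets one event for the whole group.
            grp.reported_at = grp.first_seen + deltatime
            console.append(open_groups.pop(sig))
            grp = None
        if grp is None:
            grp = CoalescedEvent(sig, ts, ts)
            open_groups[sig] = grp
        grp.count += 1
        grp.last_seen = ts
        grp.sources.add((ip, port))
    # End of input: flush whatever is still being held.
    for grp in open_groups.values():
        grp.reported_at = grp.first_seen + deltatime
        console.append(grp)
    return sorted(console, key=lambda g: g.reported_at)


def worst_case_delay(console_events):
    """Longest time any raw event waited before appearing on the console.
    The first event of each group waits the full deltatime."""
    return max(g.reported_at - g.first_seen for g in console_events)


# Constructed sample: one host sends 100 BackOrifice pings, one every 0.6 s,
# cycling through four source ports (so only the port differs between pings).
PINGS = [(i * 0.6, "BackOrifice_Ping", "10.0.0.5", 1024 + (i % 4))
         for i in range(100)]


if __name__ == "__main__":
    for dt in (60, 5):
        events = coalesce(PINGS, deltatime=dt)
        print(f"deltatime={dt:>2}: {len(events)} console event(s), "
              f"counts={[e.count for e in events]}, "
              f"worst delay={worst_case_delay(events):.1f}s")
```

The `worst_case_delay` figure is the number Jay is seeing: with the default window of 60 seconds, the first ping in a burst is not shown until a full minute after it happened, even though the console ultimately receives every ping in the count. Shortening deltatime trades that latency for more, smaller console events.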

-----Original Message-----
From: Groomes, Jay [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 30, 2002 1:55 PM
To: [EMAIL PROTECTED]
Subject: Network Sensor 7.0

Everyone,

I am new to this forum, so please bear with me if this topic has been
repeated before.

Here is the situation... I recently upgraded our Network Sensors from
6.5 w/XU 5.3 to 7.0 w/XU 20.3.  Also, I upgraded the Console from 6.5 to
6.6.

Now, the problem is that ever since I upgraded the Console and Sensors,
the Console picks up the event really slowly.  The time frame is about 30
seconds to a minute later, prior to when the event actually happens.

Is there a way to resolve this issue?  I would like to get the events in
a "real-time" response.

Any help is greatly appreciated.

Jay Groomes