Jaeson,

Did you configure hme1 for promiscuous mode?
If you didn't, try this one:

    /usr/sbin/ifconfig hme1 plumb -arp up

Regards.

----- Original Message -----
From: "jaeson pilicon" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, November 01, 2002 9:29 AM
Subject: [ISSForum] Network Sensor can't capture events

> Dear all,
>
> I use NS sensor 6.5 on a Solaris 2.8 platform with
> Stealth-mode, but it can't capture any events and
> display them on WGM.
>
> The detailed settings/scenario are as follows:
> 1. One Network Sensor 6.5 on a Solaris 2.8 platform,
>    - "hme0" adaptor connected to WGM
>    - "hme1" adaptor as a monitoring interface without
>      an IP address
> 2. Workgroup Manager 6.5 installed on a W2k machine
>    (had applied the latest XPU & database patch)
> 3. Monitoring interface connected to a Cisco 29xx switch
>    (Port Monitoring had been done on the Cisco switch)
>
> Diagram:
>
>        Internal Network
>               |
>               |
>        Cisco Switch (B)
>               |
>               |(trunking)
>               |
>        Cisco Switch (A)
>               |
>               |(Port Monitoring)
>               |
>        [Stealth Mode]- hme1
>        Network Sensor 6.5
>               |
>               |
>        Working Manager 6.5
>
>
> My Testing:
> 1. Connect a notebook to Cisco Switch (A) and perform a
>    "port scan" attack. NS sensor 6.5 can capture
>    this attack and display it on the WGM console. [success]
> 2. But if I connect a notebook to Cisco Switch (B) and
>    perform a "port scan" attack, NS sensor 6.5 cannot
>    capture this attack. [Fail]
> 3. Then I tried to make a "connection events" policy to
>    capture all TCP events. NS sensor 6.5 can
>    capture this event, but it's not shown as a "port
>    scan" attack. It shows this event as (suspicious
>    tcp).
>
> I would appreciate it if you could give me any suggestions.
>
> Thank you,
> Jaeson

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
