Dear Nelson,

The IOS is "12.0(5.3)WC(1)", Switch Model is "C2900XL".

I think that it cannot trigger the events with the connection events policy if port mirroring is not implemented. But it can't recognize these packets as a correct pattern; all these TCP packets will be shown as "suspicious tcp". Do you have any idea?

thanks again,
Jaeson

--- Nelson Fernando Aranzazu <[EMAIL PROTECTED]> wrote:
> Jaeson,
>
> What kind of switches do you have, IOS or CatOS?
>
> From your abstract, I think you should implement some kind of
> remote-port-mirroring (RSPAN) in switch B, because it doesn't have port
> mirroring enabled and for example right now switch A isn't able to know if
> there is traffic between two ports in switch B.
>
> Regards.
>
> ----- Original Message -----
> From: "jaeson pilicon" <[EMAIL PROTECTED]>
> To: "Nelson Fernando Aranzazu" <[EMAIL PROTECTED]>
> Sent: Friday, November 01, 2002 11:22 AM
> Subject: Re: [ISSForum] Network Sensor can't capture events
>
> > Dear Nelson,
> >
> > Thank you for your reply. Yes, I had done this "hme1"
> > settings. Do you have any idea?
> >
> > thanks
> > Jaeson
> >
> > --- Nelson Fernando Aranzazu <[EMAIL PROTECTED]> wrote:
> > > Jaeson
> > >
> > > Did you configure hme1 for promiscuous mode?
> > >
> > > If you didn't, try this one:
> > >
> > > /usr/sbin/ifconfig hme1 plumb -arp up
> > >
> > > Regards.
> > >
> > > ----- Original Message -----
> > > From: "jaeson pilicon" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Friday, November 01, 2002 9:29 AM
> > > Subject: [ISSForum] Network Sensor can't capture events
> > >
> > > > Dear all,
> > > >
> > > > I use NS sensor 6.5 on Solaris 2.8 platform with
> > > > Stealth-mode, but it can't capture any events and
> > > > display them on WGM.
> > > >
> > > > The detail settings/Scenario as follows:
> > > > 1. One Network Sensor 6.5 on Solaris 2.8 platform,
> > > >    - "hme0" adaptor connected to WGM
> > > >    - "hme1" adaptor as a monitoring interface without
> > > >      ip address
> > > > 2. Workgroup Manager 6.5 installed on W2k machine
> > > >    (had applied the latest XPU & database patch)
> > > > 3. Monitoring interface connected to Cisco 29xx switch
> > > >    (Port Monitoring had been done on Cisco switch)
> > > >
> > > > Diagram:
> > > >
> > > >        Internal Network
> > > >               |
> > > >               |
> > > >       Cisco Switch (B)
> > > >               |
> > > >               |(trunking)
> > > >               |
> > > >       Cisco Switch (A)
> > > >               |
> > > >               |(Port Monitoring)
> > > >               |
> > > >     [Stealth Mode]- hme1
> > > >      Network Sensor 6.5
> > > >               |
> > > >               |
> > > >      Working Manager 6.5
> > > >
> > > > My Testing:
> > > > 1. Connect a Notebook on Cisco Switch (A) and perform a
> > > >    "port scan" attack. NS sensor 6.5 can capture
> > > >    this attack and display it on the WGM console. [success]
> > > > 2. But if I connect a Notebook on Cisco Switch (B) and
> > > >    perform a "port scan" attack, NS sensor 6.5 cannot
> > > >    capture this attack. [Fail]
> > > > 3. Then I try to make a "connection events" policy to
> > > >    capture all TCP events. NS sensor 6.5 can
> > > >    capture this event, but it's not shown as a "port
> > > >    scan" attack. It shows this event as (suspicious
> > > >    tcp).
> > > >
> > > > I would appreciate it if you can give me any suggestions.
> > > >
> > > > thank you,
> > > > Jaeson
> > > >
> > > > _______________________________________________
> > > > ISSForum mailing list
> > > > [EMAIL PROTECTED]
