It's not clear whether you are receiving any frames at all on your interface, so I suggest you start from the ground up, isolate the problem, before messing with the higher level RealSecure stuff.
I'd use a packet analyzer or, better yet, a known working interface on your host, run a tcpdump or something and see if you see the traffic as expected. If it doesn't, play with the switch until it does. When it works OK, connect the sparc hardware port you intend to use for stealth instead, see if it also works as expected. Once you've proven that the interface is actually getting packets, properly configure the interface for stealth etc, and *then* play with RealSecure.

-----Original Message-----
From: jaeson pilicon [mailto:hz6146@;yahoo.com]
Sent: 01 November 2002 17:28
To: Nelson Fernando Aranzazu
Cc: [EMAIL PROTECTED]
Subject: Re: [ISSForum] Network Sensor can't capture events

Dear Nelson,

The IOS is "12.0(5.3)WC(1)", Switch Model is "C2900XL".
I think that it cannot trigger the events with the connection events policy if port mirroring is not implemented. But it can't recognize these packets as a correct pattern; all these TCP packets will be shown as "suspicious tcp".

Do you have any idea?

thanks again,
Jaeson

--- Nelson Fernando Aranzazu <[EMAIL PROTECTED]> wrote:
> Jaeson,
>
> What kind of switches do you have, IOS or CatOS?
>
> From your abstract, I think you should implement some kind of
> remote-port-mirroring (RSPAN) in switch B, because it doesn't have port
> mirroring enabled and for example right now switch A isn't able to know if
> there is traffic between two ports in switch B.
>
> Regards.
>
> ----- Original Message -----
> From: "jaeson pilicon" <[EMAIL PROTECTED]>
> To: "Nelson Fernando Aranzazu" <[EMAIL PROTECTED]>
> Sent: Friday, November 01, 2002 11:22 AM
> Subject: Re: [ISSForum] Network Sensor can't capture events
>
> > Dear Nelson,
> >
> > Thank you for your reply. Yes, I had done this "hme1" setting.
> > Do you have any idea?
> >
> > thanks
> > Jaeson
> >
> > --- Nelson Fernando Aranzazu <[EMAIL PROTECTED]> wrote:
> > > Jaeson
> > >
> > > Did you configure hme1 for promiscuous mode?
> > >
> > > If you didn't, try this one:
> > >
> > > /usr/sbin/ifconfig hme1 plumb -arp up
> > >
> > > Regards.
> > >
> > > ----- Original Message -----
> > > From: "jaeson pilicon" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Friday, November 01, 2002 9:29 AM
> > > Subject: [ISSForum] Network Sensor can't capture events
> > >
> > > > Dear all,
> > > >
> > > > I use NS sensor 6.5 on the solaris 2.8 platform with Stealth-mode,
> > > > but it can't capture any events and display them on WGM.
> > > >
> > > > The detail settings/Scenario as follows:
> > > > 1. One Network Sensor 6.5 on Solaris 2.8 platform,
> > > >    - "hme0" adaptor connect to WGM
> > > >    - "hme1" adaptor as a monitoring interface without ip address
> > > > 2. Workgroup Manager 6.5 install on W2k machine
> > > >    (had applied the latest XPU & database patch)
> > > > 3. Monitoring interface connect to Cisco 29xx switch
> > > >    (Port Monitoring had been done on Cisco switch)
> > > >
> > > > Diagram:
> > > >
> > > >        Internal Network
> > > >               |
> > > >               |
> > > >        Cisco Switch (B)
> > > >               |
> > > >               |(trunking)
> > > >               |
> > > >        Cisco Switch (A)
> > > >               |
> > > >               |(Port Monitoring)
> > > >               |
> > > >     [Stealth Mode]- hme1
> > > >       Network Sensor 6.5
> > > >               |
> > > >               |
> > > >       Working Manager 6.5
> > > >
> > > > My Testing:
> > > > 1. Connect a Notebook on Cisco Switch (A) and perform a
> > > >    "port scan" attack. NS sensor 6.5 can capture this attack
> > > >    and display it on the WGM console. [success]
> > > > 2. But if I connect a Notebook on Cisco Switch (B) and
> > > >    perform a "port scan" attack, NS sensor 6.5 cannot
> > > >    capture this attack. [Fail]
> > > > 3. Then I try to make a "connection events" policy to
> > > >    capture all TCP events. NS sensor 6.5 can capture this
> > > >    event, but it's not shown as a "port scan" attack.
> > > >    It shows this event as (suspicious tcp).
> > > >
> > > > I would appreciate it if you can give me any suggestions.
> > > >
> > > > thank you,
> > > > Jaeson

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
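
The bottom-up check suggested in the top reply (prove the interface receives frames before touching the sensor) can be scripted. The following is an added example, not part of the original thread: it classifies `tcpdump -e -n` output by destination MAC to tell "no frames at all" apart from "only broadcast/multicast" and "mirrored traffic arriving". The function name, the sensor MAC and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `tcpdump -e -n` output (stdin) from a monitoring port.
# $1 is the capture interface's own MAC; all values below are constructed.
SENSOR_MAC="08:00:20:aa:bb:cc"   # hypothetical MAC for hme1

classify_capture() {
    awk -v own="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
        $3 != ">" { next }        # skip lines without a link-level header
        {
            dst = tolower($4); sub(/,$/, "", dst)
            total++
            # Low bit of the first octet set: broadcast or multicast, which
            # every switch port receives whether or not mirroring works.
            if (index("13579bdf", substr(dst, 2, 1)) > 0) { flooded++ }
            else if (dst == own) { mine++ }
            else { foreign++ }    # unicast between other hosts
        }
        END {
            if (total == 0) { verdict = "no-frames" }
            else if (foreign == 0) { verdict = "no-mirrored-traffic" }
            else { verdict = "mirrored-traffic-seen" }
            printf "total=%d flooded=%d own=%d foreign_unicast=%d verdict=%s\n",
                   total, flooded, mine, foreign, verdict
        }'
}

# Constructed capture: link is up, but only flooded frames arrive.
sample_unmirrored() {
    cat <<'EOF'
12:00:01.000001 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.7, length 46
12:00:02.000001 00:11:22:33:44:66 > 01:00:0c:cc:cc:cc, 802.3, length 386: LLC
EOF
}

# Constructed capture: the same frames plus one unicast frame between two
# other hosts, which a switch port normally sees only when mirroring works.
sample_mirrored() {
    sample_unmirrored
    cat <<'EOF'
12:00:03.000001 00:11:22:33:44:55 > 00:11:22:33:44:77, ethertype IPv4 (0x0800), length 74: 192.0.2.7.40000 > 192.0.2.9.22: Flags [S]
EOF
}

sample_unmirrored | classify_capture "$SENSOR_MAC"
sample_mirrored   | classify_capture "$SENSOR_MAC"
# Live use: tcpdump -e -n -c 200 -i hme1 | classify_capture "$SENSOR_MAC"
```

A `no-mirrored-traffic` verdict while a test host on the far switch is generating traffic points at the switch configuration rather than the sensor; occasional unknown-unicast flooding can produce a few foreign unicast frames even without mirroring, so judge on a capture of reasonable size.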
