I was doing the test and I found the same: I used a CNET switch and the
sensor did not hear anything, but I changed it for a hub and it works well.

Claudia Prada

-----Original Message-----
From: jaeson pilicon [mailto:hz6146@;yahoo.com]
Sent: Friday, November 01, 2002 07:36 p.m.
To: Claudia Patricia Prada G; Nelson Fernando Aranzazu
Cc: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Network Sensor can't capture events


Dear all,

Thank you very much for your kind attention.
But actually, all your suggestions had been tested by
me previously, and all failed.
I think that the problem may be in the switch, because if
I replace it with hubs, it triggers all the correct
events.
So do you have any ideas about the switch?

thanks,
Jaeson

--- Claudia Patricia Prada G <[EMAIL PROTECTED]>
wrote:
> Try this:
>
>
> 1. In the deployment wizard, use 127.0.0.1
> 2. On the NIC without a network address, set any IP
>    address, without a GW
> 3. Open RealSecure and monitor with the NIC
>    using whatever IP
> 4. After you see the traffic, stop the sensor and set
>    the NIC to stealth mode
> 5. Start the sensor
>
>
> CP
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:issforum-admin@;iss.net]On Behalf Of
> jaeson pilicon
> Sent: Friday, November 01, 2002 12:28 p.m.
> To: Nelson Fernando Aranzazu
> Cc: [EMAIL PROTECTED]
> Subject: Re: [ISSForum] Network Sensor can't capture
> events
>
>
> Dear Nelson,
>
> The IOS is "12.0(5.3)WC(1)", and the switch model is
> "C2900XL".
>
> I think that it cannot trigger the events with the
> connection events policy if port mirroring is not
> implemented.  But it can't recognize these packets as a
> correct pattern; all these TCP packets are shown as
> "suspicious tcp".
>
> Do you have any idea?
>
> thanks again,
> Jaeson
>
> --- Nelson Fernando Aranzazu
> <[EMAIL PROTECTED]> wrote:
> > Jaeson,
> >
> > What kind of switches do you have, IOS or CatOS?
> >
> > From your abstract, I think you should implement
> > some kind of
> > remote-port-mirroring (RSPAN) in switch B, because
> > it doesn't have port
> > mirroring enabled and, for example, right now switch A
> > isn't able to know if
> > there is traffic between two ports in switch B.
> >
> > Regards.
> >
> >
> > ----- Original Message -----
> > From: "jaeson pilicon" <[EMAIL PROTECTED]>
> > To: "Nelson Fernando Aranzazu"
> > <[EMAIL PROTECTED]>
> > Sent: Friday, November 01, 2002 11:22 AM
> > Subject: Re: [ISSForum] Network Sensor can't capture
> > events
> >
> >
> > > Dear Nelson,
> > >
> > > Thank you for your reply. Yes, I had done this "hme1"
> > > setting.  Do you have any idea?
> > >
> > > thanks
> > > Jaeson
> > >
> > > --- Nelson Fernando Aranzazu
> > > <[EMAIL PROTECTED]> wrote:
> > > > Jaeson
> > > >
> > > > Did you configure hme1 for promiscuous mode?
> > > >
> > > > If you didn't, try this one:
> > > >
> > > > /usr/sbin/ifconfig  hme1  plumb   -arp   up
> > > >
> > > > Regards.
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ----- Original Message -----
> > > > From: "jaeson pilicon" <[EMAIL PROTECTED]>
> > > > To: <[EMAIL PROTECTED]>
> > > > Sent: Friday, November 01, 2002 9:29 AM
> > > > Subject: [ISSForum] Network Sensor can't capture
> > > > events
> > > >
> > > >
> > > > > Dear all,
> > > > >
> > > > > I use NS sensor 6.5 on the Solaris 2.8 platform in
> > > > > stealth mode, but it can't capture any events and
> > > > > display them on WGM.
> > > > >
> > > > > The detailed settings/scenario are as follows:
> > > > > 1. One Network Sensor 6.5 on the Solaris 2.8 platform,
> > > > >    - "hme0" adaptor connected to WGM
> > > > >    - "hme1" adaptor as a monitoring interface without
> > > > >      an IP address
> > > > > 2. Workgroup Manager 6.5 installed on a W2k machine
> > > > >    (had applied the latest XPU & database patch)
> > > > > 3. Monitoring interface connected to a Cisco 29xx switch
> > > > >    (Port Monitoring had been done on the Cisco switch)
> > > > >
> > > > > Diagram:
> > > > >
> > > > >     Internal Network
> > > > >         |
> > > > >         |
> > > > >     Cisco Switch (B)
> > > > >         |
> > > > >         |(trunking)
> > > > >         |
> > > > >     Cisco Switch (A)
> > > > >         |
> > > > >         |(Port Monitoring)
> > > > >         |
> > > > >      [Stealth Mode]- hme1
> > > > >      Network Sensor 6.5
> > > > >         |
> > > > >         |
> > > > >      Working Manager 6.5
> > > > >
> > > > >
> > > > > My Testing:
> > > > > 1. Connect a notebook to Cisco Switch (A) and perform a
> > > > >    "port scan" attack.  NS sensor 6.5 can capture
> > > > >    this attack and display it on the WGM console. [Success]
> > > > > 2. But if I connect a notebook to Cisco Switch (B) and
> > > > >    perform a "port scan" attack, NS sensor 6.5 cannot
> > > > >    capture this attack. [Fail]
> > > > > 3. Then I tried to make a "connection events" policy to
> > > > >    capture all TCP events.  NS sensor 6.5 can
> > > > >    capture this event, but it is not shown as a "port
> > > > >    scan" attack.  It shows this event as
> > > > >    (suspicious tcp).
> > > > >
> > > > > I would appreciate it if you could give me any
> > > > > suggestions.
> > > > >
> > > > > thank you,
> > > > > Jaeson
>
=== message truncated ===


_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
