This is because there are many "signatures" that
trigger on a victim's responses, which means that the
source of the attack is the destination of the packet.
In other cases, rather than reversing the IP
addresses, the intruder/victim might not correspond to
the IP addresses in the packet altogether.
For example, portscans. Portscans do not trigger on the
request packet. They trigger on TCP RST packets or
ICMP unreachable packets coming back from the
"victim". It makes for a more reliable signature, but
also a less obvious one. Therefore, if you want to
prevent the portscan event from triggering (instead of
filtering it after it triggers) you will need to
filter some or all of the traffic from the victim to
the intruder.
Advance Happy Holidays
(",)
--- Philip Veilleux <[EMAIL PROTECTED]> wrote:
> Hi everyone,
>
> I'm pretty new to ISS and I have a weird issue. I've got 5 sensors
> (4 Solaris and 1 win). I push policies with event filter (ex:
> SNMP_Community) but the Console still shows the events :-S Seems like
> the sensors have the right policy as per the policy file on the sensor
> after a policy push. They're just not effective.
>
> Am I missing something?
>
> Thanks in advance for all the help
>
> Philip
> _______________________________________________
> ISSForum mailing list
> [EMAIL PROTECTED]
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
=====
Glenn I. Marquez
If any man desire to be first, the same shall be last of all, and servant of all - Mark 9:35
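
The filtering behaviour described in the reply above, as an added example that is not part of the original thread and is not ISS code: a simplified portscan detector that counts only response packets, run over constructed traffic with a filter applied in each direction. The addresses, the threshold and all function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample traffic: (src, dst, kind, port). 10.0.0.9 probes 10.0.0.5.
SCANNER, TARGET = "10.0.0.9", "10.0.0.5"
PACKETS = []
for port in range(20, 30):
    PACKETS.append((SCANNER, TARGET, "SYN", port))   # request packet
    PACKETS.append((TARGET, SCANNER, "RST", port))   # response from a closed port

def detect_portscan(packets, threshold=5):
    """Raise an event when one host answers `threshold` distinct ports with
    RST / ICMP unreachable to the same peer. Only responses are counted."""
    refused = defaultdict(set)          # (responder, peer) -> ports refused
    events = []
    for src, dst, kind, port in packets:
        if kind not in ("RST", "ICMP_UNREACH"):
            continue                    # request packets never trigger
        refused[(src, dst)].add(port)
        if len(refused[(src, dst)]) == threshold:
            # Roles are reversed relative to the packet: src is the victim.
            events.append({"intruder": dst, "victim": src})
    return events

def drop(packets, src, dst):
    """Pre-detection traffic filter: discard packets sent from src to dst."""
    return [p for p in packets if not (p[0] == src and p[1] == dst)]

def run_demo():
    unfiltered = detect_portscan(PACKETS)
    # Filter written the "obvious" way, intruder -> victim: event still fires.
    wrong_way = detect_portscan(drop(PACKETS, SCANNER, TARGET))
    # Filter on victim -> intruder traffic: the event no longer triggers.
    right_way = detect_portscan(drop(PACKETS, TARGET, SCANNER))
    return unfiltered, wrong_way, right_way

if __name__ == "__main__":
    labels = ("none", "intruder->victim", "victim->intruder")
    for label, result in zip(labels, run_demo()):
        print(f"filter {label}: {result}")
```
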