Hi, I have done a Network IDS 7.0 installation recently. (NIDS sensor NIC on a hub with external FW interface, attackdetector policy applied)
It is picking up quite a lot of HTTP code red, nimba etc FROM my internal web server. I am 120% sure that the webserver is patched, and checked the configurations, vulnerability alerts etc. Double click on an HTTP code red II event will show: ..... Source IP address: a.b.c.d (my web server), confused..... Destination IP address: w.x.y.z (some external Internet address), confused..... Victim's IP address: a.b.c.d (my web server), looks correct.... Intruder IP address: w.x.y.z (some external Internet address), looks correct.... ...... I am unsure of why the NIDS picking up the "wrong" Source and Destination IP address as my webserver? Any ideas or advices??? Or which table in the ISSED can I find victim/intruder's IP address?? (Doesn't look like they are in Events table). Thanks alot, Jack, Security analyst _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
