Thanks to the 4 of you for the prompt response! So it is "working by design", as some signatures are detected in the reply packets.
Can anyone kindly suggest in which tables/fields I can find the intruder and victim in ISSED? I am writing code (using ODBC) to extract attackers and other info. The code works for HIDS, but NIDS data will look a bit funny if my web server is rated as one of the top ten attackers for the month :)

Thanks,
Jack

-----Original Message-----
From: Chan, Jack
Sent: Tuesday, 17 June 2003 11:21 a.m.
To: [EMAIL PROTECTED]
Subject: [ISSForum] NIDS 7.0 source and destination fields

Hi,

I have done a Network IDS 7.0 installation recently. (NIDS sensor NIC on a hub with external FW interface, attackdetector policy applied)

It is picking up quite a lot of HTTP code red, Nimda etc. FROM my internal web server. I am 120% sure that the webserver is patched, and I have checked the configurations, vulnerability alerts etc.

Double click on an HTTP code red II event will show:

.....
Source IP address: a.b.c.d (my web server), confused.....
Destination IP address: w.x.y.z (some external Internet address), confused.....
Victim's IP address: a.b.c.d (my web server), looks correct....
Intruder IP address: w.x.y.z (some external Internet address), looks correct....
......

I am unsure why the NIDS is picking up the "wrong" Source and Destination IP address as my webserver. Any ideas or advice?

Or in which table in the ISSED can I find the victim's/intruder's IP address? (It doesn't look like they are in the Events table.)

Thanks a lot,
Jack,
Security analyst

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
