Hi Jack,

I'm having this problem too, but found it on another signature, "TCP_Probe_HTTP". Basically, the addresses reflected in source and destination do not tally with victim and intruder. I have opened a case and apparently it's caused by XPU 20.13.

If you wish to change how the source and destination IP are reported without using the New Tuning Parameters in X-Press Update 20.13, please set this value. You would need to do the following from your RealSecure Workgroup Manager:

1) Right click the affected sensor and select Properties.
2) Navigate to the Advance Tab and select 'Add'.
3) The parameters are:
     Name = pam.report.intruder-as-source
     Type = Boolean
     Value = True
4) Click Ok to apply the setting.

With this configuration, the sensor will report the SourceIP as the attackerip and the DestinationIP as the victimip.

Hope this helps.... :)

----- Original Message -----
From: "Chan, Jack" <[EMAIL PROTECTED]>
Date: Tue, 17 Jun 2003 09:20:36 +1000
To: [EMAIL PROTECTED]
Subject: [ISSForum] NIDS 7.0 source and destination fields

> Hi,
>
> I have done a Network IDS 7.0 installation recently. (NIDS sensor NIC on a
> hub with external FW interface, attackdetector policy applied)
>
> It is picking up quite a lot of HTTP Code Red, Nimda etc. FROM my internal
> web server. I am 120% sure that the webserver is patched, and checked the
> configurations, vulnerability alerts etc.
>
> Double click on an HTTP code red II event will show:
> .....
> Source IP address: a.b.c.d (my web server), confused.....
> Destination IP address: w.x.y.z (some external Internet address),
> confused.....
> Victim's IP address: a.b.c.d (my web server), looks correct....
> Intruder IP address: w.x.y.z (some external Internet address),
> looks correct....
> ......
>
> I am unsure of why the NIDS is picking up the "wrong" Source and Destination IP
> address as my webserver? Any ideas or advice???
> Or which table in the ISSED can I find victim/intruder's IP address??
> (Doesn't look like they are in Events table).
>
> Thanks a lot,
>
> Jack,
> Security analyst
> _______________________________________________
> ISSForum mailing list
> [EMAIL PROTECTED]
>
> TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
> https://atla-mm1.iss.net/mailman/listinfo
