Hi

Jack Chan wrote:
> Can anyone kindly suggest which tables/fields I can find the
> intruder and victim in ISSED??
>
> As I am writing code (using odbc) to extract out attackers
> and other info. The code works for HIDS, but NIDS data will
> look a bit funny if my web server is rated as Top ten attackers
> for the month :)
I have moaned about this behaviour off and on for a couple of years now. All credit to ISS - there was a new tuning parameter introduced in XPU 20.13 for RSNS7.0 that fixes the 'source' and 'destination' addresses to mean what we expect them to mean, rather than what is technically correct!

From the .ini file for XPU 20.13:
----------------------------------
a) Normally, sensors report and consoles show source and destination as the source and destination of the packet that triggered the event. As an alternative, you can enable the Boolean tuning parameter, pam.report.intruder-as-source, to change the semantics of source and destination. When enabled, sensors will report and consoles will show source and destination as the source of the attack and destination of the attack respectively (for attack events). Likewise, for audits, source and destination will be the source and destination of the client request. That is, source will be the client and destination will be the server.
----------------------------------

Obviously, this will only help for alerts that come in after you make the change, but it should help matters from here on in!

Robert

PS - if you are scripting results, "additional" details are in the EventParams table, but are not that easy to extract!

--
Robert Turner GCIA
Security Solutions Designer & Analyst
BT Secure Business Services
T: +44 (0)113 244 5951
F: +44 (0)113 244 5657
[EMAIL PROTECTED]

# include std.disclaimer

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
