Michael,

I simply used the defaults that were already in the policy and have had good successes with it blocking attacks that warrant such actions. Don't forget to configure a response file for the sensors and enable RSKILL.

The thing I didn't like is that, in order to send emails/pages when being attacked, you have to go through each policy and rule and enable emails if you wish to be notified about such attacks. I realize that a person can accidentally create a flood of emails if they are not careful but, at a minimum, I want to be notified if anything suspicious is taking place without constantly monitoring the SiteProtector console (or am I dreaming??)…

Good Luck!!

Eric

-----Original Message-----

Hi All,

Quick question on creating (or 'deriving new') policy from ISS's default 'Attack Detector' policy. What are the recommended signatures to configure RSKILLS for to protect the internal network with a version 7 network sensor? Or do I have to go through the whole list and either guess at which ones I should be protected from or do I go through the present analysis and whatever tag names show up I configure the policy to send RSKILLS to. The latter seems a little backwards, as in configuring the protection AFTER the attack....

Sorry if this is a dumb question OR the wrong place to ask this question but I am new with the ISS IDS.

Michael

- [ISSForum] Attack Policy Best Practice issforum-admin
