Hello Eric,
 
Thank you for the response. I am still confused. Don't you have to go through each attack signature (rule) to enable RSKILL like you have to with the email/pager option? Or can you do it from a different location like the response? I guess my real question is... do you enable the RSKILL from the policy or from the response? And what are the differences? My assumption is the response can do it globally and the policy can do it individually? How off am I?
 
Michael
 
 
 
 
>>> [EMAIL PROTECTED] 07/01/03 07:56AM >>>

Michael, I simply used the defaults that were already in the policy and have had good successes with it blocking attacks that warrant such actions. Don't forget to configure a response file for the sensors and enable RSKILL. The thing I didn't like is that, in order to send emails/pages when being attacked, you have to go through each policy and rule and enable emails if you wish to be notified about such attacks. I realize that a person can accidentally create a flood of emails if they are not careful but, at a minimum, I want to be notified if anything suspicious is taking place without constantly monitoring the SiteProtector console (or am I dreaming??)...

 

Good Luck!!

 

Eric

 

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, June 30, 2003 4:32 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Attack Policy Best Practice

 

Hi All,

 

Quick question on creating (or 'deriving new') policy from ISS's default 'Attack Detector' policy. What are the recommended signatures to configure RSKILLS for to protect the internal network with a version 7 network sensor? Or do I have to go through the whole list and either guess at which ones I should be protected from or do I go through the present analysis and whatever tag names show up I configure the policy to send RSKILLS to? The latter seems a little backwards, as in configuring the protection AFTER the attack... Sorry if this is a dumb question OR the wrong place to ask this question but I am new with the ISS IDS.

Thanks in advance!

 

Michael
