Michael,

The RSKILL is enabled by default on a lot of the signatures in the policy files. I simply used those settings. If you want to enable or disable the RSKILL option on certain signatures, you WILL have to open the policy and check/uncheck the RSKILL option on each signature (same as the email). The response file enables the sensor to respond to the RSKILL option. It is not a global setting for each signature but rather a setting that dictates whether the sensor will actually perform the RSKILL. In other words, if the RSKILL option is checked on a signature in the policy and the signature is triggered but the RSKILL option is not selected in the sensor response file, the sensor won’t perform an RSKILL. On the other hand, if the RSKILL is checked in the response file and a signature is triggered that does not have the RSKILL option checked, the sensor still won’t perform the RSKILL. I think ISS set it up this way so that you can install a policy on multiple sensors and then specify per sensor how to respond. The same goes for the email option as well as all of the other options that are configurable in the policies and response files.

Hope this helps.

P.S. I am rather new to the ISS platform myself, but I think I have a handle on this part of the configuration. If I am wrong, someone please let me know!!!!

-----Original Message-----

Hello Eric,

Thank you for the response. I am still confused. Don't you have to go through each attack signature (rule) to enable RSKILL like you have to with the email/pager option? Or can you do it from a different location like the response? I guess my real question is: do you enable the RSKILL from the policy or from the response? And what are the differences? My assumption is the response can do it globally and the policy can do it individually? How off am I?

Michael

>>> [EMAIL PROTECTED] 07/01/03 07:56AM >>>

Michael,

I simply used the defaults that were already in the policy and have had good success with it blocking attacks that warrant such actions. Don’t forget to configure a response file for the sensors and enable RSKILL. The thing I didn’t like is that, in order to send emails/pages when being attacked, you have to go through each policy and rule and enable emails if you wish to be notified about such attacks. I realize that a person can accidentally create a flood of emails if they are not careful, but, at a minimum, I want to be notified if anything suspicious is taking place without constantly monitoring the SiteProtector console (or am I dreaming??)…

Good Luck!!

Eric

-----Original Message-----

Hi All,

Quick question on creating (or 'deriving new') policy from ISS's default 'Attack Detector' policy. What are the recommended signatures to configure RSKILLS for to protect the internal network with a version 7 network sensor? Or do I have to go through the whole list and either guess at which ones I should be protected from, or do I go through the present analysis and, whatever tag names show up, configure the policy to send RSKILLS for? The latter seems a little backwards, as in configuring the protection AFTER the attack.... Sorry if this is a dumb question OR the wrong place to ask this question, but I am new with the ISS IDS.

Michael
