Below are my findings with Site Protector when used in conjunction with Network Sensor 7.0. In order to successfully duplicate this bug, an existing network policy provided by Site Protector must be used to derive a new custom policy. Name the custom policy whatever is desired and then select specific attacks and modify by selecting "viewsession" and/or "logwithraw". The purpose for this is to confirm that other individuals are able to duplicate this behavior.
When using the default or any other Network Sensor policy that already comes provided with Site Protector, this behavior does not take place and all events show up in the console as anticipated.

When using an existing network policy from Site Protector to derive a new custom policy, there are 3 distinct possible outcomes (please note that "display" must always be selected for any of the selected attacks):

1) On specific attacks, if "viewsession" and "logwithraw" are both selected for any specific attack, and this new custom policy is applied to the network sensor, the result will be that only 3 different alerts show in the console and no more...regardless.

2) On specific attacks, if only "viewsession" is selected for any specific attack, and this new custom policy is applied to the network sensor, the result will be that "0" (none) different alerts show in the console and no more...regardless.

3) On specific attacks, if only "logwithraw" is selected for any specific attack, and this new custom policy is applied to the network sensor, the result will be that all alerts show in the console and the behavior is as expected.

It appears that the issue gravitates around the selection of "viewsession" in any Network Sensor 7.0 policy that has either been imported or derived from an existing Site Protector Network Sensor policy.

Tim Slighter
Security Consultant
NRCS/USDA
[EMAIL PROTECTED]

ISSForum mailing list
