It was explained to me by ISS Support that ViewSession is a feature from
the good old days of Network Ice that is no longer implemented in 6.5 or
7.0 RealSecure. You can select it in a policy because the Policy Editor
does not understand the difference between sensor versions. If you edit
the 7.0 Sensor Response (you must configure and apply this for responses
such as LogEvidence to work), you will notice that there is no option for
ViewSession. This confirms what ISS told me about ViewSession being
discontinued. However, there is an option for LogEvidence and I have not
had any trouble with it, even when using custom policies derived from
canned policies.
If I am wrong about ViewSession not being supported in RealSecure 7.0,
please tell me. The absence of this feature is my biggest problem with the
product.
Ryan Thomas
Network Security Consultant
[EMAIL PROTECTED]ss.net
07/08/2003 11:36 AM
Please respond to issforum

To: "[EMAIL PROTECTED] net (E-mail)" <[EMAIL PROTECTED]>
cc:
Subject: [ISSForum] Proposing a potential bug in Site Protector

Below are my findings with Site Protector when used in conjunction with
Network Sensor 7.0. In order to successfully duplicate this bug, an
existing network policy provided by Site Protector must be used to derive a
new custom policy. Name the custom policy whatever is desired and then
select specific attacks and modify by selecting "viewsession" and/or
"logwithraw". The purpose for this is to confirm that other individuals
are able to duplicate this behavior.
When using the default or any other Network Sensor policy that already
comes provided with Site Protector, this behavior does not take place and
all events show up in the console as anticipated.
When using an existing network policy from Site Protector to derive a new
custom policy, there are 3 distinct possible outcomes:
(please note that "display" must always be selected for any of the selected
attacks)
1) on specific attacks, if "viewsession" and "logwithraw" are both
selected for any specific attack, and this new custom policy is applied to
the network sensor, the result will be that only 3 different alerts show in
the console and no more...regardless.
2) on specific attacks, if only "viewsession" is selected for any specific
attack, and this new custom policy is applied to the network sensor, the
result will be that "0" (none) different alerts show in the console and no
more...regardless.
3) on specific attacks, if only "logwithraw" is selected for any specific
attack, and this new custom policy is applied to the network sensor, the
result will be that all alerts show in the console and the behavior is as
expected.
It appears that the issue gravitates around the selection of "viewsession"
in any Network Sensor 7.0 policy that has either been imported or derived
from an existing Site Protector Network Sensor policy.
Tim Slighter
Security Consultant
NRCS/USDA
[EMAIL PROTECTED]
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo