I was under the impression that "viewsession" was going to be disable or eliminated starting with Network Sensor 7.0 Perhaps this behavior is related to a partial removal of the option. I think somebody from ISS will clarify this for us. On the other hand I will try to duplicate the behavior. Regards Eduardo Palacio Osorio ASARSA Tel 5528-7930 Mov 044-55-5965-5705
----- Original Message ----- From: <[EMAIL PROTECTED]> To: "[EMAIL PROTECTED] net (E-mail)" <[EMAIL PROTECTED]> Sent: Tuesday, July 08, 2003 1:36 PM Subject: [ISSForum] Proposing a potential bug in Site Protector > Below are my findings with Site Protector when used in conjunction with > Network Sensor 7.0. In order to successfully duplicate this bug, an > existing network policy provided by site Protector must be used to derive a > new custom policy. Name the custom policy whatever is desired and then > select specific attacks and modify by selecting "viewsession" and/or > "logwithraw". The purpose for this is to confirm that other individuals are > able to duplicate this behavior. > > When using the default or any other Network Sensor policy that already comes > provided with Site Protector, this behavior does not take place and all > events show up in the console as anticipated. > > When using an existing network policy from Site Protector to derive a new > custom policy, there a 3 distinct possible outcomes: > > (please note that "display" must always be selected for any of the selected > attacks) > > > 1) on specific attacks, if "viewsession" and "logwithraw" are both selected > for any specific attack, and this new custom policy is applied to the > network sensor, the result will be that only 3 different alerts show in the > console and no more...regardless. > > 2) on specific attacks, if only "viewsession" is selected for any specific > attack, and this new custom policy is applied to the network sensor, the > result will be that "0" (none) different alerts show in the console and no > more...regardless. > > 3) on specific attacks, if only "logwithraw" is selected for any specific > attack, and this new custom policy is applied to the network sensor, the > result will be that all alerts show in the console and the behavior is as > expected > > It appears that the issue gravitates around the selection of "viewsession" > in any Network Sensor 7.0 policy that has either been imported or derived > from an existing Site Protector Network Sensor policy. > > > Tim Slighter > Security Consultant > NRCS/USDA > [EMAIL PROTECTED] > > _______________________________________________ > ISSForum mailing list > [EMAIL PROTECTED] > > TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
