Hi All. SPAN port on which NetworkSensor is sniffing is configured to monitor ports in number of VLANs, so if packet is routed from one VLAN to another (and Sensor is sniffing both VLANs) IP_Duplicate will be triggered for legitimate packets, because transmitted to router packet contains workstation IP and _workstation_ MAC and reseived from router packet contains workstation IP and _router_ MAC. The solusion, I think, is in creation event filter for IP_Duplicate: not to trig IP_Duplicate when one of MACs is MAC of router. But as I see, ISS is not able to create such a filter, because all filters are working on lever not lower then IP. Am I wrong? Are any onther means to adjust signatures on MAC level?
Thanks. --- Best regards, Sergey V. Soldatov Department of information security, TNK-BP. tel/fax +7 095 745 89 50 (2663) _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
