Chin,

If the Event Collector (EC) is down, the sensor continues working exactly as before. The only impact is that your events are not being written to the database.

The only function of the EC is to receive events. They do not influence the behaviour of a sensor in any way. Sensors operate according to the policy you set, using WGM (or SiteProtector), which, of course, is related to the signatures available.

If a policy includes sending an RSKill for a particular signature, the sensor will send an RSKill on the designated RSKill interface immediately when the signature is detected - independently of the EC. The event is then placed in a queue for transmission to the EC.

If the EC is already in contact with the sensor, that event will be sent right away. If not, the queue keeps growing up to the size you configure (maximum of 15Mb). When the EC comes back online and is able to establish a session with the sensor, events are retrieved from the queue.

Regards,
Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Chin Wan
Sent: 04 December 2003 04:13
To: [EMAIL PROTECTED]
Subject: [ISSForum] Can IDS - network/server sensor - kill traffic?

Hi everyone

I'm using Realsecure Network & Server sensors, Workgroup Manager. I have a few questions here, so hope you all can help me.

I know that these sensors are to detect intrusion and log down events via Event Controller. However, do the sensors really kill 'illegal' traffic if I have the appropriate policy applied to the sensors? How does the sensor kill the traffic? Does the sensor still monitor the traffic/system even though the Event Collector is kinda 'down'?

Thanks everyone.. in advance for your help.

Regards
Chin
System Engineer
