Enabling trust.myself basically turns off the IDS for outbound traffic. Personally I would recommend enabling it since it will save you from seeing a fair amount of false positives.

I don't think you lose much by doing this for two reasons. If you have other IDSs on your network, picking up this traffic should not be that difficult. Also, if an agent is already infected with some sort of malware I would not completely trust any information coming from that machine. Many of the malware programs out there currently target Desktop Protector along with countless other personal firewall / IDS agents.

It really depends on your network / environment though. (:

- Adrian

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Bob Erwin
Sent: Wednesday, December 24, 2003 2:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ISSForum] Desktop Protector Reporting URL

Hey,

If I could ask one more question dealing with this Desktop Protector IDS. What is the theory with trust.myself? Is this a good thing to implement? It cuts down on a lot of false positives when I enable this setting.

I think I understand the concept of disabling this: If a user is trying to replicate an exploit worm, IDS will Prevent it? Is my thinking right there? However, if the worm infiltrates the machine over the network, then it will probably be able to go outbound as well?

You are definitely pointing me in the right direction and technically I see what I need to do, I'm just wondering about the theory of it.

Thanks again for your help!

Bob

-----Original Message-----
From: Corman, Joshua D. (ISS New Hampshire) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 24, 2003 10:38 AM
To: Bob Erwin; [EMAIL PROTECTED]
Subject: RE: [ISSForum] Desktop Protector Reporting URL

In response to your 2nd question...

There are 2 other options besides Trusting an entire IP. Both are described in the documentation.

Trust.pair will trust a particular IssueID against a particular IP.
--This is very effective in eliminating IDS events from legitimate sources
-(e.g. your DNS Servers, Mail Servers, etc.)
-the bulk of the Events are tripped by only a handful of systems

Trust.issue is handy to shut off IDS and Event for a particular check
--This will apply to all addresses
--Use this to get rid of Suspicious Events you may not care about

Trusting an address or address range is overkill and risky for the reasons you've stated. Judicious use of both Trust.Issue and Trust.Pair is a far better way to eliminate the "noise" while keeping up your defenses.

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Bob Erwin
Sent: Wednesday, December 24, 2003 10:34 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Desktop Protector Reporting URL

Hey,

I have been setting up the Desktop Protector for this client and have an issue that I cannot find any settings for. The Reporting URL is showing up as an IP address instead of a DNS Name. Where do I change that at the server level? I have checked the templates and can't find it...

Also, on another note, I was wondering how other people are setting up their desktop protection. At first I thought that I would include the local network as a trusted network, however, I discovered that once you do that, those IPs pretty much bypass the IDS. Which means that if you get a vulnerability exploit worm in your network it can replicate without problem. However, if you take out the trusting network, you get a ton of false alarms. I guess I'm just looking for strategy here....

Thanks for your help,

Bob

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
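
The trade-off discussed in this thread, as an added illustration that is not part of the original messages and is not Desktop Protector's own code or configuration syntax: a simplified Python model of event suppression comparing a trusted address range with trust.pair plus trust.issue. The issue IDs, addresses and class names are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Event:
    issue_id: int   # constructed placeholder IDs, not real ISS issue IDs
    src: str        # source IP that tripped the check


@dataclass(frozen=True)
class TrustPolicy:
    addresses: tuple = ()            # networks trusted outright
    pairs: frozenset = frozenset()   # (issue_id, ip): one check, one host
    issues: frozenset = frozenset()  # issue_id: one check, every host

    def suppresses(self, ev: Event) -> bool:
        ip = ip_address(ev.src)
        if any(ip in ip_network(net) for net in self.addresses):
            return True              # every check is skipped for this host
        if ev.issue_id in self.issues:
            return True
        return (ev.issue_id, ev.src) in self.pairs


def reported(policy: TrustPolicy, events: list) -> list:
    """Events that still reach the console under the given policy."""
    return [e for e in events if not policy.suppresses(e)]


# Constructed sample: 9001 = noisy check tripped by the DNS server,
# 9002 = suspicious event nobody cares about, 9003 = worm exploit attempt.
DNS = "10.0.0.53"
EVENTS = [
    Event(9001, DNS),           # legitimate DNS noise
    Event(9002, "10.0.0.21"),   # unwanted suspicious event
    Event(9002, "192.0.2.10"),
    Event(9003, "10.0.0.77"),   # infected workstation on the LAN
    Event(9003, DNS),           # the DNS server itself misbehaving
]

# Trusting the whole local network versus targeted suppression.
BROAD = TrustPolicy(addresses=("10.0.0.0/24",))
NARROW = TrustPolicy(pairs=frozenset({(9001, DNS)}), issues=frozenset({9002}))

if __name__ == "__main__":
    print("trusted range :", reported(BROAD, EVENTS))
    print("pair + issue  :", reported(NARROW, EVENTS))
```

Under the trusted range only the external 9002 event is still reported and both worm events from the LAN disappear; under the pair and issue policy all noise is suppressed and both worm events remain visible, including the one from the otherwise noisy DNS server.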
