Did something change in the behaviour of Network Sensor connection events from version 6.5 to 7.0?
Connection events used to trigger when an attacker would attempt to connect to a network device on a given connection port (source ip any, source service any, dest ip any, dest service ssh) - even if there was no ssh service listening on that device. Now, in version 7.0, the event appears to trigger only if the connection is established with a system that is running ssh, and the three-way handshake is established. The policy manual regarding connection events for both 6.5 and 7.0 looks the same.

Similarly, we used to have a connection event trigger when someone attempted to connect to one of our unused ip addresses (source ip/service any, dest ip=unused ip, service any). After the upgrade to 7.0, this event no longer triggers when trying to connect to this ip.

Anyone know why?

_______________________________________________
ISSForum mailing list
