I have ISS support working on this, but I haven't heard from them in like two days, so who knows what's going on.

I have the following problem. I have exchanged keys using opsec_putkey, fw putkey, and the IDS sensor and the SmartCenter appear to talk properly, no errors. However, when I configure a rule to utilize OPSEC and to notify -> block service, I see the following in my /var/log/messages:

May 21 17:47:51 ids_1 ISS[4125]: (network_sensor_1) - send_sam_action( 4, 4, FW_Cluster, 32, 60, 0x0, 0x0, 0, 6 )

On my firewall I see SAM request, notify, src=0.0.0.0 dst=0.0.0.0 srv=0, which means any,any,any.

Why isn't the IDS sending over the particular source/destination/service? Is there a flag somewhere, or something I need to change? I also read the SAM configuration guide, no help. I also found another document that suggested that you need 4.1 backward compatibility installed; however, I don't really think this is necessary, since the IDS and FW are communicating. It's just that the IDS is not sending the appropriate information.

Thanks,
Derek O'Flynn
Enterprise Information Security
LSU Health Sciences Center
(504)568-6130
