Chris Brown wrote:
I have been trialling Intrushield and it logs and displays packet info
just fine, have you installed Ethereal and pointed Intrushield to it's
location? Also Intrushield tells you what sig it has fired on in the
alert viewer.......
I assume you mean you have to use ethereal to get at packets for events.
How do you "point" intrushield to Ethereal?
1) Does it rewrite the destination and retransmit the packets to some
destination?
2) Do you designate a physical port in the intrushield appliance to make
the packets available on that you would then capture using ethereal?
If it is #2 how do you perform analysis if you do not have physical
access to the system?
If it is #1 what good is a packet that has been rewritten?
If it is either would any of the vulnerabilities in Ethereal be
retransmitted to the analysis station? What about vulnerabilities in the
analysis platform itself? If you block a "Ping of Death"" would that PoD
take out the analysis system upon analysis? UPnP Broadcast? MSSQL
Discovery? ...
If it is none of these please clarify what you mean. Unfortunately I've
never sat in front of an intrushield and do not have one available to me
to play with or I would just go get the answers.
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
