 
RE: [ISSForum] Attack Policy Best Practice

issforum-adminiss.net
Date: Tue Jul 01 2003 - 14:08:21 CDT


Hello Eric,
 
Thank you for the response. I am still confused. Don't you have to go
through each attack signature (rule) to enable RSKILL like you have to
with the email/pager option? Or can you do it from a different location
like the response? I guess my real question is: do you enable
RSKILL from the policy or from the response? And what are the
differences? My assumption is the response can do it globally and the
policy can do it individually. How off am I?
 
Michael
 
 
 
 
>>> issforum-adminiss.net 07/01/03 07:56AM >>>

Michael, I simply used the defaults that were already in the policy and
have had good success with it blocking attacks that warrant such
actions. Don't forget to configure a response file for the sensors and
enable RSKILL. The thing I didn't like is that, in order to send
emails/pages when being attacked, you have to go through each policy and
rule and enable emails if you wish to be notified about such attacks. I
realize that a person can accidentally create a flood of emails if they
are not careful, but, at a minimum, I want to be notified if anything
suspicious is taking place without constantly monitoring the
SiteProtector console (or am I dreaming?)... Good Luck!! Eric
-----Original Message-----
From: issforum-adminiss.net [mailto:issforum-adminiss.net]
Sent: Monday, June 30, 2003 4:32 PM
To: issforumiss.net
Subject: [ISSForum] Attack Policy Best Practice

Hi All,
 
Quick question on creating (or 'deriving new') policy from ISS's
default 'Attack Detector' policy. What are the recommended signatures
to configure RSKILLS for to protect the internal network with a version
7 network sensor? Or do I have to go through the whole list and either
guess at which ones I should be protected from, or go through the
present analysis and, whatever tag names show up, configure the policy
to send RSKILLS for? The latter seems a little backwards, as in
configuring the protection AFTER the attack... Sorry if this is a dumb
question OR the wrong place to ask this question, but I am new with the
ISS IDS.

Thanks in advance!
 
Michael
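Two practical points come up in this thread: Michael's idea of mining the existing analysis for the tag names that actually fire, and Eric's warning that per-rule email notification can turn into a flood. The following is an added example, not code from the original posts and not an ISS/RealSecure tool or export format. It assumes a simplified, hypothetical flat event record (timestamp, tag name, source address, priority); the sample events are constructed. It shows the two checks a practitioner would run before enabling notifications or RSKILL on a list of signatures: tally which tags are actually seen, and throttle repeated alerts so one noisy source cannot generate a page per packet.

```python
"""Added example: summarise IDS events by tag and throttle notifications.

Assumption (hypothetical): each event is (timestamp_seconds, tag, src_ip, priority).
This is not ISS's own export format; it only stands in for one.
"""
from collections import Counter

PRIORITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed sample events, not real sensor output.
SAMPLE_EVENTS = [
    (0, "HTTP_Unix_Passwd", "10.1.1.5", "high"),
    (5, "HTTP_Unix_Passwd", "10.1.1.5", "high"),   # repeat within window
    (30, "Port_Scan", "10.1.1.9", "medium"),
    (40, "ICMP_Echo", "10.1.1.9", "low"),           # below threshold
    (50, "HTTP_Unix_Passwd", "10.1.1.5", "high"),  # still within window
    (70, "HTTP_Unix_Passwd", "10.1.1.5", "high"),  # window expired, notify again
    (75, "HTTP_Unix_Passwd", "10.2.2.2", "high"),  # different source, notify
]


def tags_seen(events, min_priority="medium"):
    """Count how often each tag fired at or above min_priority.

    This is the 'look at the present analysis' approach: the result is the
    candidate list of signatures worth enabling a response for.
    """
    threshold = PRIORITY_RANK[min_priority]
    counts = Counter()
    for _ts, tag, _src, prio in events:
        if PRIORITY_RANK[prio] >= threshold:
            counts[tag] += 1
    return counts


def select_notifications(events, window=60, min_priority="medium"):
    """Decide which events should produce an email/page.

    Rules:
      * drop anything below min_priority;
      * send at most one notification per (tag, src_ip) per `window` seconds,
        suppressing repeats inside the window.
    Returns (sent_events, suppressed_count, below_threshold_count).
    """
    threshold = PRIORITY_RANK[min_priority]
    last_sent = {}          # (tag, src) -> timestamp of last notification
    sent, suppressed, below = [], 0, 0
    for ts, tag, src, prio in sorted(events):
        if PRIORITY_RANK[prio] < threshold:
            below += 1
            continue
        key = (tag, src)
        if key in last_sent and ts - last_sent[key] < window:
            suppressed += 1
            continue
        last_sent[key] = ts
        sent.append((ts, tag, src, prio))
    return sent, suppressed, below


if __name__ == "__main__":
    for tag, n in tags_seen(SAMPLE_EVENTS).most_common():
        print(f"{tag}: {n} event(s)")
    sent, suppressed, below = select_notifications(SAMPLE_EVENTS)
    print(f"notify on {len(sent)} event(s), suppressed {suppressed}, ignored {below}")
    for ev in sent:
        print("  ", ev)
```

The window and priority threshold are the two knobs that decide whether a per-rule notification setting is tolerable; tune them against a day of real events before turning on email for a long list of signatures.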

_______________________________________________
ISSForum mailing list
ISSForumiss.net