RE: [ISSForum] Attack Policy Best Practice

issforum-adminiss.net
Date: Wed Jul 02 2003 - 16:16:36 CDT


Michael, the RSKILL option is enabled by default on a lot of the signatures
in the policy files. I simply used those settings. If you want to enable or
disable the RSKILL option on certain signatures, you WILL have to open
the policy and check/uncheck the RSKILL option on each signature (same
as the email option). The response file enables the sensor to respond to
the RSKILL option. It is not a global setting for each signature but rather
a setting that dictates whether the sensor will actually perform the
RSKILL. In other words, if the RSKILL option is checked on a signature
in the policy and the signature is triggered but the RSKILL option is
not selected in the sensor response file, the sensor won't perform an
RSKILL. On the other hand, if RSKILL is checked in the response file
and a signature is triggered that does not have the RSKILL option
checked, the sensor still won't perform the RSKILL.
 
I think ISS set it up this way so that you can install a policy on
multiple sensors and then specify per sensor how to respond. The same
goes with the email option as well as all of the other options that are
configurable in the policies and response files.
 
Hope this helps.
 
P.S. I am rather new to the ISS platform myself but I think I have a
handle on this part of the configuration. If I am wrong, someone please
let me know!!!!
 
-----Original Message-----
From: issforum-adminiss.net [mailto:issforum-adminiss.net]
Sent: Tuesday, July 01, 2003 2:08 PM
To: issforumiss.net
Subject: RE: [ISSForum] Attack Policy Best Practice
 
Hello Eric,
 
Thank you for the response. I am still confused. Don't you have to go
through each attack signature (rule) to enable RSKILL, like you have to
with the email/pager option? Or can you do it from a different location,
like the response? I guess my real question is: do you enable the
RSKILL from the policy or from the response? And what are the
differences? My assumption is the response can do it globally and the
policy can do it individually? How off am I?
 
Michael
 
 
 
 
>>> issforum-adminiss.net 07/01/03 07:56AM >>>
Michael, I simply used the defaults that were already in the policy and
have had good success with it blocking attacks that warrant such
actions. Don't forget to configure a response file for the sensors and
enable RSKILL. The thing I didn't like is that, in order to send
emails/pages when being attacked, you have to go through each policy and
rule and enable emails if you wish to be notified about such attacks. I
realize that a person can accidentally create a flood of emails if they
are not careful but, at a minimum, I want to be notified if anything
suspicious is taking place without constantly monitoring the
SiteProtector console (or am I dreaming??)...
 
Good Luck!!
 
Eric
 
-----Original Message-----
From: issforum-adminiss.net [mailto:issforum-adminiss.net]
Sent: Monday, June 30, 2003 4:32 PM
To: issforumiss.net
Subject: [ISSForum] Attack Policy Best Practice
 
Hi All,
 
Quick question on creating (or 'deriving new') policy from ISS's default
'Attack Detector' policy. What are the recommended signatures to
configure RSKILLS for to protect the internal network with a version 7
network sensor? Or do I have to go through the whole list and either
guess at which ones I should be protected from or do I go through the
present analysis and whatever tag names show up I configure the policy
to send RSKILLS to. The latter seems a little backwards, as in
configuring the protection AFTER the attack....Sorry if this is a dumb
question OR the wrong place to ask this question but I am new with the
ISS IDS.

Thanks in advance!
 
Michael

_______________________________________________
ISSForum mailing list
ISSForumiss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo