RE: [ISSForum] False data and time for events

From: Sergey V Soldatov (SVSoldatovtnk.ru)
Date: Thu Jan 29 2004 - 09:15:21 CST


My EC was always throttling alerts; the addition of another one didn't help! And
I have not found how I can solve that problem! Installing one EC per
sensor is not a solution, because SiteProtector (SP) supports up to 5 ECs.

But I suppose that the problem is in the Security Fusion Module (SFM), because
before I installed SFM the number of events per second was approximately
the same, but the time shown in alerts was right. Now, with SFM, an alert always
has a time 30-90 min behind the current time!
Please, someone from ISS, tell me, am I right? Is the problem in SFM?

Thank you all.
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP

From: "Soda, Marcantonio" <Marcantonio.Sodancogroup.com>
Sent by: issforum-adminiss.net
Date: 28.01.2004 17:44
To: "'Ayden Nash'" <Aydenearthwave.com.au>, issforumiss.net
cc:
Subject: RE: [ISSForum] False data and time for events

I had this issue when my Event Collector became overloaded because of too
many alerts per second (I believe the max is 500). Look for EC warnings
that mention throttling.

If that's the issue you'll need to add another EC or lessen your alerts.

Hope this helps.

--
Marc Soda, CISSP
Information Security Engineer
NCO Group
215.441.2127
marc.sodancogroup.com

-----Original Message-----
From: Ayden Nash [mailto:Aydenearthwave.com.au]
Sent: Tuesday, January 27, 2004 7:49 PM
To: issforumiss.net
Subject: [ISSForum] False data and time for events

Hi all,

Alerts seen in SiteProtector all have wrong dates/times associated with
them, even though the operating systems they run on have the correct time.
It seems the run times of sensor updates etc. are ~9 hours behind. Where are
these false times coming from?

Thanks,
Ayden

_______________________________________________
ISSForum mailing list
ISSForumiss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
