[prev in list] [next in list] [prev in thread] [next in thread] 

List:       issforum
Subject:    [ISSForum] Adjust IP_Duplicate signature...
From:       "Sergey V Soldatov" <SVSoldatov () tnk ! ru>
Date:       2003-11-27 13:14:13
[Download RAW message or body]

Hi All.

SPAN port on which NetworkSensor is sniffing is configured to monitor ports
in number of VLANs, so if packet is routed from one VLAN to another (and
Sensor is sniffing both VLANs) IP_Duplicate will be triggered for
legitimate packets, because transmitted to router packet contains
workstation IP and _workstation_ MAC and reseived from router packet
contains workstation IP and _router_ MAC.
The solusion, I think, is in creation event filter for IP_Duplicate: not to
trig IP_Duplicate when one of MACs is MAC of router. But as I see, ISS is
not able to create such a filter, because all filters are working on lever
not lower then IP. Am I wrong? Are any onther means to adjust signatures on
MAC level?

Thanks.
---
Best regards, Sergey V. Soldatov
Department of information security,
TNK-BP.
tel/fax +7 095 745 89 50 (2663)


_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
[prev in list] [next in list] [prev in thread] [next in thread]