TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Robert,
If you modify your policies on the console with such parameters as listed in
my original email, it will keep anytime it is pushed to the console.
You can modify the "preset policies" as well by simply removing the
read-only feature, adding the parameters and setting it back to read-only.
Any policy you derive from that point out should include http on 80 and
8080.
Cheers,
==================================
Brian Fitch, IDS Support Engineer
Internet Security Systems, Inc.
Phone - 404-236-2700 / 1-888-447-4861
Email - [EMAIL PROTECTED]
==================================
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 01, 2000 3:26 AM
To: Fitch, Brian (ISSAtlanta); [EMAIL PROTECTED]
Subject: RE: http-attack-signatures on another TCP port
Hi
Would you need to apply this fix every time you modified the policy
using the console? Or is it just a 'hidden' option that is not
configurable by the interactive console?
(But I'm very pleased to see that the option is there at all!)
Robert
| Robert Turner
| Intruder-NET Senior Analyst
| [EMAIL PROTECTED]
Brian Fitch (ISSAtlanta) wrote:
> Sent: 30 November 2000 19:28
> To: 'Marcel Engel'; [EMAIL PROTECTED]
> Subject: RE: http-attack-signatures on another TCP port
>
> Open your policy with a text editor (like WordPad)
>
> Scroll down to the very bottom to this area:
>
> [\template\protocols\];
> http =S 80;
> ftp =S 21;
> smtp =S 25;
> pop =S 109-110;
> imap =S 143 220;
> nntp =S 119;
>
> after 80 add a space and 8080 so it will look like this
>
> http =S 80 8080;
>
> Save the policy (note you can do this with current.policy on
> sensor or with your console based policies) and apply to sensor.
>
> Your sensor should now look for http_* signatures over port
> 8080 as well as 80
>
> Greetings,
>
