TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems! ----------------------------------------------------------------------------
This is the answer. The ISS KB says this:

When monitoring a sensor through a firewall utilizing NAT, the Console is unable to connect to the event channel for the sensor. This results from the sensor passing the wrong Event Collector IP address to the Console. You will receive an error stating that the connection attempt has timed out.

This information applies to:
  RealSecure Network Sensor 6.0 ONLY
  RealSecure Server Sensor 6.0 ONLY
  Windows NT 4.0/2000 ONLY

Fix Version: RealSecure 6.5

Related Articles: How do I configure my RealSecure 6.5 Event Collector if I am using NAT? (Answer ID# 743)

WARNING!: This solution requires advanced knowledge of both RealSecure and Windows NT. Care should be taken when performing the steps below to avoid possible damage to your system. If you are unsure about any of the steps, please contact your system administrator before making these changes.

To implement this workaround on Windows NT/2000, follow the instructions below.

1. Open the attached fwnat.txt file in Notepad. You will see the following at the beginning of the file:

    'Please Read
    'Set IP = to the IP of your EventCollector
    'Set filespec to the path of your common.policy
    'To stop script open Task Manager and End Process wscript.exe
    Option Explicit
    On Error Resume Next
    'Settings
    '#################################################################
    Dim IP
    DIM filespec
    IP="10.10.60.111"
    filespec="C:\Program Files\ISS\issSensors\network_sensor_1\common.policy"
    '#################################################################

2. Edit the Settings section of the file to reflect the appropriate information for your installation. IP should be set to the "real" IP address of your Event Collector, and filespec should be set to the path to your sensor's common.policy.

3. Save the file, then rename it as fwnat.vbs

4. You can launch the script by double-clicking it in Windows Explorer; however, to ensure that it is always running, you will need to implement some way to launch it at system startup. You can do this by creating an AT job (NT 4.0) or a Scheduled Task (2000), or by running it as a service. Microsoft provides a utility to register applications as services in the Windows NT 4.0 and 2000 Resource Kits, available from the link below:

-----Original Message-----
From: Mokkapati Rao Venkat [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 16, 2002 10:40 PM
To: 'Jaeger'; 'Alex Holstead '; ''[EMAIL PROTECTED]' '
Subject: RE: Network sensor

Hi,

I don't think it's the problem with NAT, because I have used the same setup for 1 year before upgrading it to RealSecure 6.5.

Regards
Venkat

-----Original Message-----
From: Jaeger [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 16, 2002 2:19 PM
To: 'Alex Holstead '; ''[EMAIL PROTECTED]' '
Subject: AW: Network sensor

Hi Alex,

if you have NAT in place on your firewall, this must fail. Please upgrade to wgm and netsensor 6.5, which fixes this problem.

BR
Karl

-----Original Message-----
From: Alex Holstead
To: '[EMAIL PROTECTED]'
Sent: 13.09.02 12:32
Subject: Network sensor

This shouldn't be rocket science. I am trying to set up a RealSecure 6.00 IDS, and have the event collector and console running from a single system, trying to connect to a single network sensor outside the local firewall.
The setup went very smoothly, keys are copied and there is traffic between the two systems, but the error "Error trying to connect to network sensor, connection refused. No connection could be made because the target machine actively refused it." keeps appearing.

Any assistance would be most welcome.
----------------------------------------------------------------------------
From: [EMAIL PROTECTED]
Date: Tue, 17 Sep 2002 15:49:25 -0300
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Changing network card that sensor is monitoring.

How can I change the network card that the sensor is monitoring? I have a network sensor 6.5 running on Windows NT 4.0 with two network cards; when I installed the network sensor it didn't ask me which interface card I wanted to monitor.

Regards
Marcelo Martinho Vitorio
