We had the same problem a while back with our multihomed 6.5 ServerSensors.
Here are the details:
Possible solution.
Stop the daemon on the sensor
Under \ISS\issSensors\Server_sensor_1\ , edit the issCSF.policy file to
look like the following:
-- Common Sensor Framework 1 --
[\];
[\Config\];
SensorIP <tab> =S <tab> xxx.aaa.bbb.zzz; ----------> This is the IP
address you wish the sensor would send events on.
Use_Old_Event_Format =B 0;
[\Plugin\Sensor\];
Plugin_Name =S ServerSensor
Now save the changes , and restart the issdaemon.
This should now tie you events to the specified IP.
I also have a script that ISS created for me, that can be used to swing
events from one component id over to the one associated with the correct IP
address. Let me know if you would like it.
Leslie A Ragan
Information Security Services
Threat & Vulnerability Management
503-401-4909
877-705-2402 pager
[EMAIL PROTECTED]
"Anderson, Mike"
<[EMAIL PROTECTED] To: 'Talisker' <[EMAIL
PROTECTED]>
nology.net> cc: "'[EMAIL
PROTECTED]'" <[EMAIL PROTECTED]>
Sent by: Subject: RE: [ISSForum]
Distinguishing Between Multiple Interfaces RealSec ure
[EMAIL PROTECTED] Network Sensor 7
03/12/2003 09:47 AM
Are you running multiple instances of RS7 on the box?
To provide reports on your multiple instances, as far as I know you would
need multiple instances of Network Sensor installed on the box..
-----Original Message-----
From: Talisker [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 9:59 AM
To: [EMAIL PROTECTED]
Subject: [ISSForum] Distinguishing Between Multiple Interfaces
RealSecure Network Sensor 7
Hi
I'm playing with RS7 with multiple interfaces and was wondering, whether
there is a way to indicate on the console which interface on a particular
sensor is reporting an event, other than the old fashioned way of knowing
which IP addresses are where or the other option of RTFM ;o). Specifically
I would like to label one interface internal and the other external, if you
get my drift
Thanks for taking the time to read this mail, or more importantly saving me
from reading those infernal pdf's
take care
-andy
Taliskers Network Security Tools
http://www.networkintrusion.co.uk
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo
