Problems in 5.x – need help

DSmirnov · ‎04-09-2005

Please help if you know the solution… may be I updated to 5.x too early.

Had few cases then sensor starts to generate thousands of alerts for a single signature all of the sudden. False-positive alerts for sure. The only solution is to disable the signature.

Still can’t use IP Logging – Ethereal reports that dump files are damaged after the download from sensor.

5.x will accepts non-standard netmasks in “Never-Block ranges” (during upgrade) but will ignore them and apply standard masks only. Means you can block your own ranges.

“Aggregation” works in the interesting way – for example you have an attack against IP range. After 50 addresses scanned the IDS will produce an alert with target filled as IP #50. How can I find if 49 first addresses were attacked as well?

The biggest and most annoying problem – sensor blocks IP addresses w/o corresponding alerts. How can I find out why?

scothrel · ‎04-15-2005

There is a known issue that occurs after an HTTP signature is tuned...it starts to false positive wildly. Updating the 5.0(2) service pack will fix that problem. I don't feel qualified to comment on your other issues other than to say that sending an alert is now a configurable action...that is, you can configure drop/block or other actions without having to have the "Produce Alert". This is a side-effect of the META engine, which allows you to make an alert of alerts (a custom signature whose components are other signature events). This was done to allow you to create a META signature that produces an alert without having to see the components signature events that triggered it. You should check your signature configuration for signatures that have been tuned to have the Produce Alert or Produce Verbose Alert action removed.

Problems in 5.x  need help

Problems in 5.x need help