10-21-2005 08:22 AM - edited 03-10-2019 01:42 AM
How do I see if the TCP reset is working?
I have IDM, IEV, IDS MC, and for some reason I cannot locate the information.
Thanks in advance
10-23-2005 10:06 PM
Hi,
Besides logging directly to IDM or using IDS MC, you may use IEV to view the TCP reset action taken by the IDS.
1. Launch your IEV
2. Under 'View', double-click the "Sig Name Group".
2. Right-click the log associated with the signature you've selected, for example "TCP Segment Overwrite" (SID 1300).
I assumed you have already set the "EventAction" under your selected signature (TCP-based) to include 'reset'.
3. Back to IEV, right-click the signature log and choose 'Expand Whole Details'. A window will pop up with details on the attack log.
4. Right-click this event, and choose 'View Alarms'.
5. Scroll to the right, and look under 'TCP Reset Sent'. If the stated value is 'true', the IDS has performed the TCP reset for the attack event.
Cheers!
AK
10-26-2005 05:05 AM
Thanks for the information, very helpful.