I have a 4210 sensor behind the PIX firewall. I have had just a few alarms so far and of course they come from inside the network. An example was a 5232 when an internal private address was accessing a website. I understand what would be happening if this was from the outside to the inside, but when it is someone on the inside simply accessing a website, what is actually happening? I also checked the NSDB and it said there were no benign triggers. Please forgive my naivety, but I am just learning security and IDS, so bear with me.
Do you know of any good white papers, check lists, or documented processes to familiarize yourself with that would ultimately help you investigate suspicious activity? It would certainly help a newbie.
I haven't been able to find anything but have been looking. I only got CSPM and the sensor about two weeks ago. I used the Cisco Press book to install it, but it of course doesn't tell me what to do with it now that I have it installed and working.
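One first step in investigating alarms like the one above is to sort them by direction (inside to outside, outside to inside, or inside to inside) and by which inside host keeps triggering them. The script below is an added example and is not code from this thread or from Cisco; it assumes a simplified alarm record layout of (signature id, source address, source port, destination address, destination port) and uses the RFC 1918 private ranges to decide what counts as "inside". The sample records are constructed for illustration. An "outbound" 5232 means the sensor matched the signature on traffic an inside host sent toward an outside web server, so the inside host's session is where the investigation starts.

```python
import ipaddress
from collections import Counter

# Constructed sample alarm records (not real sensor output):
# (signature id, src address, src port, dst address, dst port)
SAMPLE_ALARMS = [
    (5232, "192.168.10.25", 34121, "203.0.113.10", 80),
    (5232, "192.168.10.25", 34122, "203.0.113.10", 80),
    (5232, "198.51.100.7", 51000, "192.168.10.5", 80),
    (1234, "192.168.10.40", 40000, "192.168.10.5", 445),
]

# RFC 1918 private address space; adjust if the inside network uses public space.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if the address falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def direction(src, dst):
    """Classify an alarm as internal, outbound, inbound or external."""
    s, d = is_internal(src), is_internal(dst)
    if s and d:
        return "internal"
    if s:
        return "outbound"
    if d:
        return "inbound"
    return "external"


def triage(alarms):
    """Return {signature id: Counter of directions} for a list of alarms."""
    by_sig = {}
    for sig, src, _sport, dst, _dport in alarms:
        by_sig.setdefault(sig, Counter())[direction(src, dst)] += 1
    return by_sig


def outbound_sources(alarms, sig_id):
    """Count which inside hosts triggered a given signature toward the outside."""
    return Counter(src for sig, src, _sp, dst, _dp in alarms
                   if sig == sig_id and direction(src, dst) == "outbound")


if __name__ == "__main__":
    for sig, counts in sorted(triage(SAMPLE_ALARMS).items()):
        print(sig, dict(counts))
    print("outbound 5232 sources:", dict(outbound_sources(SAMPLE_ALARMS, 5232)))
```

Once the noisy inside hosts are known, the next step is to look at what those hosts actually sent (the HTTP request the sensor captured, if the sensor logs it) and compare it against the signature description in the NSDB before deciding whether to tune the signature or look closer at the host.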