RE: Updating Enterasys Dragon NIDS signature...

From: Hazel, Scott A. (Scott.Hazel_at_unisys.com)
Date: 08/09/05

    Date: Tue, 9 Aug 2005 05:57:45 -0400
    To: "Jean-Pierre Denis" <jp@webglobe.ca>, <focus-ids@securityfocus.com>
    
    

    Hello Jean-Pierre.

    I know you can manually download the entire Dragon IDS signature set in
    .tgz format from the Enterasys support site. Do you have a requirement
    to perform this update automatically from the DPM? If they don't have
    Internet access then it seems you'll have to sneaker-net the updated
    signature set in each time. Do you have an account on their support site
    and if so, do you know where to look for the manual signature download?
    If not, GTAC can point you to this information (provided you're talking
    with someone in the Dragon group).

    Also, if your DPM and Forensics Console are on different server
    machines, then you'll have to put the updated signatures and the
    dragon.conf (I think that's the right file) on both machines. Otherwise
    when the new signatures are pushed to the sensors and start firing, they
    show up in the Unknown group.

    Hope this helps.

    Scott Hazel
    Unisys Managed Security Services
    Scott.hazel@unisys.com

    -----Original Message-----
    From: Jean-Pierre Denis [mailto:jp@webglobe.ca]
    Sent: Saturday, August 06, 2005 8:13 PM
    To: focus-ids@securityfocus.com
    Subject: Updating Enterasys Dragon NIDS signature...

    Hi everyone,

      I have a bunch of Dragon NIDS to update but they don't have an Internet
      connection to do so. Since it's a closed network, the update screws up
      every time because Enterasys designed it to access their site.

      Does someone have this type of experience with the Dragon appliance?

      Enterasys is not very helpful and I don't know where to start.

    Thanks,
    Jean-Pierre Denis
     (LPIC1 - LPIC2)
    WebGlobe Solutions TI
    email: jp@webglobe.ca
    tel.: (819) 246-0WWW (0999)
    www: http://www.webglobe.ca


    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------
