FAQ
1. General
1.1 What is Intrusion Detection?
1.2 Why is an Intrusion Detection System (IDS) important?
1.3 What is the difference between a Firewall and an Intrusion Detection System?
1.4 If an IDS device cannot prevent a hack, then why have IDS devices?
1.5 What is a network based IDS system?
1.6 Are there other types of IDS besides network based?
1.7 What is the difference between Host based (HIDS) and Network based IDS (NIDS)?
1.8 Are there any drawbacks of host based IDS systems?
1.9 Why, when and where to use host based IDS systems?
1.10 What are the common types of attacks and signatures?
1.11 What is Sax2?
1.12 What can I do through Sax2?
2. Installation & deployment
2.1 Will installing Sax2 affect network speed?
2.2 Capture nothing.
2.3 Why can I only capture the local traffic?
2.4 Recommended HUB or mirror switch models.
2.5 Will the company leak private information by using Sax2?
2.6 What is the principle behind Sax2?
2.7 Can Sax2 monitor an Active Directory domain network?
2.8 When re-installing, do I need to back up configuration and logs?
3. Usage
3.1 How to determine the name of the worker who uses a computer?
3.2 How can I see a machine's MAC address?
3.3 Can I monitor MSN after it uses plug-in encryption?
3.4 Can Sax2 detect traffic occupation in the network?
3.5 Why doesn't the mail log show email I sent from a web page?
3.6 The email log list captured the e-mail message, but when I double-click the message to see the original information, it fails. Why?
3.7 Can Sax2 identify worm-infected machines in the network?
3.8 When we manage the firewall through its web interface, we need to add port 10,081 to the URL, but then I do not see the information in the HTTP logs. What is the problem?
3.9 If I access a web site by HTTPS, can it analyze the accessed server information?
3.10 When capturing packets, I find some adapters have a number of IP addresses. Why? Is this normal?
3.11 Why can I only capture the packets sent, not the packets received?
4. Purchase
4.1 Can I install a Single User License on both my PC and laptop?
4.2 Do I have to purchase maintenance?
4.3 My maintenance has expired but I am interested in your latest release, how can I get it?
4.4 Is it really secure to order online?
4.5 What currencies do you accept?
4.6 What payment options are available?
4.7 How can I place a purchase order?
4.8 How will I receive my invoice?
4.9 How can I cancel my order after I have paid the amount?
4.10 When will I receive my product?
4.11 Can I have a Backup CD?
4.12 Can I enter different billing and shipping addresses?
4.13 What will happen after I place my order online?
4.14 What is the Subscription Version?
1.1 What is Intrusion Detection?
Intrusion Detection is the active process of documenting and catching attackers and malicious code on a network. It is implemented in two types of software: host based software and network based software.
1.2 Why is an Intrusion Detection System (IDS) important?
Computers connected directly to the Internet are subject to relentless probing and attack. While protective measures such as safe configuration, up-to-date patching, and firewalls are all prudent steps, they are difficult to maintain and cannot guarantee that all vulnerabilities are shielded. An IDS provides defense in depth by detecting and logging hostile activities. An IDS acts as "eyes" that watch for intrusions when other protective measures fail.
1.3 What is the difference between a Firewall and an Intrusion Detection System?
A firewall is a device normally installed at the perimeter of a network to define access rules for particular resources inside the network. On the firewall, anything that is not explicitly allowed is denied. A firewall allows and denies access through its rule base.
An Intrusion Detection System is software or a hardware device installed on the network (NIDS) or on a host (HIDS) to detect and report suspicious activity.
In simple terms, while a firewall is the gate or door of a superstore, an IDS is the security camera. A firewall can block a connection, while an IDS cannot; an IDS can, however, alert on any suspicious activity.
An Intrusion Prevention System is a device that can proactively block connections if it finds them to be suspicious in nature.
1.4 If an IDS device cannot prevent a hack, then why have IDS devices?
Agreed, an IDS device cannot prevent a hack and can only alert on suspicious activity. However, going by past experience, hacks and system compromises are not something that happens overnight. Planned compromise attempts can take several days, weeks, months and in some cases even years. An IDS device can therefore alert you in time to take the desired precautions to protect your resources.
1.5 What is a network based IDS system?
An IDS is a system designed to detect and report unauthorized attempts to access or use computer and/or network resources. A network-based IDS collects, filters, and analyzes traffic that passes through a specific network location.
1.6 Are there other types of IDS besides network based?
The other common type of IDS is host-based. In a host-based IDS each computer (or host) has an IDS client installed that reports either locally or to a central monitoring station. The advantage of a host-based IDS is that the internal operation and configuration of the individual computers can be monitored.
1.7 What is the difference between Host based (HIDS) and Network based IDS (NIDS)?
HIDS is software which reveals whether a machine is being, or has been, compromised. It does this by checking the files on the machine for possible problems. Software described as host based IDS includes file integrity checkers (TripWire), anti-virus software (Norton AV, McAfee) and server logs (Event Viewer or syslog); in some ways even backup software can be a HIDS.
NIDS is software which monitors network packets and examines them against a set of signatures and rules. When a rule is violated the action is logged and the administrator can be alerted. Sax2 is an example of NIDS software.
1.8 Are there any drawbacks of host based IDS systems?
There are three primary drawbacks of a host-based IDS:
(1) It is harder to correlate network traffic patterns that involve multiple computers;
(2) Host-based IDSs can be very difficult to maintain in environments with a lot of computers, with variations in operating systems and configurations, and where computers are maintained by several system administrators with little or no common practices;
(3) Host-based IDSs can be disabled by attackers after the system is compromised.
1.9 Why, when and where to use host based IDS systems?
Host based IDS systems are used to closely monitor any actions taking place on important servers and machines, and to detect anomalies and activities on these critical servers. You use a host based IDS when you cannot risk the compromise of a server; the server has to be very important and mission critical to justify it. Host based IDS systems are agents that run on the critical servers: the agent is installed on the server that is being monitored.
1.10 What are the common types of attacks and signatures?
There are three types of attacks:
Reconnaissance: these include ping sweeps, DNS zone transfers, e-mail recons, TCP or UDP port scans, and possibly indexing of public web servers to find CGI holes.
Exploits: intruders take advantage of hidden features or bugs to gain access to the system.
Denial-of-service (DoS) attacks: the intruder attempts to crash a service (or the machine), overload network links, overload the CPU, or fill up the disk. The intruder is not trying to gain information, but simply to act as a vandal and prevent you from making use of your machine.
Signatures are written based on these types of attacks.
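As an added illustration (not Sax2's own signature code), the following Python applies two signatures of the kinds just described to constructed flow records: a reconnaissance signature for a TCP port scan and a DoS signature for a SYN flood. The record format, thresholds and sample addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed packet or flow start (constructed record format)."""
    ts: float     # seconds since capture start
    src: str
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"
    flags: str    # TCP flags seen, "S" = SYN only


# Constructed sample traffic: a TCP port scan from 10.0.0.5, a SYN flood
# from 10.0.0.9, and two ordinary connections from 10.0.0.7.
SAMPLE_FLOWS = (
    [Flow(1.0 + i * 0.01, "10.0.0.5", "10.0.0.20", 1 + i, "tcp", "S") for i in range(40)]
    + [Flow(2.0 + i * 0.001, "10.0.0.9", "10.0.0.20", 80, "tcp", "S") for i in range(500)]
    + [Flow(3.0, "10.0.0.7", "10.0.0.20", 80, "tcp", "S"),
       Flow(3.5, "10.0.0.7", "10.0.0.20", 443, "tcp", "S")]
)


def detect_port_scan(flows, window=5.0, min_ports=20):
    """Reconnaissance signature: one source touches at least `min_ports`
    distinct destination ports on one host within `window` seconds.
    Returns the (src, dst) pairs that match."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst)].append((f.ts, f.dport))
    alerts = []
    for pair, events in by_pair.items():
        events.sort()
        in_window = defaultdict(int)   # dport -> hits inside the sliding window
        j = 0
        for ts, port in events:
            in_window[port] += 1
            while events[j][0] < ts - window:   # expire events older than the window
                old_port = events[j][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                j += 1
            if len(in_window) >= min_ports:
                alerts.append(pair)
                break
    return alerts


def detect_syn_flood(flows, window=1.0, min_syns=200):
    """DoS signature: at least `min_syns` TCP SYNs reach one destination
    within `window` seconds, whoever sends them. Returns the destinations."""
    by_dst = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            by_dst[f.dst].append(f.ts)
    alerts = []
    for dst, times in by_dst.items():
        times.sort()
        j = 0
        for i, ts in enumerate(times):
            while times[j] < ts - window:
                j += 1
            if i - j + 1 >= min_syns:
                alerts.append(dst)
                break
    return alerts


if __name__ == "__main__":
    print("port scans:", detect_port_scan(SAMPLE_FLOWS))
    print("SYN floods:", detect_syn_flood(SAMPLE_FLOWS))
```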
1.11 What is Sax2?
Sax2 is a professional network intrusion detection and prevention system (NIDS) which excels at real-time packet capture, 24/7 network monitoring, advanced protocol analysis and automatic expert detection. With Sax2 you can detect network attacks and interfere with their execution once discovered, thereby protecting networks against attacks.
1.12 What can I do through Sax2?
If you are a:
Network Manager: detect network attacks, find infected machines, count network traffic, find potential security flaws in the network ...
Executive: view the company's internal web access, test whether e-mail is safe, detect illicit servers ...
Security Manager: see the specific content of network transmissions, analyze network anomalies, find potential security risks in the network ...
Security Adviser: analyze the network, help customers resolve security vulnerabilities, optimize network performance ...
2.1 Will installing Sax2 affect network speed?
Sax2 works in bypass monitoring mode: it only analyzes a copy of the packets, so it will not affect existing communications or network speed. Should you monitor through a hub (HUB) or a switch? We recommend using a HUB (please note the hub's connection) when the export bandwidth is less than 4 M; otherwise you need to use a mirror switch.
2.2 Capture nothing.
Perhaps the right adapter has not been chosen. Click the "Detection \ Adapter" menu to open the adapter settings window. All supported adapters are listed on the Adapter page; if there are two or more adapters, check whether the selected adapter is the one you are using.
If no adapter is found, or its information is not correct, there is an installation problem. Please re-install. If the adapter still cannot be found after re-installation, the adapter is probably not supported.
2.3 Why can I only capture the local traffic?
This means your computer is connected to a switch. In order to capture other computers' traffic, you need to add a HUB or a switch which supports a mirror port. If the network connects to the Internet through a server, Sax2 can also be installed directly on that server. Please refer to "Installation & deployment" for details.
2.4 Recommended HUB or mirror switch models.
Recommended HUB (hub) model: TP-Link TL-HP5MU (five port 10 M Ethernet hub).
Recommended mirror switch model: TP-Link TL-SF2005 (five port mirror switch).
2.5 Will the company leak private information by using Sax2?
Sax2 only runs within your company's LAN and does not exchange any data with the Internet except to check for an updated version. Information is archived locally and will not cause any information leakage.
2.6 What is the principle behind Sax2?
1) Protocol analysis principle
Through a mirror port or a HUB's broadcast communications, Sax2 can receive the communication data packets of the other monitored hosts. The software then reassembles the data packets and extracts the data from them.
2) Blocking principle
TCP communication is connection-oriented, so a TCP connection can be disconnected by sending some disguised packets. This is the blocking principle of Sax2.
2.7 Can Sax2 monitor an Active Directory domain network?
Sax2 can monitor computers in a domain, but does not support monitoring by domain account; it can only monitor based on MAC address and IP address.
2.8 When re-installing, do I need to back up configuration and logs?
When uninstalling, the profile is deleted but the log files are not, so before you re-install you had better back up the previous configuration (the "data" directory under the installation directory).
3.1 How to determine the name of the worker who uses a computer?
1) By default Sax2 monitors by MAC address (the LAN address, which the user cannot change). In a single-segment network environment, MAC address and computer are in a one-to-one relationship, so the corresponding staff member can be judged from the MAC address.
2) In a multi-segment network environment, MAC address and computer are not in a one-to-one relationship, and monitoring has to be done by IP address. Since the user can then only be judged from the IP address, we recommend using IP and MAC binding in multi-segment network environments, to prevent employees from evading monitoring by changing their IP.
3.2 How can I see a machine's MAC address?
The MAC address is the adapter address. Click "Start" -> "Run", input "cmd", press Enter, and then input "ipconfig /all" in the cmd window. This shows all the configuration information of the adapter; the "Physical Address" is the MAC address.
3.3 Can I monitor MSN after it uses plug-in encryption?
Yes, you can. But you will see that the content is encrypted (it will appear as garbled text).
3.4 Can Sax2 detect traffic occupation in the network?
Sax2 can count traffic for the entire network or for a single network node, including the total traffic, traffic per second and the average traffic, in detail.
3.5 Why doesn't the mail log show email I sent from a web page?
Sax2's mail analysis functions support the SMTP and POP3 protocols, while sending e-mail from a web page uses the HTTP protocol and submits the message as a form, so it will not automatically be displayed in the email log.
3.6 The email log list captured the e-mail message, but when I double-click the message to see the original information, it fails. Why?
Sax2 does not keep copies of e-mail messages by default. In this case, you will not see the original information directly. To enable this feature, please refer to the help document.
3.7 Can Sax2 identify worm-infected machines in the network?
Yes, it can. There are two kinds of worm: one is e-mail based, the other is operating system based. The main characteristics of the first kind are sending messages at high frequency, similar content in the message headers, and the same e-mail attachments. The main characteristics of the second kind are attempting to connect to all hosts on the LAN, connecting to the same port on each of them, short gaps between connection attempts, and high traffic occupation.
Sax2's email log can capture, analyze and reassemble mail sent and received in the network. From the e-mail log information and the characteristics of e-mail worms, the user can identify worm-infected machines in the network. Through the packet view and conversation view, you can easily identify machines infected by vulnerability-exploiting worms.
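An added example, not Sax2's own logic: the following Python applies the three e-mail worm traits described above (high send frequency, similar headers, the same attachment) to a constructed mail log. The record format, thresholds and sample hosts are assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MailRecord:
    """One line of a (constructed) outbound mail log."""
    ts: float                      # seconds since capture start
    src_ip: str                    # host that submitted the message
    subject: str
    attachment_sha: Optional[str]  # hash of the attachment, None if there is none


# Constructed sample: 10.0.0.12 mass-mails one attachment with near-identical
# subjects; 10.0.0.30 is a person sending a few unrelated messages.
SAMPLE_MAIL_LOG = (
    [MailRecord(10 + i, "10.0.0.12", f"Re: your document {i:04d}", "sha-aa11")
     for i in range(30)]
    + [MailRecord(100, "10.0.0.30", "Lunch tomorrow?", None),
       MailRecord(400, "10.0.0.30", "Q3 report", "sha-bb22"),
       MailRecord(900, "10.0.0.30", "Re: Q3 report", "sha-bb22")]
)


def normalize_subject(subject):
    """Strip reply/forward prefixes and digits so that subjects a worm
    varies only by a counter or random number compare as equal."""
    s = re.sub(r"^(re|fw|fwd):\s*", "", subject.lower().strip())
    return re.sub(r"\d+", "", s).strip()


def find_email_worm_hosts(records, window=600.0, min_msgs=20,
                          min_subject_ratio=0.8, min_attach_ratio=0.8):
    """Apply the three e-mail worm traits to each sending host: high send
    rate (>= min_msgs within `window` seconds), mostly the same normalized
    subject, and mostly the same attachment. Returns {src_ip: evidence}."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r.src_ip].append(r)
    flagged = {}
    for ip, recs in by_host.items():
        recs.sort(key=lambda r: r.ts)
        peak, j = 0, 0
        for i, r in enumerate(recs):          # sliding-window send rate
            while recs[j].ts < r.ts - window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak < min_msgs:
            continue                          # a fast sender is the precondition
        subjects = Counter(normalize_subject(r.subject) for r in recs)
        subject_ratio = subjects.most_common(1)[0][1] / len(recs)
        attachments = Counter(r.attachment_sha for r in recs if r.attachment_sha)
        attach_ratio = attachments.most_common(1)[0][1] / len(recs) if attachments else 0.0
        reasons = []
        if subject_ratio >= min_subject_ratio:
            reasons.append("similar subjects")
        if attach_ratio >= min_attach_ratio:
            reasons.append("same attachment")
        if reasons:
            flagged[ip] = {"peak_msgs": peak, "reasons": reasons}
    return flagged


if __name__ == "__main__":
    for ip, evidence in find_email_worm_hosts(SAMPLE_MAIL_LOG).items():
        print(ip, evidence)
```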
3.8 When we manage the firewall through its web interface, we need to add port 10,081 to the URL, but then I do not see the information in the HTTP logs. What is the problem?
By default, Sax2 analyzes HTTP access based on port 80. To analyze web access on another port (such as 10,081), please refer to the help document.
3.9 If I access a web site by HTTPS, can it analyze the accessed server information?
No, it cannot. HTTPS is encrypted transmission. Sax2, and indeed all protocol analysis software, can only capture the HTTPS packets; it cannot analyze or restrict the specific access information inside them.
3.10 When capturing packets, I find some adapters have a number of IP addresses. Why? Is this normal?
Generally, an adapter may have a number of IP addresses for the following reasons:
1) Normal configuration: under normal circumstances, an adapter can be assigned a number of IPs.
2) Gateway: when data is communicated, each layer-three device changes the source address of the packet into its own and sends it on to the next device, so a gateway matching a number of IPs is normal.
3) ARP attacks: during an ARP attack there is generally an intermediary host, which matches a number of IPs because it needs to deceive both the client and the gateway.
Therefore, when an adapter matches a number of IP addresses, we need to analyze which case applies. If it belongs to case 1 or 2, it is normal; but if it is the third case, the network is under attack, the host corresponding to the current adapter is the attack source, and a thorough investigation should be conducted immediately.
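As an added example (not part of Sax2) that serves both the IP/MAC binding recommendation in 3.1 and the three cases above, the following Python checks observed MAC/IP pairings against an assumed binding table: a MAC answering for another host's bound IP is treated as the ARP attack case, the gateway holding many IPs as normal, and a known MAC on an unbound IP as an address change to follow up. Record format, addresses and bindings are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpObservation:
    """One MAC/IP pairing seen on the wire (constructed record format)."""
    ts: float
    mac: str
    ip: str


# Assumed administrator-maintained IP/MAC bindings (the "IP and MAC binding"
# of question 3.1). Binding several IPs to one MAC covers case 1 of 3.10.
BINDINGS = {
    "10.0.0.1": "00:00:5e:00:53:01",   # gateway
    "10.0.0.12": "00:00:5e:00:53:12",
    "10.0.0.30": "00:00:5e:00:53:30",
}
GATEWAY_IP = "10.0.0.1"

# Constructed observations covering the three cases of 3.10 plus an IP change.
SAMPLE_ARP = [
    ArpObservation(1, "00:00:5e:00:53:01", "10.0.0.1"),
    ArpObservation(2, "00:00:5e:00:53:12", "10.0.0.12"),
    ArpObservation(3, "00:00:5e:00:53:30", "10.0.0.30"),
    ArpObservation(4, "00:00:5e:00:53:01", "10.0.0.2"),    # case 2: gateway fronts many IPs
    ArpObservation(5, "00:00:5e:00:53:30", "10.0.0.99"),   # host changed its IP (3.1)
    ArpObservation(6, "00:00:5e:00:53:12", "10.0.0.1"),    # case 3: host 12 claims gateway IP
    ArpObservation(7, "00:00:5e:00:53:12", "10.0.0.30"),   # case 3: ... and a client's IP
]


def analyze_mappings(observations, bindings, gateway_ip):
    """Classify MACs that appear with IPs beyond their bindings.
    Returns sorted (kind, mac, ip) findings:
      "spoofed_ip" - a bound IP answered by a MAC other than its binding (ARP attack)
      "unbound_ip" - a known MAC using an IP nobody is bound to (evading IP monitoring)"""
    ip_to_macs, mac_to_ips = defaultdict(set), defaultdict(set)
    for o in observations:
        ip_to_macs[o.ip].add(o.mac)
        mac_to_ips[o.mac].add(o.ip)
    gateway_mac = bindings[gateway_ip]
    findings = []
    for ip, macs in ip_to_macs.items():
        bound = bindings.get(ip)
        for mac in macs:
            if bound is not None and mac != bound:
                findings.append(("spoofed_ip", mac, ip))
    for mac, ips in mac_to_ips.items():
        if mac == gateway_mac:
            continue   # case 2: the gateway legitimately answers for many addresses
        bound_ips = {ip for ip, m in bindings.items() if m == mac}
        for ip in ips - bound_ips:
            if ip not in bindings:
                findings.append(("unbound_ip", mac, ip))
    return sorted(findings)


def attack_sources(findings):
    """MACs that impersonate another host's IP: the hosts to investigate first."""
    return sorted({mac for kind, mac, _ in findings if kind == "spoofed_ip"})


if __name__ == "__main__":
    found = analyze_mappings(SAMPLE_ARP, BINDINGS, GATEWAY_IP)
    print(found)
    print("attack sources:", attack_sources(found))
```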
3.11 Why can I only capture the packets sent, not the packets received?
This is due to a wrong HUB connection or an incorrectly configured switch mirror port. If you are using a HUB with an uplink port, the port paired with the uplink port must not be connected to any network cable. If it still does not work, try another port. If you are using a switch, please make sure that both sent and received data are mirrored.
4.1 Can I install a Single User License on both my PC and laptop?
No, a Single User License is for use on one computer only. If you would like to install the Software on two computers, you should order two Single User Licenses.
4.2 Do I have to purchase maintenance?
No, maintenance is optional. However, we recommend that users take maintenance. With maintenance, you get free upgrades to the latest releases.
4.3 My maintenance has expired but I am interested in your latest release, how can I get it?
You can purchase renewal maintenance for your product, which is priced much cheaper than the regular product and includes 1 year of free upgrades.
4.4 Is it really secure to order online?
Yes. Our order process is protected via a secure connection so that the data sent to the recipient can only be read by the recipient. Important information such as credit card numbers, addresses, etc. is sent to the recipient securely via the Internet. All of the data entered on the protected pages is encrypted using the SSL (Secure Socket Layer) protocol. Our servers support SSL Version 3 and 168-bit Triple DES encryption. The RSA module and SSL sessions feature 1024-bit encryption.
4.5 What currencies do you accept?
You can buy our products in the following currencies: US Dollars, Euro, Pound Sterling, Australian Dollars, Japanese Yen, Canadian Dollars, or Swiss Francs.
There are also display currencies, which allow you to see product prices converted into additional currencies during the online order process for reference purposes.
4.6 What payment options are available?
Payment by credit or debit card provides the fastest order processing. We accept Visa, MasterCard, American Express, JCB and Diners Club, as well as the UK debit cards Solo and Switch/Maestro.
We also accept payment by wire transfer, check, PayPal or cash.
4.7 How can I place a purchase order?
Business customers can generally place a purchase order (PO) through our payment processor. Private customers are not eligible for this type of order. All POs must include the following information so that your order can be processed without delay:
- The product name and, if known, the 6-digit product ID number
- The number of units you wish to order
- The name to which the product should be licensed
- Your company's billing address and, if applicable, a different delivery address
- Contact name, phone number and fax number
- The e-mail address for the order confirmation and invoice and, if different, the e-mail address for delivery
- The currency you would like to order in (if applicable)
4.8 How will I receive my invoice?
When ordering online, you have the option of printing your own invoice. Click on "Print Invoice Version" in the lower left corner of the last page displayed.
You will also receive an e-mailed invoice together with your order confirmation.
If you need a printed invoice, go to your order overview in "My Account" to print it out.
4.9 How can I cancel my order after I have paid the amount?
If you placed your order within the last 30 days, you can cancel it and request a refund. Please contact us directly via email, including a brief explanation of why you wish to cancel your order. Refunds must be approved. Approved refunds will generally be issued within 2 business days and confirmed by email. In the event that the refund is not authorized, you will be notified by email.
4.10 When will I receive my product?
Our products are delivered electronically via email. After we receive your payment, the license information and download URL for your product will be sent to you immediately. If you do not receive your product within a reasonable time (usually one business day for credit card payment or two weeks for other payments), please notify us.
4.11 Can I have a Backup CD?
Yes. When placing your order, you can choose to purchase a Backup CD for your product for a small additional amount (e.g. $18.00/CD). Backup CDs are generally produced and mailed to you within one business day following receipt of payment. Saturdays and Sundays are not business days.
4.12 Can I enter different billing and shipping addresses?
Yes, you can enter two different addresses when ordering online, as well as when ordering through our customer service.
All correspondence relating to the order and payment will be sent by e-mail to the billing address. The product will be delivered (usually by e-mail) to the address given as the delivery address.
4.13 What will happen after I place my order online?
You will receive a confirmation for your transaction immediately after you place your order online. You will also receive a confirmation by e-mail that will contain all of your order data, including your invoice or receipt.
If you chose to pay by credit/debit card or transferred the funds online during the order process, your order will be processed immediately. If your product is to be delivered to you electronically, this will be done immediately if we deliver the product, or within 48 hours if the software publisher ships the product directly to you. If your product is a physical product, shipment by mail or parcel service will be initiated immediately.
If you chose a different payment option, you will receive detailed information with your order confirmation that explains how to make payment. Orders are processed once payment has been received.
If you do not receive an order confirmation after you have submitted your order, please contact customer service.
4.14 What is the Subscription Version?
The Subscription Version offers priority technical support via chat, e-mail or fax, free product updates (including new editions), free policy knowledge base updates, free documentation updates and access to pre-release products, during the term of the subscription.