Frequently Asked Questions


General Question

What is Intrusion Detection?

Intrusion Detection is the active process to document and catch attackers and malicious code on a network. It is described in two types of software: Host based software and Network based software.

Why is an Intrusion Detection System (IDS) important?

Computers connected directly to the Internet are subject to relentless probing and attack.
While protective measures such as safe configuration, up-to-date patching, and firewalls are all prudent steps they are difficult to maintain and cannot guarantee that all vulnerabilities are shielded. An IDS provides defense in depth by detecting and logging hostile activities. An IDS system acts as “eyes” that watch for intrusions when other protective measures fail.

What is the difference between a Firewall and a Intrusion Detection System?

A firewall is a device installed normally at the perimeter of a network to define access rules for access to particular resources inside the network. On the firewall anything that is not explicitly allowed is denied. A firewall allows and denies access through the rule base.
An Intrusion Detection System is a software or hardware device installed on the network (NIDS) or host (HIDS) to detect and report suspicious activity.
In simple terms you can say that while a firewall is a gate or door in a superstore, a IDS device is a security camera. A firewall can block connection, while a IDS cannot block connection. An IDS device can however alert any suspicious activities.
An Intrusion Prevention System is a device that can start blocking connections proactively if it finds the connections to be of suspicious in nature.

If an IDS device cannot prevent a hack, then why have IDS devices?

Agreed that an IDS device cannot prevent a hack and can only alert any suspicious activities. However, if we are to go by past experiences, hacks and system compromises are not something that happens over night. Planned compromise attempts can take several days, weeks, months and in some cases even years. So a IDS device can alert you so that you can take the desired precaution in protecting the resources.

What is a network based IDS system?

An IDS is a system designed to detect and report unauthorized attempts to access or utilize computer and/or network resources. A network-based IDS collects, filters, and analyzes traffic that passes through a specific network location.

Are there other types of IDS besides network based?

The other common type of IDS is host-based. In host-based IDS each computer (or host) has an IDS client installed that reports either locally or to a central monitoring station. The advantage of a host-based IDS is that the internal operation and configuration of the individual computers can be monitored.

What is the difference between Host based (HIDS) and Network based IDS (NIDS)?

HIDS is software which reveals if a machine is being or has been compromised. It does this by checking the files on the machine for possible problems. Software described as host based IDS could include File Integrity checkers (TripWire), Anti-virus software (Norton AV, MacAfee), Server Logs (Event viewer or syslog), and in some ways even backup software can be a HIDS.

NIDS is software which monitors network packets and examines them against a set of signatures and rules. When the rules are violated the action is logged and the Admin could be alerted. Examples of NIDS software are Sax2.

Are there are any draw backs of host based IDS systems?

There are three primary drawbacks of a host-based ID:

(1) It is harder to correlate network traffic patterns that involve multiple computers;
(2) Host-based IDSs can be very difficult to maintain in environments with a lot of computers, with variations in operating systems and configurations, and where computers are maintained by several system administrators with little or no common practices;
(3) Host-based IDSs can be disabled by attackers after the system is compromised.

Why, when and where to use host based IDS systems?

Host based IDS systems are used to closely monitor any actions taking place on important servers and machines. Host based IDS systems are used to detect any anomalies and activities on these important and critical servers. You use Host based IDS systems when you cannot risk the compromise of any server. The server has to be very important and mission critical to use Host based IDS systems on these servers. Host based IDS systems are agents that run on the critical servers. The agent is installed on the server that is being monitored.

What are the common types of attacks and signatures?

There are three types of attacks:
Reconnaissance These include ping sweeps, DNS zone transfers, e-mail recons, TCP or UDP port scans, and possibly indexing of public web servers to find cgi holes.
Exploits Intruders will take advantage of hidden features or bugs to gain access to the system.
Denial-of-service (DoS) attacks Where the intruder attempts to crash a service (or the machine), overload network links, overloaded the CPU, or fill up the disk. The intruder is not trying to gain information, but to simply act as a vandal to prevent you from making use of your machine.
The signatures are written based on these types of attacks.

What is Sax2?  

Sax2 is is a professional network intrusion detection and prevention system (NIDS) which excels at real-time packet capture, 24/7 network monitor, advanced protocol analysis and automatic expert detection. you can detect network attacks, and interfere with its implementation once discovered, thereby protecting networks against attacks.

What can I do through Sax2? 

If you are:

【Network  Manager】 – – Detecting network attacks, find infected machines, count network traffic, find potential security flaws in network …

【Executives】- – – — — — View the company’s internal Web access, test whether e-mail is safety , detect illicit server log …

【Security Manager】- — — Perspective on the specific content of network transmission, analyze network anomalies, to find potential security risks in network…

【Security adviser】- – – — -Analyze network, help customers to resolve address security vulnerabilities, optimize network performance …

Installation & deployment

I installed Sax2 will affect net speed?

Sax2 is the bypass monitoring mode; only analyze the copy of the packets, so it will not affect the existing communications and network speed. Is the choice of hub (HUB) or switch to monitor? we recommend using HUB (Please note the Hub’s connection), otherwise needing to use the mirror switch, when the export bandwidth of less is than 4 M.

Capture Nothing.

Maybe not choose the right adapter. Click “Detection \ Adapter” menu to pop-up adapter settings window, All supported adapters are listed in the Adapter page, if there are two or more adapters , check whether the selected adapter is the adapter you are using. If did not find any adapter or information is not correct, that means you have the installation problems. Please re-install. If after the re-installation, we also can not find the adapter , then it is possible that the adapter does not support.

Why I can only capture  the local traffic?

This means your computer is connected with the switch. In order to capture other computer’s traffic, we need to increase a HUB  or a switch which support mirror port. If the connect Internet through the server, it also can be installed directly on the server. Please refer to specific “ Installation & deployment

HUB or mirror switches on the recommendation models.

Recommended HUB (hub) models: TL-HP5MU of the Tplink, ( five port 10 M Ethernet hub).

Recommended mirror switch models: TL-SF2005 of the Tplink, ( five port mirror switches).

Whether the company will leak privacy by using Sax2?

Sax2 only run in your company’s operating within the LAN, do not have any data exchange with Interne except checking for updated version. Information is in the local archive, will not cause the leakage of information.

What is principle to realize Sax2?

1). Protocol Analysis of Principles

Through the mirror port or switch HUB radio communications, can receive the communication data packets from other control host. And then revert data package by software, extracted the data from it.

 2). Blocking Principles

TCP communication is the connection-oriented, so can disconnect the TCP connection d by sending some disguise packets. This is the blocking principle of Sax2.

Can Sax2 monitor Active Directory domain network?

Sax2 can monitor the computer in domain , but can not support monitoring by domain account, only can monitor based on the MAC address and IP address.

When re-install, whether need to backup configuration and log?

When uninstall, we will delete the profile, but does not delete the log file, so before you re-install, you better back up the previous configuration (installation directory’s the “data” directory is that).


I installeCan I install a Single User License on both my PC and laptop?

 No, a Single User License is just for used on one computer. If you would like to install the Software on two computers, you should order two Single User license.

Do I have to purchase a maintenance?

No, maintenance is optional. However, we recommend user to take maintenance. With maintenance, you can be able to get the free upgrades for latest releases.

My maintenance has expired but I am interested in your latest release, how can I get it?

 You can purchase the renewal maintenance for your product, which is priced much cheaper than regular products and contains 1 year’s free upgrades. 

What currencies do you accept?

You can buy our products in the following currencies:
US Dollars, Euro, Pound Sterling, Australian Dollars, Japanese Yen, Canadian Dollars, or Swiss Francs.

There are also display currencies, which allow you to see product prices converted into additional currencies during the online order process for reference purposes.

What payment options are available?

Payment by credit or debit card provides the fastest order processing. We accept Visa, MasterCard, American Express, JCB and Diners Club, as well as UK debit cards Solo and Switch/Maestro.

We also accept the payment by wire transfer, check, PayPal or cash.

How can I place a purchase order?

Business customers can generally place a purchase order (PO) through our payment processor. Private customers are not eligible for this type of order. All POs must include the following information so that your order can be processed without delay:

  • The product name and, if known, the 6-digit product ID number
  • The number of units you wish to order
  • The name to which the product should be licensed
  • Your company’s billing address and, if applicable, a different delivery address
  • Contact name, phone number and fax number
  • The e-mail address for the order confirmation and invoice and, if different, the e-mail address for delivery
  • The currency you would like to order in (if applicable)

How will I receive my invoice?

When ordering online, you have the option of printing your own invoice. Click on “Print Invoice Version” in the lower left corner of the page displayed last.

You will also receive an e-mailed invoice together with your order confirmation.

If you need a printed invoice, go to your order overview in “My Account” to print it out.

How can I cancel my order after I paid the amount?

If you placed order within 30 days, you can cancel your order and request refund. Please directly contact us via email, including a brief explanation of why you wish to cancel your order. Refunds must be approved. Generally approved refunds will be issued within 2 business days, and will be confirmed by email. In the event that the refund does not be authorized, you will be notified by email.

When will I receive my product?

HTML clipboard

Our products are delivered electronically via email. After we receive your payment, the license information and download URL for your product will be sent to you immediately. If you do not receive your product within a reasonable time (usually one business day for credit card payment or two weeks for other payments), please notify us.

Can I have a Backup CD?

Yes. When place order, you can choose to purchase the Backup CD for your product with a small additional amount (e.g. $18.00/CD). Backup CDs are generally produced and mailed to you within one business day following receipt of payment. Saturdays and Sundays are not business days.

Can I enter different billing and shipping addresses?

Yes, you can enter two different addresses when ordering online, as well as when ordering through our customer service.

All correspondence relating to the order and payment will be sent by e-mail to the billing address. The product will be delivered (usually by e-mail) to the address given as the delivery address.

What will happen after I place my order online?

You will receive a confirmation for your transaction immediately after you place your order online. You will also receive a confirmation by e-mail that will contain all of your order data including your invoice or receipt.

If you chose to pay by credit/debit card or transferred the funds online during the order process, your order will be processed immediately. If your product is to be delivered to you electronically, it will be done immediately if we deliver the product, or within 48 hours if the software publisher ships their product directly to you. If your product is a physical product, shipment by mail or parcel service will be initiated immediately.

If you chose a different payment option, you will receive detailed information with your order confirmation that explains how to effect payment. Orders are processed once payment has been received.

If you do not receive an order confirmation after you have submitted your order, please contact customer service.

What Is the Subscription Version?

Subscription Version offers priority of technical support via chat, e-mail or fax, free product updates, including new editions, free policy knowledge base updates, free documentation updates and access to pre-release product, during the term of the subscription.  


How to determine the name of worker who uses a computer?

 1). Sax2 monitor under the MAC address (LAN address, the user can not be changed) by default. In a single network environment, MAC address and the computer are one-to-one relationship, according to MAC address to judge the corresponding staff.

   2) In the multi- segment network  environment, MAC address and computer are not one-to-one relationship, and need to monitor through IP addresses. Therefore, only through IP address to judge the user, we recommend using IP and MAC bundled technology in cases of multi- segment network environment, to prevent employees to evade monitoring through the revision of IP.

How can I see a machine’s MAC address?

MAC address is the adapter address  Click the “Start” -> “Run”, input “cmd”, click enter, and then input “ipconfig / all” to cmd window. To see all the configuration information of the adapter, the “Physical Address” is the MAC address.

Can I monitor MSN after it use plug-in encryption?

Yes, you can. But you will see the content is encrypted (it will be messy code.)

Can Sax2 detect the traffic occupation in the network?

Sax2 can count the entire  network or a single network node, including the total traffic, traffic per second, the average traffic in detail.

Why do not show the email which I sent from web page in the mail logs?

Sax2 ’s mail analysis functions support the protocol is SMTP and POP3, while sending e-mail based on web use the HTTP protocol, and submits with form style, so it will not be displayed in the email log automatically.

Email log list capturing the e-mail message, but I double-click the message to see the original information, failed. Why?

Sax2 did not keep copies of e-mail message by default. In this case, you will not see the original information directly. To enable this feature, Please refer to help document.

Can Sax2  identify the worm infected machines in  network?

Yes it can. There are two kinds worm. One is based on e-mail worm; the other one is based on operating system. The first worm’s the performance of the main characteristics is high frequency sending a message, similar content in the message headers, the same e-mail attachments. The second worm’s the performance of the main characteristics is trying to work with all host LAN connection, linking the port are consistent and link between the gap between short time, greater flow of occupation. Sax2 ’s email logs can capture analysis and reorganize sending and receiving mail in the network. According to e-mail log information and the features of e-mail worm, use r can identify the worm infected machines in  network. Through packet view and conversation view, you can easily identify infected machines within vulnerabilities worm.

When we manage firewall through web interface, need to add 10,081 port behind the URL, but then I have not seen the information in the HTTP logs, what is the problem?

By default, Sax2 analyze the HTTP accessing based on the 80 port. Analyze the web accessing based on other port (such as the 10,081) , Please refer to help document.

If access the  Web site  by https, can it analyze the accessing server information?

No, it can not.  Https is encrypted transmission. Sax2 or even all of the protocol software can only capture communications packets of https, but can not analyze and restrict its specific accessing information.

When capture packets, find some adapter have a number of IP addresses. Why? Is this normal?

Generally, a adapter has a number of IP addresses, as followings:

Under normal circumstances, a adapter targeted a number of IP.

Gateway: When data communicates, each of the three-tier equipment will change the source address of the packet into his own, and send to the next equipment, so a gateway matching a number of IP is normal.

ARP attacks: when do ARP attacks, generally there will have a host of intermediaries, this host will match a number of IP because of the needs to deceive the client and gateway together.

Therefore, when the adapter matches a number of IP address, we need to analyze. If it belongs to segment 1 and 2, it is normal, but if it is the third one, which means the network is in the attacks, and the current adapter corresponding to the host which is the attack source, should immediately conduct a thorough investigation.

Why I can only capture the packets sent , can not capture the packets  received ?

This phenomenon is due to your wrong HUB connection or incorrect switch ports mirror configured. If you are using the HUB with the uplink, the port which connects uplink port can not connect to any network lines. If it still does not work, you can try another port. If you are using the switch, please make sure whether have done mirrors in send and receive data.