IPS anomaly detection knowledge base

Hello
i have configured my IPS device anomaly detection policy for learning accept mode for 48 hours.
and after finishing learning i see knowledge base file which is only 88 bytes in size. Is this normal ?  

Depending on your network complexity, you may want to have anomaly detection in learning accept mode for longer than the default 24 hours Yes  the knowledge base will replace with new knowledge base.
Regards
Rajeswar

Similar Messages

  • Anomaly Detection Knowledge Base

    the only way to build a anomaley detection knowlege base is put IPS in learning mode for a time like 72 hours or is there any file or resource to download? I mean KB file and put into sensor something like that. Anomaley Detection Knowledge Base page ?!

    Arash
    Your IPS Sensors need to build this database on their own, based on the traffic they see. There is no reference database to install. Here are the configuration details:
    http://www.cisco.com/en/US/docs/security/security_management/cisco_security_manager/security_manager/4.0/user/guide/ipsanom.html#wp530821
    - Bob

  • Anomaly Detection in IPS

    Hi,
    I am going to configure ad0 in IPS ver 7.0 using IME. If there is any guide to configure ad0 using IME then please share...

    Configuring Anomaly Detection (AD) using IME 7.1

  • How to test anomaly detection in IPS6 ?

    Hi!
    Does anybody have experience with AD in IPS6? I tried to test it today with 3 nmap sessions each scanning 100 different IPs. I saw the Sig 13003-0 (single scanner) fired:
    signature: description=AD - External TCP Scanner id=13003 version=S262
    alertDetails: . adExtraData: numDestIps=150; currentThreshold=150; destPort=80
    The scanner threshold was indeed set to 150:
    S1# sh ad-knowledge-base vs0 thresholds current
    External Zone
    TCP Services
    Default
    Scanner Threshold
    User Configuration = 150
    Threshold Histogram - User Configuration
    Low = 10
    Medium = 3
    High = 1
    UDP Services
    This is ok. The problem is that the Sig 13003-1 (warm) didn't fire, however the number of scanned IPs was very high:
    S1# sh statistics anomaly-detection vs0
    Statistics for Virtual Sensor vs0
    Attack in progress
    Detection - ON
    Learning - OFF
    Next KB rotation at 10:00:00 MSK Fri Dec 28 2007
    Internal Zone
    TCP Protocol
    UDP Protocol
    Other Protocol
    External Zone
    TCP Protocol
    Service 80
    Source IP: 10.0.1.1 Num Dest IP: 280
    Questions:
    - what does Low/Medium/High exactly mean in threshold histogram?
    - how does the sensor detect worms? When the Sig 13003-1 fires? What sequence of events should happen?
    - how can I test it?

    The sensor constantly watches for scanners on each port.
    There are 3 categories of scanners:
    Low scanners - scanners that are only scanning a low number of hosts.
    Medium scanners - scanners that are scanning a medium number of hosts
    High scanners - scanners that are scanning a high number of hosts
    NOTE: I can't remember for sure how many hosts must be scanned for it to be a "Low" number of hosts, or "Medium" or "High". But it may be something like 5 hosts scanned is a "Low" scanner, 20 for Medium and 100 for High. Once again I am not sure of those numbers.
    Also be aware that the number of hosts scanned is not the Total numner of hosts scanned, but is instead the number of hosts scanned THAT did not respond.
    If you connect to 100 web servers and all web servers respond then it does not count that as a scan. If you try to connect to 100 web servers and 92 respond, then for the 8 that don't respond you would be categorized as a Low scanner.
    But just because a scanner is counted in a category does not mean an alert will be generated.
    There are 2 types of alerts (subsig 0 alerts, and subsig 1 alerts)
    Subsig 0 alerts are for a scanner that is scanning enough hosts that you want an alert for it even when no worm has been declared.
    This is the "scanner Threshold / User Configuration = 150" that you see in the "show ad-knowledge-base vs0 thresholds current" output.
    If a scanner scans more than 150 hosts then a specific alert is generated even though no worm has been declared.
    Any scanners scanning less than 150 hosts are still categorized but do not have alerts generated for them when no worm has been declared.
    The subsig 1 alerts are for when a Worm has been declared.
    Here is how a worm gets declared:
    The Thesholds for Low, Medium, and High that you see in "show ad-knowledge-base vs0 thresholds current" is the number of active scanners in each category that are allowed to normally be seen on your network (this is the number of scanners that will be seen on your network even when there are no worms).
    A worm gets declared when the number of scanners in any one of the 3 catgeories goes above the threshold for that category.
    Let's take for example Medium=3 as the threshold for port 21. And let's assume it takes a scan of 20 hosts to be categorized as a Medium scanner.
    This means normally you could have up to 3 scanners on your network where each scanner is scanning 20 or more non-responding hosts on port 21.
    (Maybe these are 3 network administrators periodically checking to see which machines have port 21 open)
    Suddenly you have 5 scanners that start scanning on port 21 and each of the 5 winds up with 20 or more non-responding hosts.
    That 5 has broken the threshold of 3, and a worm is declared. Now any Medium Category scanner on port 21 will begin being declared a scanner under a worm condition (subsig 1).
    So for your testing.
    Instead of running a scan of 100 hosts from just one machine, I would recommend you scan the same 100 hosts from 2 or 3 machines (NOTE: Only need to scan a single port across those 100 hosts).
    Scanning 100 hosts should get them categorized as High scanners. And having 3 High Scanners should push it over the threshold of 1.
    BUT keep in mind that it needs to be 100 hosts not responding on the scanned port.
    Then you will also want to try it with fewer hosts being scanned (like say 25), but with say 5 machines running nmap doing the scanning.

  • MFP Anomaly Detected Access Points are moving from one wlc to another and vice versa

    Hi together,
    a customer has lost some Access Points to another WLC with 7.2  and then they come back after 15 minutes to the origin WLC with 7.5
    Attached the messages
    MFP Protection is configured as optional
    152
    Wed Nov 27 05:33:26 2013
    MFP Anomaly Detected - 1 Not encrypted event(s) found as   violated by the radio 58:bf:ea:0f:67:4a and detected by the dot11 interface   at slot 1 of AP 58:bf:ea:0f:67:40 in 300 seconds when observing . Client's   last source mac 70:11:24:e4:43:0f
    153
    Wed Nov 27 05:31:40 2013
    AP Disassociated. Base Radio MAC:88:43:e1:56:91:d0
    154
    Wed Nov 27 05:31:40 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:88:43:e1:56:91:d0 Cause=New Discovery Status:NA
    155
    Wed Nov 27 05:31:33 2013
    AP Disassociated. Base Radio MAC:58:bf:ea:0f:73:d0
    156
    Wed Nov 27 05:31:33 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
    157
    Wed Nov 27 05:31:33 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:73:d0 Cause=New Discovery Status:NA
    158
    Wed Nov 27 05:31:28 2013
    AP Disassociated. Base Radio MAC:58:bf:ea:0f:fc:20
    159
    Wed Nov 27 05:31:28 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
    160
    Wed Nov 27 05:31:28 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:58:bf:ea:0f:fc:20 Cause=New Discovery Status:NA
    161
    Wed Nov 27 05:31:17 2013
    AP Disassociated. Base Radio MAC:b4:e9:b0:e4:02:20
    162
    Wed Nov 27 05:31:17 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
    163
    Wed Nov 27 05:31:17 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:b4:e9:b0:e4:02:20 Cause=New Discovery Status:NA
    164
    Wed Nov 27 05:31:15 2013
    AP Disassociated. Base Radio MAC:a4:18:75:eb:da:b0
    165
    Wed Nov 27 05:31:15 2013
    AP's Interface:1(802.11a) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
    166
    Wed Nov 27 05:31:15 2013
    AP's Interface:0(802.11b) Operation State Down: Base Radio   MAC:a4:18:75:eb:da:b0 Cause=New Discovery Status:NA
    167
    Wed Nov 27 05:28:26 2013
    MFP Anomaly Detected - 35 Not encrypted event(s) found as   violated by the radio d8:24:bd:2f:df:6f and detected by the dot11 interface   at slot 1 of AP d8:24:bd:2f:df:60 in 300 seconds when observing Deauth.   Client's last source mac 00:23:14:a7:e3:54
    168
    Wed Nov 27 05:23:26 2013
    MFP Anomaly Detected - 23 Not encrypted event(s) found as   violated by the radio f8:4f:57:a5:40:b2 and detected by the dot11 interface   at slot 0 of AP f8:4f:57:a5:40:b0 in 300 seconds when observing . Client's   last source mac 44:4c:0c:ba:27:77
    Don´t know at the moment how to handle it.
    Regards
    Alex

    Hi lAlex,
    Disable Client MFP under WLAN advanced tab & see if  this still occur
    Regards
    Rasika
    **** Pls rate all useful responses *****

  • Anomaly Detection Internal Zones

    Hello,
    I have specified my corporate full IP subnet in internal zone, but i have not configured any TCP or UDP port for any destination also i have kept the default thresholds,
    Is it necessary to configure  destination port for the TCP and UDP protocol.???????????????
    Thanks

    Hello,
    Uptill now i m not facing any issues with IPS but i want IPS to monitor all the ports for the Internal zone so this is the reason i m asking that while configuring the Internal zone we have to mentioned specific port of tcp and udp for anomaly detection.
    If i m not specifying any port than what does it monitor?? is it this incomplete configuration OR it monitors all the ports (1-65535)
    Thanks

  • Anomaly Detection not detecting host machines (learned OS)

    I have an ASA5540X firewall with the internal (software based) IPS module. The module has the up-to-date signatures and seems to be running correctly. However, after enabling anomaly detection (ad0), and specifying the internal zones, I don't see any "Learned OS" in IME
    My settings are pretty basic for the sensor
    access-list ips_traffic extended permit ip any any
    access-list ips_traffic extended permit udp any any
    class-map ips_class
     match access-list ips_traffic
    policy-map global_policy
     class ips_class
     ips inline fail-open
    not sure why it isn't learning the OSs

    Learned OS maps—OS maps observed by the sensor through the fingerprinting of TCP packets with the SYN control bit set. Learned OS maps are local to the virtual sensor that sees the traffic.
    can you verify the OS finger printing from
    sensor# show os-identification learned
    Enable passive-traffic-analysis {enabled | disabled}

  • Anomaly Detection syntax/options

    I want to configure anomaly detection on my IPS, but was a little unclear on the syntax for the zones.
    Looks like I can configure the internal/service zone as
    172.25.13.1-172.25.13.254,172.25.20.1-172.25.13.254
    What if I want to make a very general internal zone (because I have a lot of subnets). Would I do something like this?
    172.25.1.1-172.25.255.255
    I want to define pretty mcuh everything in 172.25.0.0 /16 as internal, but not sure about the syntax here

    Anomaly Detection Zones
    By subdividing the network into zones, you can achieve a lower false negative rate. A zone is a set of destination IP addresses. There are three zones, each with its own thresholds: internal, illegal, and external.
    The external zone is the default zone with the default Internet range of 0.0.0.0-255.255.255.255. By default, the internal and illegal zones contain no IP addresses. Packets that do not match the set of IP addresses in the internal or illegal zone are handled by the external zone.
    We recommend that you configure the internal zone with the IP address range of your internal network. If you configure it in this way, the internal zone is all the traffic that comes to your IP address range, and the external zone is all the traffic that goes to the Internet.
    You can configure the illegal zone with IP address ranges that should never be seen in normal traffic, for example, unallocated IP addresses or part of your internal IP address range that is unoccupied. An illegal zone can be very helpful for accurate detection, because we do not expect any legal traffic to reach this zone. This allows very low thresholds, which in turn can lead to very quick worm virus detection.

  • Can UCE communicate to the Universal Knowledge Base and Universal Software

    Question
    Can UCE communicate to the Universal Knowledge Base and Universal Software Component Repository through a company proxy server?
    Answer
    During the install process of the OnStage Management Server, the OnStage EZ-installer will detect your local proxy server whilst establishing communications with the Aduva Universal Servers.
    In this instance, the user is prompted for the proxy parameters, including IP address of the proxy or proxy server name if DNS is present, proxy user name and password.
    This information is stored locally in the .director.rc file and is never communicated to Aduva or any other 3rd party.
    Once the proxy settings have been correctly inputed during installation, OnStage will indeed work through the proxy server.

    Welcome to Apple Discussions.
    I assume you have already tried what has been said in this: iPod shows up in Windows Explorer but not in iTunes, iPod Service Error or Please reinstall iTunes and Fast User Switching in Windows XP is not supported?
    Sorry if you have, but have to know first.

  • CAS & Primary site repl group "Asset Intelligence Knowledge Base" sync error - Link failed

    My environment: SCCM 2012 SP1, CAS + 1 Primary site works exellent - everything replicated and works fine.
    I install one more primary site KP0. At first sync i have an error at replication group "Asset Intelligence Knowledge Base", and link state become failed. (by the way, i DONT use asset intelligence and have no such role on CAS)
    What i'v done:
    1. Look at "replication link analyzer" - nothing usefull but
    Initialization is failed for replication group Asset Intelligence Knowledge Base. 
    RLA detected no re-initialization for the group Asset Intelligence Knowledge Base in last 24 hours. 
    BCP out failed for Asset Intelligence Knowledge Base for tables Unknown.
    at xml view -
    -<Description><Detail Value="Replication initialization is in progress for replication groups MDM_Site, MDM_SiteSpecial, Hardware_Inventory_1, Hardware_Inventory_2, Hardware_Inventory_3, Hardware_Inventory_4, Hardware_Inventory_5, Hardware_Inventory_6,
    Hardware_Inventory_7, Hardware_Inventory_8, Hardware_Inventory_9, Hardware_Inventory_10, Hardware_Inventory_11, Hardware_Inventory_12, Hardware_Inventory_13, Hardware_Inventory_14, Hardware_Inventory_15, Hardware_Inventory_16, Hardware_Inventory_17, Hardware_Inventory_18,
    Hardware_Inventory_19, Hardware_Inventory_20, Hardware_Inventory_21, Hardware_Inventory_22, Hardware_Inventory_23, Hardware_Inventory_24, Hardware_Inventory_25, Operational_Data, High_Priority_Site, Collection_Membership, Medium_Priority_Site, EndpointProtection_Site,
    General_Site_Data, CI_Compliance_Rule_Details, CI_Compliance_Status_Details_and_History, Software_Inventory_and_Metering, Status_Messages, Hardware_Inventory.
    Found replication groups Asset Intelligence Knowledge Base that needs to be re-initialized. Reason code: ReinitializePackageCreationFailed.
    " Name="result"/></Description></IsSiteActive>-<RuleRemediationSteps>-<RuleRemediationStep Name="CallForInitializationIssues"><Parameter Value="CAS" Index="0"/><Parameter
    Value="KP0" Index="1"/><Parameter Value="MDM_Site, MDM_SiteSpecial, Hardware_Inventory_1, Hardware_Inventory_2, Hardware_Inventory_3, Hardware_Inventory_4, Hardware_Inventory_5, Hardware_Inventory_6, Hardware_Inventory_7, Hardware_Inventory_8,
    Hardware_Inventory_9, Hardware_Inventory_10, Hardware_Inventory_11, Hardware_Inventory_12, Hardware_Inventory_13, Hardware_Inventory_14, Hardware_Inventory_15, Hardware_Inventory_16, Hardware_Inventory_17, Hardware_Inventory_18, Hardware_Inventory_19, Hardware_Inventory_20,
    Hardware_Inventory_21, Hardware_Inventory_22, Hardware_Inventory_23, Hardware_Inventory_24, Hardware_Inventory_25, Operational_Data, High_Priority_Site, Collection_Membership, Medium_Priority_Site, EndpointProtection_Site, General_Site_Data, CI_Compliance_Rule_Details,
    CI_Compliance_Status_Details_and_History, Software_Inventory_and_Metering, Status_Messages, Hardware_Inventory" Index="2"/></RuleRemediationStep>-<RuleRemediationStep Name="ReinitializePackageCreationFailed"><Parameter
    Value="KP0" Index="0"/><Parameter Value="CAS" Index="1"/><Parameter Value="Asset Intelligence Knowledge Base" Index="2"/></RuleRemediationStep>
    2. Look at rcmctrl.log at CAS + KP0 (enable logging level = 2) - just one error
    Processing replication group Asset Intelligence Knowledge Base. 
    Current status is Failed.
    ERROR: Replication group "Asset Intelligence Knowledge Base" has failed to initialize for subscribing site KP0, setting link state to Error. 
    3. Look at sql at KP0-
    select * from RCM_DrsInitializationTracking where ReplicationGroup = 'Asset Intelligence Knowledge Base'
    SiteRequesting SiteFulfilling ReplicationGroup RequestTrackingGUID InitializationStatus IsPartialInit CreatedTime ModifiedTime TryCount InitializationPercent
    KP0 CAS Asset Intelligence Knowledge Base 0FC575F9-5C07-46FD-B384-000B38CEDCD8 7 0 2013-04-03 15:17:03.080 2013-04-08 08:32:03.213 0 0
    KP0 CAS Asset Intelligence Knowledge Base B39F39C2-7FFF-424E-B5DD-52FE82B1E12D 99 0 2013-04-08 08:32:03.217 2013-04-08 08:34:59.650 0 21
    KP0 CAS Asset Intelligence Knowledge Base 9E93E7AE-4823-4B3D-B67F-78CFD53404F1 7 0 2013-04-08 08:09:18.117 2013-04-08 08:32:03.213 0 0
    KP0 CAS Asset Intelligence Knowledge Base 01D49D3C-D2AE-4699-9E5C-8D3DC5C3CEF7 7 0 2013-04-08 07:58:55.523 2013-04-08 08:32:03.213 0 0
    Then try to change 99 error status to 7 -> replication starts and fall to error again
    All this time primary site KP0 is in maintainence mode... any ideas?

    I found the issue with my site was because the site I added into the Hierarchy didn't have the replication link properties  site data for distributed views set.  Enabling these and running the link analyser again.  After a little time everything
    showed up green for me.

  • Since cahnging FIOS Internet provider, which required a router to go in front of "AirPort" I have a blinking yellow on the AirPort and suggested editing in AirPort utility to cahnge from Double NAT to "Bridge Mode" my knowledge base is not clear as t

    How do I clean up my new FIOS connection? I just cahnged ISP Fios and they reqquired a router of thier own in front of my AirPort Extreme. Since then I have blinking yellow light on the AirPort and AirPort utility keeps promting for an edit. Suggests canging from NAT to "Bridge mode". Obviuosly U have some internet or this post would not go anywhere, my knowledge base is not enought to feel comfortable with changing the settings. Correctly editing can be tricky, so how do I make necessary changes?

    How do I clean up my new FIOS connection?
    The FIOS router needs to be in Bridge Mode to prevent the Double NAT error from occurring when two routers are both fighting with each other for control of the network.
    Unfortunately, the likely problem from the FIOS side is that FIOS support will either tell you that their router cannot be configured to operate in Bridge Mode, or if it can, they will not tell you how to do it.
    But, it could not hurt to check with FIOS to see if anything might have changed recently in this regard, so your first call would be to FIOS support.
    If you cannot change the FIOS router to Bridge Mode, the alternate plan would be to change the AirPort Extreme to Bridge Mode. If you are using the Guest Network feature on the AirPort Extreme at this time, that feature will not work correctly when the AirPort is set up in Bridge Mode.

  • Update Knowledge base on Production with Dev Server

    Hi Friends,
    I have a knowledge base on my dev server and we imported same knowledge base to Prod server.
    So here my questions is, we have created some rules in the dev knowledge base so we need to replicate same rules to prod  knowledge base? how to overwrite prod knowledge base with Dev knowledge?
    Can anyone guide me how to do that please?
    Thanks,
    RK

    Hi Samir,
    Stopping the e-mails to be sent out shouldn't be a problem in this system I think. You can still test everything, without the business getting confused. If you want to see if an e-mail is correct you can still check it in transaction SOST without it being sent.
    Otherwise inform the business about e-mails sent form different systems and add the system name in the e-mail message so they know from which system the e-mail is comming and if they have to respond.
    Regards,
    Martin

  • I have the problem described in /forums/knowledge-base-articles/704725. (Firefox is already running but not responding). My only solution is to use Task Manager to end the firerfox process. I am the only user and there are no other profiles on my system

    Occasionally I have the problem discussed in /forums/knowledge-base-articles/704725 , Firefox is already running. My only fix is to use Task Manager to end the firefox process. At such tmes, I have no other instances running.

    '''https://support.mozilla.org/questions/997866?esab=a&s=&r=1&as=s'''.<BR>
    This is not a cure but will make it easier if Firefox locks up.

  • Problem in creating a new knowledge base file

    Dear experts,
    I should like to create a new knowledge base file. I use the Oracle version 9.2 and the OS is Windows 2000. I have created the thesaurus with
    ctxload -user ctxsys/ctxsys -thes -thescase y -name DEFAULT -file xx.xx
    and the language setting:
    NLS_LANG=HUNGARIAN_HUNGARY.EE8MSWIN1250
    During the compile operation
    ctxkbtc -user ctxsys/ctxsys -name DEFAULT
    i get the following error message:
    DRG-52110: Error in writing extended knowledge base
    DRG-11101: drelcHU.dat open error
    Before the ctxkbtc command execution, I have created an empty directory for the expected .dat file:
    ctx/data/hulx
    with full control for every OS users.
    What is missing or false in the commands? Where could I learn more on this special topic?
    Many thanks for any help.
    Best regards
    Laszlo

    meanwhile i have found the solution :-), The name of the empty directory must be
    xxlx
    and not
    hulx
    Laszlo

  • Repair Disk Permissions utility stalled - I have read the knowledge base

    I have researched the knowledge base and search for posts on this and cannot find answer: Running 10.4 at the latest version. used the original install 1 disc I received with Tiger to repair disc permissions (like Apple support has told me to do in the past, but my current research said I do not need to do this unless certain parameters are met, and none of the parameters applied, but oh well, I am here anyway). Cold Boot from the original install disc 1 and slected the start up disk I use (I only have one start up disc/drive). Did a repair disc permissions and got a long running routine that reporting a lot of fixes, then the utility has stalled -- no progress on the progress bar. I "stopped" the process using the "stop repair" button (three times). The log reflected the utility stopped, but the progress bar still is blue and not moving (for a couple of hours). When I go to quity File >Disk Utility, it warns me that Disk Utility is running and this may make my system unstable/unsuable.
    QUESTION: CAN I JUST QUIT DISK UTILITY AND NOT HAVE ANY ADVERSE AFFECT ON MY IMAC DRIVE?

    Thanks for your advice, I still have an issue:
    -after the first repair disk permission "stalled" process, I exited Disk Utility and cold booted the machine after I had disconnected all external devices other than the original iMac keyboard
    -obtained the combo patch for 10.4.7 from the Apple download site (it had already been installed but I reinstalled per your advice)
    -re-applied the combo patch and then did another cold boot
    -ran Disk Utility from the original Tiger install #1 disk, and then selected "repair disk permissions" for my start up disk (I only have one)
    - process ran for 10 minutes or so then gave the following error message: "Disk Utility Error: Disk Utility has lost its connection with disk utility management tool and cannot continue. Please quit disk utility and re-launch disk utility"
    - I pushed the "stop disk permission repair" button, then quit disk utility, then cold booted the machine again.
    -re-applied combo patch as above, then cold booted the machine
    -ran disk utility from the original iMac install #1 disk, ran "repair disk permissions", and then received the same error message as above.
    - I then just quit Disk Utility and cold booted the machine again and went about my business. There does not seem to be any problem with the machine (was not before, but I ran repair permissions thinkging this was a routine maintenance taks that should be run)
    - in my prior search of the knowledge base, I found the following information about repair disk permissions:
    Location: http://discussions.apple.com/thread.jspa?messageID=607495&#607495
    How often should I Repair Permissions?
    You do not need to Repair Permissions on a regular basis.
    There are only three occasions you need to do this:
    1. When you have just installed something that required you to run an Installer, rather than just copying some software to a folder. This should be done for both Apple and non-Apple software.
    2. When you have been working on your OS X files or folders while booted from OS 9, or remotely connected via a non-OS X machine, since OS 9 and other systems do not handle OS X's permissions correctly.
    3. The other case is if your system is behaving strangely, when you should run Disk Repair from your CD followed by Repair Permissions. This is just to eliminate these things before going on to further trouble-shooting.
    Otherwise you can happily forget about Permissions!"
    So, it would appear I do not need to do anything else; the machine seems to be working properly. Is there anything else I need to do? thanks for the help! Bob

Maybe you are looking for