TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Tim,

It's possible that the other side of the connection actually had
the RealSecure RSKILL event triggered, you know.... I've seen this twice
now myself.

Some of the signatures are prone to a lot of false positives. It
may be that this is what happened. For example, the Email_Wiz signature
gets so flooded with false positives that I'd recommend turning it off in
*any* RealSecure installation. Especially when you consider that this
signature detects an attack that hasn't been current in about a decade....

-Mike Wilson
-Sr. Network Computing Pure Scientist
-UNIFIED Technologies
-Troy, NY

On Tue, 18 Apr 2000 [EMAIL PROTECTED] wrote:
>
> I have received a RealSecure_Kill event that took place between a source address
> outside of our domain and a destination address within our domain. The
> information provided was CUSTID: 1234 and nothing further. I was able to
> determine the hostname of the external source.
>
> Can someone explain to me what could potentially have triggered this? Because
> the engine is fairly new, I have not set the box up to perform any TCP resets.
> We have other engines that do, but not this one. It may be an isolated incident,
> but I would truly like to understand what transpired.
>
> There was only one event recorded for this source address so I am a bit
> confused. Are there any default configs that perform TCP resets for certain
> events?
>
>
> Thanks,
>
>
> Tim..........