
***Note- I am not a member of the forum, but I was asked to post this for
clarification.


        In a SYNFlood attack, the attacker is likely to be using a tool
capable of spoofing the source address for each SYN packet (since no
connection is required and it is fairly easy to spoof addresses.)  If the
attacker used an entire Class A as the source and the detector reported
every address to the console, the console would quickly become overwhelmed
and the event buffer would be forced to cycle several times.  The reason
that we always report the source as 0.0.0.0 is to protect the console from
being flooded in case of a real attack.  The real IP addresses can still be
seen if the event is accessed in one of two ways.  First, you can right
click on the event in the Activity Tree and look in the info field.
Secondly, you can see the real addresses if the Db is synced and you open
rsntclientlog.mdb in MSAccess.  Under 'forms' you will find the event
inspector.  The event inspector will give you a great deal of information on
all RSevents.  It includes ports, addresses, and MAC addresses.  In the
bottom of the event inspector, there is a tag section that will show you the
translated value of decode specific information.  In the case of a SYNFlood,
the tag is SPOOFEDSRC and the value is the actual address.
        One other point to note: the thread that was emailed to me stated
that the 0.0.0.0 made it hard to filter SYNFlood.  SYNFlood (along with a
few other decodes) is not filterable.  The reason for this is simple-
performance.  In a real SYNFlood, thousands of packets are going to be
involved.  If the engine passed all of these up and evaluated them against
all of the filters, performance on the engine would be affected.  If you
have any questions about using the Event Inspector, SYNFlood, or any other
RS questions, feel free to drop us a line.  Our support numbers and email
address can be found below.  Thanks for using RealSecure.

=================================================================
John Pierce                             Internet Security Systems, Inc.
IDS Team Lead                   Phone - (678) 443-6400
Tech Support                          - 1-888-447-4861
[EMAIL PROTECTED]                 Fax   - (678) 443-6485
www.iss.net                             ftp.iss.net

Privacy Statement:  http://www.iss.net/tech/support.php3
PGP Public Keys:
http://www.iss.net/customer_care/resource_center/sensitive.php
                   
================================================================= 
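The reporting design John describes above (one console event with the source set to 0.0.0.0, the real spoofed addresses kept in a SPOOFEDSRC tag on the event, and no per-packet filter evaluation) can be sketched as a small detector. The code below is an added illustration written for this page; it is not RealSecure's code and it does not read rsntclientlog.mdb. The Packet and Event classes, the threshold and window values, the SRCDROPPED tag and the constructed 10.0.0.0/8 flood are all assumptions made for the example.

```python
"""Toy SYN-flood detector mirroring the alerting design described in the post.

Bare SYNs are aggregated per (destination, port, time window).  Once the
threshold is reached, ONE event per window is raised, its console-visible
source is 0.0.0.0, and the real (presumably spoofed) source addresses are
kept on the event in a SPOOFEDSRC tag, capped so that a Class A worth of
sources cannot blow up the event store.  Packets are never evaluated one by
one against user filters; only the aggregated event exists at that level.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    dport: int
    flags: str     # TCP flag letters, e.g. "S" for a bare SYN, "SA" for SYN/ACK


@dataclass
class Event:
    name: str
    src: str       # what the console sees (0.0.0.0 for a SYNFlood)
    dst: str
    dport: int
    count: int
    tags: dict = field(default_factory=dict)


class SynFloodDetector:
    """Counts bare SYNs per (dst, dport, window); one event per window at most."""

    def __init__(self, threshold=100, window=1.0, max_sources=256):
        self.threshold = threshold        # SYNs per window before we alert
        self.window = window              # seconds per aggregation window
        self.max_sources = max_sources    # cap on real addresses kept per event
        self._count = defaultdict(int)    # key -> SYNs seen in that window
        self._sources = defaultdict(set)  # key -> distinct real source addresses
        self._dropped = defaultdict(int)  # key -> new sources not recorded (cap hit)
        self._events = {}                 # key -> Event once raised

    def _key(self, pkt):
        return (pkt.dst, pkt.dport, int(pkt.ts // self.window))

    def feed(self, pkt):
        """Consume one packet; return the (updated) Event if the window is over threshold."""
        if pkt.flags != "S":              # only bare SYNs count toward a flood
            return None
        key = self._key(pkt)
        self._count[key] += 1
        srcs = self._sources[key]
        if len(srcs) < self.max_sources:
            srcs.add(pkt.src)
        elif pkt.src not in srcs:
            self._dropped[key] += 1       # remember that detail was lost, not the address
        if self._count[key] < self.threshold:
            return None
        ev = self._events.get(key)
        if ev is None:                    # first time over threshold in this window
            ev = Event("SYNFlood", "0.0.0.0", pkt.dst, pkt.dport, 0)
            self._events[key] = ev
        ev.count = self._count[key]       # later SYNs update the same event, not a new one
        ev.tags["SPOOFEDSRC"] = sorted(srcs)
        ev.tags["SRCDROPPED"] = self._dropped[key]
        return ev

    def events(self):
        return list(self._events.values())


def constructed_flood(n=600, dst="192.0.2.10", dport=80, start=100.0):
    """Constructed traffic (not a capture): n bare SYNs from distinct 10.0.0.0/8
    sources spread over half a second, plus two legitimate non-SYN packets."""
    pkts = []
    for i in range(n):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        pkts.append(Packet(start + 0.5 * i / n, src, dst, dport, "S"))
    pkts.append(Packet(start + 0.1, "198.51.100.7", dst, dport, "SA"))
    pkts.append(Packet(start + 0.2, "198.51.100.7", dst, dport, "A"))
    return pkts


def run(pkts, **detector_args):
    """Feed all packets through a fresh detector and return the raised events."""
    det = SynFloodDetector(**detector_args)
    for p in pkts:
        det.feed(p)
    return det.events()


if __name__ == "__main__":
    for ev in run(constructed_flood()):
        print(f"{ev.name} src={ev.src} -> {ev.dst}:{ev.dport} count={ev.count} "
              f"recorded_sources={len(ev.tags['SPOOFEDSRC'])} "
              f"dropped={ev.tags['SRCDROPPED']}")
```

The constructed flood of 600 SYNs produces exactly one event rather than 600, which is the console-protection point of the post; the real addresses are still there in the SPOOFEDSRC tag, and when the per-event cap is hit the detector records how many distinct sources it discarded instead of silently losing them.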

