TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
First I want to thank all of you for the helpful input. Since this was an
isolated event (having found no other related suspicious activity) I have a
feeling this is probably a false positive related to a system or
application. I have a couple of follow-on questions concerning this.
The event description indicates that false positives may result due to
"malfunctioning h/w or s/w". The target was a mail gateway box running
SendMail, and I wonder if a particular SendMail configuration tripped this
signature? Has anyone had similar experience and it turned out to be
hardware or software (SendMail)? If so, what kind of h/w or s/w
configuration did you find that caused this? I'm not sure how h/w could
cause this problem...can someone enlighten me (maybe dual NIC...IP
forwarding)?
Mark
>
> Hello all,
>
> I have been monitoring this list silently for a while now, and want all to
> know that I have learned a lot from those who post here. I recently posted
> a question to this list, but I was remiss to introduce myself...my
> apologies. I am a security administrator for a fairly large company and
> responsible for managing our intrusion detection systems. I have RealSecure
> 3.2.1 (recently upgraded to 3.2.2) implemented on NT platforms.
>
> The question I have for the experts on this board is this: I currently have
> a RS network sensor monitoring our DMZ and I discovered an
> "IPProtocolViolation" event that I need help to decipher. Particulars are
> as follows:
>
> Source Addr: 205.x.x.x (Internet)
> Dest Addr: 10.x.x.x (a mail gateway server located on the same DMZ as the
> sensor)
> Protocol: TCP
> Source Port: 44822
> Dest Port: email
>
> RealSecure identifies the reason as an "unusual TCP flag combination" with a
> value of 21. Can anyone help me to understand the meaning of what I am
> seeing? I do not understand what the "value 21" means. I have run a number
> of reports and I can't find any other related events that would indicate an
> attack from the same IP range of the source. Any help in answering this
> puzzling question would be highly appreciated.
>
>
> Mark H. Anderson
> Security Specialist
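As an added example (not part of the thread or of RealSecure), a small decoder for the raw TCP flags byte, on the assumption that the sensor's "value" is that byte as it appears in the TCP header: it names the bits that are set and lists the combinations a conforming stack never sends, which is the check an analyst would run before calling such an event benign.

```python
"""Decode a TCP flags byte and explain why an IDS would call it unusual.

The bit values are those of the TCP header flags field (FIN=0x01, SYN=0x02,
RST=0x04, PSH=0x08, ACK=0x10, URG=0x20). Treating the IDS event's "value"
as this raw byte is an assumption made for the example.
"""

TCP_FLAGS = {
    0x01: "FIN", 0x02: "SYN", 0x04: "RST",
    0x08: "PSH", 0x10: "ACK", 0x20: "URG",
}
FLAG_MASK = 0x3F  # the six classic flag bits


def decode_flags(value: int) -> list[str]:
    """Return the names of the flags set in `value`, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]


def flag_anomalies(value: int) -> list[str]:
    """Reasons a flags byte is not something a normal TCP stack emits.

    An empty list means the combination can occur in legitimate traffic
    (e.g. SYN, SYN+ACK, ACK, PSH+ACK, FIN+ACK, RST, RST+ACK).
    """
    fin, syn, rst, ack = value & 0x01, value & 0x02, value & 0x04, value & 0x10
    problems = []
    if value & FLAG_MASK == 0:
        problems.append("no flags set")
    if syn and fin:
        problems.append("SYN and FIN together")
    if syn and rst:
        problems.append("SYN and RST together")
    if fin and rst:
        problems.append("FIN and RST together")
    if fin and not ack:
        problems.append("FIN without ACK")
    if value & FLAG_MASK == FLAG_MASK:
        problems.append("all six flags set")
    return problems


def describe_event(value: int) -> str:
    """One-line summary suitable for an analyst's notes, e.g. for value 21."""
    names = "+".join(decode_flags(value)) or "none"
    why = "; ".join(flag_anomalies(value)) or "no anomaly by these rules"
    return f"flags=0x{value:02x} ({names}): {why}"


if __name__ == "__main__":
    print(describe_event(21))  # the value reported in the post
```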