TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

ALL
You can throttle RealSecure in many ways. One being you can set various
parameters for many signatures. In the case of SynFlood you can set
Highwater Mark - Being the number of SYN's / Half Open Connections
Packets Per Event - Being the number of Syn Flood packets seen before an
event is triggered and sent to the Console and/or Database.

In addition, as of version 3.2 of RealSecure all Signatures have an ADVANCED
Button that allows you to throttle each signature, meaning you decide how
you want it to propagate an event. These parameters include SRC Address,
SRC Port, DES Address, DES Port. You can also set Flood Protection and only
send one or any number of events that match specific criteria in a
configurable amount of time. These parameters and others will allow you to
protect yourself from overflows.

Very shortly we will be publishing a RealSecure Resource Center off of the
ISS home page with numerous Advanced Utilities, Tips and Tricks, and Tech
Note type papers that help address these and other issues that SE's,
Professional Services and various Customers have developed to enhance
certain features of RealSecure.

Any further questions please let me know.

Mark - I see by your E-Mail address you have gone to NetworkICE. Still
responding to ISS Forum EMail?? Give me a call.

John

-----Original Message-----
From: Mark Teicher [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 07, 2000 4:35 PM
To: ISS Technical Support; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]';
'[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Cc: Droski, Sheila (ISS Texas)
Subject: Re: SYNFLOOD
The simplest trick would be to add an incremental counter for those SYNFlood
attacks that are possibly from the same spoofed address.
The issue within ISS RealSecure is that every event is logged as a unique
event.  Great for recording purposes but bad for event correlation.

/cheers

/m

At 12:28 PM 7/7/00 -0400, ISS Technical Support wrote:

>
>***Note- I am not a member of the forum, but I was asked to post this for
>clarification.
>
>
>         In a SYNFlood attack, the attacker is likely to be using a tool
>capable of spoofing the source address for each SYN packet (since no
>connection is required and it is fairly easy to spoof addresses.)  If the
>attacker used an entire Class A as the source and the detector reported
>every address to the console, the console would quickly become overwhelmed
>and the event buffer would be forced to cycle several times.  The reason
>that we always report the source as 0.0.0.0 is to protect the console from
>being flooded in case of a real attack.  The real IP addresses can still be
>seen if the event is accessed in one of two ways.  First, you can right
>click on the event in the Activity Tree and look in the info field.
>Secondly, you can see the real addresses if the Db is synced and you open
>rsntclientlog.mdb in MSAccess.  Under 'forms' you will find the event
>inspector.  The event inspector will give you a great deal of information on
>all RSevents.  It includes ports, addresses, and MAC addresses.  In the
>bottom of the event inspector, there is a tag section that will show you the
>translated value of decode specific information.  In the case of a SYNFlood,
>the tag is SPOOFEDSRC and the value is the actual address.
>         One other point to note: the thread that was emailed to me stated
>that the 0.0.0.0 made it hard to filter SYNFlood.  SYNFlood (along with a
>few other decodes) is not filterable.  The reason for this is simple-
>performance.  In a real SYNFlood, thousands of packets are going to be
>involved.  If the engine passed all of these up and evaluated them against
>all of the filters, performance on the engine would be affected.  If you
>have any questions about using the Event Inspector, SYNFlood, or any other
>RS questions, feel free to drop us a line.  Our support numbers and email
>address can be found below.  Thanks for using RealSecure.
>
>=================================================================
>John Pierce                             Internet Security Systems, Inc.
>IDS Team Lead                   Phone - (678) 443-6400
>Tech Support                          - 1-888-447-4861
>[EMAIL PROTECTED]                 Fax   - (678) 443-6485
>www.iss.net                             ftp.iss.net
>
>Privacy Statement:  http://www.iss.net/tech/support.php3
>PGP Public Keys:
>http://www.iss.net/customer_care/resource_center/sensitive.php
>
>=================================================================
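Added example, not code from the thread or from ISS: a small Python model of the flood protection John describes (one console event per matching criteria per configurable time window) combined with Mark's incremental counter, reporting the source as 0.0.0.0 while keeping the real spoofed addresses under a SPOOFEDSRC-style tag the way the event inspector does. The event tuples, the grouping key and the 2-second window are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample sensor events: (time in seconds, signature, src, dst, dport).
# The SYN sources are deliberately varied, as a spoofing flood tool would do.
SAMPLE_EVENTS = [
    (0.00, "SYNFlood", "10.0.0.1", "192.0.2.10", 80),
    (0.01, "SYNFlood", "10.0.0.2", "192.0.2.10", 80),
    (0.02, "SYNFlood", "10.0.0.3", "192.0.2.10", 80),
    (0.03, "SYNFlood", "10.0.0.1", "192.0.2.10", 80),
    (0.50, "SYNFlood", "10.0.0.4", "192.0.2.10", 80),
    (1.00, "PortScan", "198.51.100.7", "192.0.2.10", 22),
    (3.00, "SYNFlood", "10.0.0.9", "192.0.2.10", 80),
]

@dataclass
class ConsoleEvent:
    """One event actually forwarded to the console for a throttle window."""
    signature: str
    dst: str
    dport: int
    window_start: float
    count: int = 0                      # raw events folded into this one
    reported_src: str = "0.0.0.0"       # placeholder source, as RealSecure reports it
    tags: dict = field(default_factory=dict)  # real addresses kept here, not on the console

    def add(self, src: str) -> None:
        self.count += 1
        # SPOOFEDSRC mirrors the event-inspector tag name from the thread; we keep
        # the set of distinct sources instead of raising one alert per source.
        self.tags.setdefault("SPOOFEDSRC", set()).add(src)

def throttle(events, window_secs=2.0):
    """Flood protection: at most one console event per (signature, dst, dport)
    per window; further matches only bump the counter and the source set."""
    open_windows = {}
    emitted = []
    for t, sig, src, dst, dport in sorted(events):
        key = (sig, dst, dport)         # SRC is left out of the key: it is spoofed anyway
        cur = open_windows.get(key)
        if cur is not None and t - cur.window_start >= window_secs:
            emitted.append(open_windows.pop(key))   # window expired: send it up
            cur = None
        if cur is None:
            cur = open_windows[key] = ConsoleEvent(sig, dst, dport, t)
        cur.add(src)
    emitted.extend(open_windows.values())  # flush whatever is still open
    return emitted
```

With the sample above, the five SYN events in the first two seconds collapse into one console event carrying count 5 and four distinct spoofed sources; a longer window would fold the later SYN event in as well.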