TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
John,
Yes, I just started with NetworkICE and have promised the many readers of
the list that I will continue to post somewhat realistic or plausible
answers.. :)
I am still as "neutral" as one can be these days..
SYNFLOOD, as John states, is a very interesting attack signature. By suppressing
events, or in the case of Axent NetProwler, one can prevent an overbearing
alert from annoying the admin of the IDS system in place. But true
counting of an event has always been a problem with a majority of the IDS
systems: what is a unique event versus an event happening many, many times?
/mark
>Mark - I see by your E-Mail address you have gone to NetworkICE, Still
>responding to ISS Forum EMail?? Give me a call.
>
>John
>
>-----Original Message-----
>From: Mark Teicher [mailto:[EMAIL PROTECTED]]
>Sent: Friday, July 07, 2000 4:35 PM
>To: ISS Technical Support; '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]';
>'[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
>Cc: Droski, Sheila (ISS Texas)
>Subject: Re: SYNFLOOD
>
>
>
>
>The simplest trick would be to add an incremental counter for those SYNFlood
>attacks that are possibly from the same spoofed address.
>The issue within ISS RealSecure is that every event is logged as a unique
>event. Great for recording purposes but bad for event correlation.
>
>/cheers
>
>/m
>
>At 12:28 PM 7/7/00 -0400, ISS Technical Support wrote:
>
> >
> >***Note- I am not a member of the forum, but I was asked to post this for
> >clarification.
> >
> >
> > In a SYNFlood attack, the attacker is likely to be using a tool
> >capable of spoofing the source address for each SYN packet (since no
> >connection is required and it is fairly easy to spoof addresses). If the
> >attacker used an entire Class A as the source and the detector reported
> >every address to the console, the console would quickly become overwhelmed
> >and the event buffer would be forced to cycle several times. The reason
> >that we always report the source as 0.0.0.0 is to protect the console from
> >being flooded in case of a real attack. The real IP addresses can still be
> >seen if the event is accessed in one of two ways. First, you can right
> >click on the event in the Activity Tree and look in the info field.
> >Secondly, you can see the real addresses if the DB is synced and you open
> >rsntclientlog.mdb in MS Access. Under 'forms' you will find the event
> >inspector. The event inspector will give you a great deal of information on
> >all RS events. It includes ports, addresses, and MAC addresses. In the
> >bottom of the event inspector, there is a tag section that will show you the
> >translated value of decode-specific information. In the case of a SYNFlood,
> >the tag is SPOOFEDSRC and the value is the actual address.
> > One other point to note: the thread that was emailed to me stated
> >that the 0.0.0.0 made it hard to filter SYNFlood. SYNFlood (along with a
> >few other decodes) is not filterable. The reason for this is simple:
> >performance. In a real SYNFlood, thousands of packets are going to be
> >involved. If the engine passed all of these up and evaluated them against
> >all of the filters, performance on the engine would be affected. If you
> >have any questions about using the Event Inspector, SYNFlood, or any other
> >RS questions, feel free to drop us a line. Our support numbers and email
> >address can be found below. Thanks for using RealSecure.
> >
> >=================================================================
> >John Pierce, Internet Security Systems, Inc.
> >IDS Team Lead
> >Phone - (678) 443-6400
> >Tech Support - 1-888-447-4861
> >Fax - (678) 443-6485
> >[EMAIL PROTECTED]
> >www.iss.net ftp.iss.net
> >
> >Privacy Statement: http://www.iss.net/tech/support.php3
> >PGP Public Keys:
> >http://www.iss.net/customer_care/resource_center/sensitive.php
> >
> >=================================================================
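As an added example (not code from the thread, from ISS or from NetworkICE), the following Python collapses per-packet SYNFlood events the way the thread discusses: one incremental counter per flooded target, with the real source read out of a SPOOFEDSRC-style tag so the addresses behind the 0.0.0.0 placeholder are not lost, while only a bounded sample is kept for display. The event dict layout, field names and the flood thresholds are assumptions, not the RealSecure format.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample events modelled on the thread: the console-visible source
# is 0.0.0.0 and the real (spoofed) source is carried in a SPOOFEDSRC tag.
# The dict layout and field names are assumptions, not RealSecure's format.
SAMPLE_EVENTS = [
    {"name": "SYNFlood", "src": "0.0.0.0", "dst": "192.0.2.10", "dport": 80,
     "tags": {"SPOOFEDSRC": f"10.{(i // 256) % 256}.{i % 256}.1"}}
    for i in range(1200)
] + [
    {"name": "SYNFlood", "src": "0.0.0.0", "dst": "192.0.2.20", "dport": 443,
     "tags": {"SPOOFEDSRC": "203.0.113.7"}}
    for _ in range(5)
]

@dataclass
class FloodSummary:
    """One aggregated record per flooded target instead of one per SYN."""
    count: int = 0
    spoofed_sources: set = field(default_factory=set)
    sample_sources: list = field(default_factory=list)

def aggregate_synflood(events, max_samples=5):
    """Collapse per-packet SYNFlood events into one counter per (dst, dport).

    The counter is the 'incremental counter' from the thread; SPOOFEDSRC is
    read so the real addresses are not lost, but only a bounded sample is
    kept for display, which is what keeps the console from being flooded.
    """
    summaries = defaultdict(FloodSummary)
    for ev in events:
        if ev.get("name") != "SYNFlood":
            continue
        s = summaries[(ev["dst"], ev["dport"])]
        s.count += 1
        real_src = ev.get("tags", {}).get("SPOOFEDSRC", ev["src"])
        s.spoofed_sources.add(real_src)
        if len(s.sample_sources) < max_samples:
            s.sample_sources.append(real_src)
    return dict(summaries)

def looks_spoofed_flood(summary, min_count=1000, min_distinct=100):
    """Heuristic with assumed thresholds: many SYNs from many distinct sources."""
    return summary.count >= min_count and len(summary.spoofed_sources) >= min_distinct

if __name__ == "__main__":
    for (dst, dport), s in aggregate_synflood(SAMPLE_EVENTS).items():
        print(f"{dst}:{dport} count={s.count} distinct={len(s.spoofed_sources)} "
              f"flood={looks_spoofed_flood(s)} sample={s.sample_sources}")
```

The second target shows the other side of the correlation problem: five events from one address are a repeat of the same source, not a spoofed flood, and the summary keeps that distinction without emitting 1205 console rows.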