TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

1) Both, inside and outside
2) I don't know how to answer that one. Here's a sample alert:

TFN2000' event detected by the RealSecure sensor.
Details:
        Source Address: 128.9.0.107
        Source Port: DNS (53)
        Source MAC Address: 00:30:94:97:3A:C0
        Destination Address: our.dns.server.address
        Destination Port: DNS (53)
        Destination MAC Address: our.dns.server.mac.address
        Time: Wednesday, August 02, 2000 16:53:47
        Protocol: UDP (17)
        Priority: high
        Actions mask: 0x4c
        Event Specific Information:
                Server Address: our.dns.server.address

I assume the "Action mask" tells me what the DNS action was, but I don't know how to 
interpret it. 

>>> "Anderson, Mark H." <[EMAIL PROTECTED]> 08/02/00 03:12PM >>>

Just out of curiosity...is this all internal traffic that you're seeing...or
are you seeing any inbound and/or outbound traffic?  Also is the DNS traffic
that you're seeing - is it largely related to DNS XFERs?

-----Original Message-----
From: Joe Blow [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 02, 2000 2:51 PM
To: Anderson, Mark H.
Subject: RE: RealSecure v5.0 and False Positives


I'm seeing DNS traffic too.  I wish there existed the capability to tweak
the attack signatures.  This is creating my work for everyone.

------Original Message------
From: "Anderson, Mark H." <[EMAIL PROTECTED]>
To: 'Joe Blow' <[EMAIL PROTECTED]>
Sent: August 2, 2000 6:27:18 PM GMT
Subject: RE: RealSecure v5.0 and False Positives


I have not seen this relating to realaudio, but I am definitely seeing a lot of
TFN2K events related to UDP port 53 traffic.  I'm in the info gathering mode
right now and will send some of my event logs (IP scrubbed of course) to ISS
soon and see what they say about the probability of false positives.


Mark

-----Original Message-----
From: Joe Blow [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 02, 2000 1:45 PM
To: [EMAIL PROTECTED] 
Subject: RealSecure v5.0 and False Positives



Recently I have implemented the new version of RealSecure and have noticed
that all of our realaudio traffic along with anything else that generates a
lot of noisy udp traffic is generating TFN2000 events.  Is anyone else
noticing this?

Sincerely,
Scott

