>If we hook up Real Secure to one output (D) of the Tap, we can 
>only monitor the inbound traffic. Since Real Secure only sees 
>packets going into the network certain attacks can't be 
>detected. I know of the following three attacks:
>unanswered ARPs, IPduplicate and Synflood.

Actually, it's only ARP and IPduplicate.

SYNFlood can still be detected, but will have a slight false positive
problem if someone repeatedly touches some port that is not open on one of
your boxes.  This is because the sensor won't see the RESET packet that
comes back off the port, so it won't know not to count that SYN in its
totals.

The false positives will be easy to see because they will only occur
occasionally, one at a time.  Whenever you have a real SYNflood on your
hands, you will get REPEATED reports on a regular basis, like one every 15
seconds (depending on the rate of attack and the way you have your engine
tuned).

=====================================
Tim Farley
X-Force Researcher
Internet Security Systems

[EMAIL PROTECTED]
(678) 443-6000 / Direct Dial (678) 443-6189 / fax (678) 443-6498
http://www.iss.net

Internet Security Systems - The Power to Protect
=====================================
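
The behaviour described in the reply above, as an added example that is not part of the original message and is not RealSecure's own algorithm: a toy SYN counter run once with both tap legs and once inbound-only, followed by the "isolated versus repeated reports" triage. The window, threshold, run length, addresses and traffic are all constructed assumptions.

```python
from collections import Counter

WINDOW = 15     # seconds per report interval (assumed, after "one every 15 seconds")
THRESHOLD = 20  # unanswered SYNs per window that raise a report (assumed)
MIN_RUN = 3     # consecutive reporting windows treated as a real flood (assumed)

def syn_reports(packets, sees_outbound):
    """Return the window indexes in which unanswered SYNs reach THRESHOLD.

    packets: (time, direction, flag, flow), flow = (client, cport, server, sport).
    An outbound RST cancels the SYN it answers, but only when the sensor's
    tap leg carries outbound traffic.
    """
    pending = {}  # flow -> window index of its still-unanswered SYN
    for t, direction, flag, flow in sorted(packets):
        if direction == "in" and flag == "SYN":
            pending[flow] = int(t // WINDOW)
        elif direction == "out" and flag == "RST" and sees_outbound:
            pending.pop(flow, None)  # closed port answered: do not count it
    counts = Counter(pending.values())
    return sorted(w for w, n in counts.items() if n >= THRESHOLD)

def triage(report_windows):
    """Group reports into runs of consecutive windows and label each run."""
    runs = []
    for w in report_windows:
        if runs and w == runs[-1][-1] + 1:
            runs[-1].append(w)
        else:
            runs.append([w])
    return [("sustained" if len(r) >= MIN_RUN else "isolated", r[0] * WINDOW, len(r))
            for r in runs]

def sample_traffic():
    """Constructed traffic: a burst at a closed port, then a 60 s SYN flood."""
    pkts = []
    for i in range(25):    # closed port 8080: every SYN is answered by a RST
        flow = ("192.0.2.10", 40000 + i, "10.0.0.5", 8080)
        pkts += [(100 + i * 0.04, "in", "SYN", flow),
                 (100.001 + i * 0.04, "out", "RST", flow)]
    for i in range(2400):  # open port 80: 40 SYN/s, no RST ever comes back
        flow = ("198.51.100.%d" % (i % 250 + 1), 1024 + i, "10.0.0.5", 80)
        pkts.append((300 + i / 40, "in", "SYN", flow))
    return pkts

if __name__ == "__main__":
    for both_legs in (True, False):
        reports = syn_reports(sample_traffic(), sees_outbound=both_legs)
        print("sees outbound:", both_legs, triage(reports))
```

With only the inbound leg, the closed-port burst produces one extra isolated report, while the flood shows up as the same run of consecutive reports in both configurations.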

