TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
The response back from the web svr happened to hit the client on his port of
12754. So anytime it sees this port Mstream_Master flags.
------Original Message------
From: "Lindley, Jim (ISSAtlanta)" <[EMAIL PROTECTED]>
To: 'Joe Blow' <[EMAIL PROTECTED]>
Sent: August 4, 2000 12:18:31 PM GMT
Subject: RE: RealSecure v5.0 and False Positives
J.B.:
"just some user accessing one of my web servers" where the "destination port
happened to be 12754"? Just what service are you running on your web server
that uses port 12754?
Now if the SOURCE port had "happened to be 12754", that might be reasonable.
But the DESTINATION port identifies the location of the running service. So
once again, just what WEB SERVICE is running on port 12754?
James R Lindley
Anomaly Detection Xpert
X-Force Surveillance and Response Unit
Managed Security Services
Internet Security Systems Inc
Vox: 678-443-6323
Fax: 678-443-6482
An unquenchable thirst for Pierian Waters.
Internet Security Systems - The Power To Protect.
-----Original Message-----
From: Joe Blow [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 03, 2000 3:58 PM
To: Neil Long; Jared Tabb; [EMAIL PROTECTED]
Subject: Re: RealSecure v5.0 and False Positives
I just had a Mstream_Master pop up on my console so I was a little concerned
when I saw it. After looking at the event info it was just some user
accessing one of my web servers. The destination port happened to be 12754
(port 12754 is used for mstream).
Is port 12754 all this attack signature looks for?
-Joe
------Original Message------
From: "Neil Long" <[EMAIL PROTECTED]>
To: Jared Tabb <[EMAIL PROTECTED]>, Joe Blow <[EMAIL PROTECTED]>,
[EMAIL PROTECTED]
Sent: August 3, 2000 10:19:17 AM GMT
Subject: Re: RealSecure v5.0 and False Positives
Just to confirm a similar blizzard of false TFN2000 alerts - again a
mix of genuine DNS udp requests and audio/video streams (bbc.co.uk does
it here).
How does anyone get hold of the Xpress Updates if the management
console is on a non-routable network (i.e. secure out of band)?
If I use a non-master console which I could temporarily connect to
a routable feed then the Xpress_Updates option disappears off the sensor
menu.
Is the MicroUpdate 1.1 for v5.0 available other than via the console
app?
Thanks
Neil
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dr Neil J Long, Computing Services, University of Oxford
13 Banbury Road, Oxford, OX2 6NN, UK Tel:+44 1865 273232 Fax:+44 1865 273275
EMail: [EMAIL PROTECTED]
PGP: ID 0xE88EF71F OxCERT: [EMAIL PROTECTED] PGP: ID 0x4B11561D
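
The source-versus-destination port distinction argued in this thread, as an added example (not RealSecure's signature logic and not code from any poster): it classifies each conversation touching port 12754 by which end opened it, so a web reply landing on a client's ephemeral port is separated from traffic addressed to a listener on that port. The packet tuple format, the addresses and the `known_services` set are constructed assumptions.

```python
from collections import namedtuple

# Constructed packet summary; the field names are assumptions for this example.
Pkt = namedtuple("Pkt", "src sport dst dport")

WATCHED_PORT = 12754  # the port discussed in the thread

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Pkt("10.0.0.5", 12754, "192.0.2.10", 80),      # client request to web server
    Pkt("192.0.2.10", 80, "10.0.0.5", 12754),      # server reply to the same client
    Pkt("192.0.2.10", 80, "10.0.0.9", 12754),      # reply only: capture began mid-flow
    Pkt("198.51.100.7", 40000, "192.0.2.20", 12754),  # something listening on 12754
]


def classify_hits(packets, watched=WATCHED_PORT, known_services=frozenset({53, 80, 443})):
    """Classify each conversation touching `watched` by which end opened it.

    The first packet seen in a conversation is taken as the opener: its
    destination port is the service, its source port the ephemeral client port.
    """
    openers = {}
    for p in packets:
        if watched in (p.sport, p.dport):
            key = frozenset([(p.src, p.sport), (p.dst, p.dport)])
            openers.setdefault(key, p)  # keep only the first packet per conversation

    verdicts = []
    for o in openers.values():
        if o.dport != watched:
            # Watched port was the opener's source port: ordinary client traffic.
            verdicts.append(("ephemeral", o.src, o.dport))
        elif o.sport in known_services:
            # First packet seen came from a known service port, so this is a
            # reply leg and the watched port is still the client's ephemeral port.
            verdicts.append(("ephemeral-reply", o.dst, o.sport))
        else:
            # Traffic addressed to the watched port from an arbitrary port:
            # the destination host may be running a service there.
            verdicts.append(("service", o.dst, watched))
    return sorted(verdicts)


if __name__ == "__main__":
    for verdict in classify_hits(SAMPLE):
        print(verdict)
```

Only the "service" verdicts name a host worth checking for a listener on the watched port; the two "ephemeral" verdicts correspond to the web-reply case described in the first message.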