RE: Fate Research Labs posting: RealSecure or Real"un"Secure

Tue, 07 Nov 2000 07:21:20 -0800 

User defined signatures is a tab in the RealSecure Network Sensor Policy.  I
have attached the picture.  Please check the links below for the specific
regular expression we defined for each of the exploit alerts questioned in
the Fate Research posting.  Our documentation tells you how to use user
defined signatures.  A formal response is being sent to BugTraq and will be
posted on ISS Forum shortly.

Audra


-----Original Message-----
From: John L. Driggers [mailto:[EMAIL PROTECTED]]
Sent: Monday, November 06, 2000 6:31 PM
To: Eng, Audra; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Fate Research Labs posting: RealSecure or Real"un"Secure 


Audra -
         Please clarify your statement #1.  I am not aware of my ability to 
create a "signature" - I can create a custom filter that allows me to 
listen for a connection on a specific port to a destination.
         To the best of my knowledge, I can not, for example, have RS 
identify  a connection on port 25 that sends more than 255 characters after 
the "user" command is issued.

Please correct me if I'm mistaken -
         jld


At 03:35 PM 11/6/00 -0500, Eng, Audra wrote:

>TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
>[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any
problems!
>---------------------------------------------------------------------------
-
>
>We are getting ready to craft a response to this.  The Fate Research
>advisory is incorrect and there is no vulnerability described.
>
>1.  We do support user-defined signatures in RS
>
>2.  We released alerts for RDS and IIS Unicode
>
>User-defined signature for RDS hole, August 9, 1999:
>http://xforce.iss.net/alerts/advise32.php
>
>User-defined signature for Unicode hold, October 26, 2000:
>http://xforce.iss.net/alerts/advise68.php
>
>3.  The advisory describes a method for 'script kiddies' to detect
>RealSecure on port 2998.  When RS is in stealth mode, this is not possible
>
>4.  X-Force was not contacted to my knowledge about this vulnerability
>before it hit bugtraq.
>
>Audra Eng
>
>
>-----Original Message-----
>From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
>Sent: Monday, November 06, 2000 8:12 AM
>To: [EMAIL PROTECTED]
>Cc: [EMAIL PROTECTED]
>Subject: Fate Research Labs posting: RealSecure or Real"un"Secure
>
>
>
>TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
>[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any
>problems!
>---------------------------------------------------------------------------
-
>
>http://www.f8labs.com>/f8-103100-realsecure.txt  Has anyone from ISS
>responded to this??

realsecure.bmp

Reply via email to