TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

I'm not exactly clear on what you're discussing here, but I will take a stab
at it.

It seems like you're referring to the console's display of certain
repetitive - high volume - attacks such as a port_scan, Synflood, ping
flood, smurf, etc., correct?

Well the RS software will not report every instance of this to the console.
Why?  Let's say someone hits your network with 100,000 pingfloods.  Now, in
order to report that to the console, the RS sensor must send 100,000
notices.  So in effect, the pingflood effect is much worsened by the RS
sensor flooding the network as well with its communication.

The RS sensor has a timeout value of, I think, 6 minutes, on displaying a
continuous attack as such.  However, these instances are all logged to the
DB.  Also take note of what you can manually configure in the Advanced
properties for many RS signatures.

It makes sense to have such flood protection for just such an occasion.

When you're hit with something like this, use the console for a "heads up"
and the DB for your forensics.

-Brian

----- Original Message -----
From: "[EMAIL PROTECTED]" <[EMAIL PROTECTED]>
To: "Issforum@Iss. Net" <[EMAIL PROTECTED]>
Sent: Wednesday, February 07, 2001 5:50 PM
Subject: RS console 5.5 loose display ?:!




hi all

We've just installed an RS Console 5.5 and one RS Network Sensor 5.0.1 and we
seem to have a problem.

Sensor and console look good, but when we do some testing like portscan,
ping scan, smurf ... the console displays only one event even when we do this
testing heavily. We think the console only displays the event when the src and
dst addresses are different from the previous event.

Does RS console 5.5 lose traffic, or have a new undocumented feature
filtering the display ???

All software is on NT4 SP6.0a US.
Sensor is in stealth mode with one of its NICs connected to a LAN where there
is a console.

Monitored Network
|
|---RS NetWork-----
| |   RS Console
|   | |
     ====================


anyone got this already ?
any solution ???

Thks in advance !
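
The console suppression discussed in this thread, sketched as an added example (not RealSecure code and not written by either poster): every event is logged, but the console is notified only once per key per window. The key of (signature, source, destination) and the 360-second window are assumptions taken from the posters' own guesses, and the events are constructed sample data.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts signature src dst")

WINDOW = 6 * 60  # seconds; the reply's recalled timeout, used here as an assumption


class Coalescer:
    """Log every event, but notify the console once per key per window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.last_notified = {}  # key -> timestamp of the last console notice
        self.suppressed = {}     # key -> events hidden since that notice
        self.db = []             # full record, kept for forensics
        self.console = []        # (event, count suppressed before it)

    def handle(self, ev):
        self.db.append(ev)       # nothing is ever dropped from the log
        key = (ev.signature, ev.src, ev.dst)  # assumed grouping key
        last = self.last_notified.get(key)
        if last is not None and ev.ts - last < self.window:
            self.suppressed[key] = self.suppressed.get(key, 0) + 1
            return False
        # First sighting, or window expired: notify and report what was hidden.
        self.console.append((ev, self.suppressed.pop(key, 0)))
        self.last_notified[key] = ev.ts
        return True


def constructed_flood():
    """Constructed sample: 1000 ping-flood events in 500 s, one port scan,
    and one more flood event after the window has expired."""
    evs = [Event(t * 0.5, "ping_flood", "192.0.2.10", "198.51.100.5")
           for t in range(1000)]
    evs.append(Event(120.0, "port_scan", "192.0.2.77", "198.51.100.5"))
    evs.append(Event(900.0, "ping_flood", "192.0.2.10", "198.51.100.5"))
    return sorted(evs, key=lambda e: e.ts)


def run():
    c = Coalescer()
    for ev in constructed_flood():
        c.handle(ev)
    return c


if __name__ == "__main__":
    c = run()
    print(f"logged to DB: {len(c.db)}, console notices: {len(c.console)}")
    for ev, hidden in c.console:
        print(f"{ev.ts:7.1f}s {ev.signature} {ev.src} -> {ev.dst} (+{hidden} suppressed)")
```

Carrying the suppressed count on the next notice lets the console view show the scale of a flood without one message per packet, while the full log remains the source for forensics.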






