TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

The RealSecure kill is just a pair of TCP RSTs sent to both parties to the
TCP session.  I fail to see how this can bring down an innocent server.

Brian Laing raises a good point in that you can uncheck the "tag RealSecure
kills" button in your responses.  In such cases, the party on the other end
would get a message like "the connection has been reset"...not much more.

Another option involving RealSecure would be to use its ability to
reconfigure a Check Point Firewall-1.

Cheers,

Brian

-----Original Message-----
From: Paul Van Gurp [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 24, 2001 3:40 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]
Subject: RE: to RealSecure_Kill or Not




I am personally against these types of counterattacks, because often the IP
address is spoofed.  Unless you know you are hitting the attacker, you could
bring down an innocent server which will cause headaches, or worse could
involve legal action.

It could also really tick off the hacker, which may make them seek
revenge...

Good luck.

Paul

> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, April 23, 2001 1:17 PM
> To:   [EMAIL PROTECTED]
> Subject:      to RealSecure_Kill or Not
> 
> 
> 
> Is it a good thing to use RealSecure_Kill, or is it just letting the bad
> guys know the IDS I am running without any value?
> 
> I would be interested in knowing the conditions under which companies are
> triggering RealSecure_Kill.  We have what I consider an aggressive stance.
> If the attack is ranked high and it is against a service or OS we run I
> kill it.  After an extensive set of HTTP_HEAD alerts recording someone
> attempting various HTTP and cgi attacks I am considering
> RealSecure_Killing all HTTP_HEAD attempts.  I am concerned it would be a
> "feel good" act that would tell more to the bad guy than I would deny
> them?
> 
> 


