RE: to RealSecure_Kill or Not

Thu, 26 Apr 2001 18:40:19 -0700 


TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

What is meant by "You must replace/merge with each sensor" (or wording very close to 
this) when you uncheck the kill tag option?

Thanks
George Lewis

>>> "Laing, Brian (ISS Reading)" <[EMAIL PROTECTED]> 04/24/01 04:00PM >>>

TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

When using the realsecure make sure to untick the box that says tag
realsecure kills in the sensor properties.  If you do this the kill will
look like a standard reset rather than initiated by realsecure.

brian


-------------------------------------------------------------------
Brian Laing
Product Manager - Intrusion Detection Technologies
Internet Security Systems
UK Cellphone: +44 (0)771 264 5559
US Cellphone: +1     404 391 0589
UK Telephone: +44 (0)199 253 5918
US Telephone: +1     404 236 2709
US eFax:             208.575.1374
Internet Security Systems -- The Power to Protect

http://www.iss.net 
-------------------------------------------------------------------

 -----Original Message-----
From:   [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
Sent:   Monday, April 23, 2001 6:17 PM
To:     [EMAIL PROTECTED] 
Subject:        to RealSecure_Kill or Not


TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any
problems!
----------------------------------------------------------------------------

Is it a good thing to use RealSecure_Kill, or is it just letting the bad
guys know the IDS I am running without any value.

I would be interested in knowing the conditions under which compainies are
triggering RealSecure_Kill.  We have what I consider an aggressive stance.
If the attack is ranked high and it is against a service or OS we run I kill
it.  After an extensive set of HTTP_HEAD alerts recording someone attempting
various HTTP and cgi attacks I am considering RealSecure_Killing all
HTTP_HEAD attempts.  I am concerned it would be a "feel good" act that would
tell more to the bad guy then I would deny them?

----------------------------------------------------------------
Get your free email from AltaVista at http://altavista.iname.com

Reply via email to