TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Paul,
In my experience with 5.0, there were a lot of false positives
coming across for TFN2K. I believe the latest patch fixes this error. If
you would really like to know what is causing this scenario...throw Snort or
tcpdump on there and snag some packets. My experience was that they were
just simple ICMP pings. Just make sure to download all of the X-Press
Updates and that should fix a lot of problems.
> -----Original Message-----
> From: Paul Van Gurp [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, July 10, 2001 8:33 AM
> To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
> Subject: TFN2K
>
> Hi all.
>
> I have RealSecure 5.0 and I'm pretty new to the IDS field and was wondering
> if the TFN2K has any false positives. The documentation describes the
> attack and lists there are no false positives. Does that mean if I see it,
> I "almost" definitely have a "zombie" on my network? Are there tools to
> check a system to see if a zombie exists or do I have to do a manual search
> on the device?? What about a DNS server...with the UDP traffic going to and
> coming from this device, could it be mistaken for a UDP attack from a TFN2K
> zombie, thus triggering the signature in the RealSecure database?
>
> Sorry if my questions seem basic, but this is all new to me.....
>
> Thanks,
>
> Paul
>