TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

RealSecure 5.0 with no updates applied will false positive TFN2k on DNS
traffic (port 53).  Upgrading to Service Release 1.1 should reduce or
eliminate the TFN2k false positives.

Cheers,

Brian Fitch, IDS Named Accounts Engineer
Internet Security Systems, Inc.


-----Original Message-----
From: Paul Van Gurp [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 10, 2001 8:33 AM
To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
Subject: TFN2K



Hi all.

I have RealSecure 5.0 and I'm pretty new to the IDS field and was wondering
if the TFN2K has any false positives.  The documentation describes the
attack and lists there are no false positives.  Does that mean if I see it,
I "almost" definitely have a "zombie" on my network?  Are there tools to
check a system to see if a zombie exists or do I have to do a manual search
on the device??  What about a DNS server...with the UDP traffic going to and
coming from this device, could it be mistaken for a UDP attack from a TFN2K
zombie, thus triggering the signature in the RealSecure database?

Sorry if my questions seem basic, but this is all new to me.....

Thanks,

Paul


