TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hello,
I have seen this same behaviour and have called into ISS Technical
support regarding this matter. I have seen this with both Nortel
Contivity VPNs and CheckPoint SecureRemote VPN happening over a segment
that has a RealSecure Network Sensor (versions 5.0 & 6.0). The only
workaround I have seen is to disable the check, or at least the
alerting. There is no way to filter this event according to the
following article from the ISS Knowledgebase:

Why don't filters work for some RealSecure events?

Question
Attempts to filter certain RealSecure events have no effect.

This information applies to:
RealSecure Network Sensor 3.2.x and higher

Fix version:
N/A

Related Articles:
001222-0008

Knowledgebase Article
There are some RealSecure events which are not affected by User
Defined Filters in the RealSecure product. There are two main reasons
for this:

1) Some RealSecure decodes (such as the IP level checks and UDP Bomb)
take place so early in packet parsing that not enough of the packet has
been discovered to reliably apply a filter.

2) Performance consideration. A real SYNFlood and PingFlood can often
result in a huge packet load for the network sensor. Bypassing the
filtering sub-routines allows RealSecure to more reliably report the
events without dropping packets.

Below you will find a list of Non-Filterable Events in RealSecure.

IP Level:
    IPProtocolViolation
    IPFrag
    IPUnknownProtocol
    SourceRoute
    PingOfDeath
    TearDrop

TCP Level:
    SYNFlood

UDP Level:
    UDPBomb

ICMP Level:
    PingFlood

I hope that this helps!
Ryan Krukoski
VP Technical & Security Solutions
Net Cyclops Inc.
"Your eye on Network Security"
27-2150 Winston Park Drive
Oakville, ON Canada L6H 5V1
Tel: (905) 829-5579
Pager: (416) 753-1439
Text Messaging: [EMAIL PROTECTED]
Cell: (416) 888-1520
Fax: (905) 829-0017
Email: [EMAIL PROTECTED]
Web: www.netcyclops.com
-----Original Message-----
From: Cecoban S.A. de C.V. Oswaldo Espinosa Cuervo
[mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 27, 2001 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: Filter for IpUnknownProtocol
Hi all.
I don't know how to put a filter in RealSecure for IPUnknownProtocol,
the protocol I want to filter is Protocol 50 (ESP).
Thanks in advance.
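
Added example (not part of the thread and not ISS code): since the sensor cannot filter IPUnknownProtocol itself, the sketch below triages packets that raised the event downstream, suppressing only protocol 50 (ESP) traffic that involves a known VPN gateway and leaving everything else for review. The gateway addresses, function names and sample headers are assumptions constructed for illustration.

```python
import ipaddress
import struct

ESP = 50  # IP protocol number for ESP, the protocol named in the thread

# Assumed VPN gateway addresses (documentation ranges, constructed for the example).
VPN_GATEWAYS = [ipaddress.ip_network("192.0.2.10/32"),
                ipaddress.ip_network("198.51.100.0/28")]


def parse_ipv4_header(packet: bytes):
    """Return (protocol, src, dst) from a raw IPv4 packet, or None if unusable."""
    if len(packet) < 20:
        return None                      # shorter than the minimum IPv4 header
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < ihl:
        return None                      # wrong version or inconsistent lengths
    return proto, ipaddress.ip_address(src), ipaddress.ip_address(dst)


def is_gateway(addr) -> bool:
    """True if the address belongs to one of the assumed VPN gateways."""
    return any(addr in net for net in VPN_GATEWAYS)


def triage(packet: bytes) -> str:
    """Classify a packet that raised IPUnknownProtocol on the sensor."""
    parsed = parse_ipv4_header(packet)
    if parsed is None:
        return "review: malformed header"
    proto, src, dst = parsed
    if proto == ESP and (is_gateway(src) or is_gateway(dst)):
        return "suppress: ESP to/from known VPN gateway"
    if proto == ESP:
        return "review: ESP outside known VPN gateways"
    return f"review: protocol {proto}"


def build_header(proto: int, src: str, dst: str) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)
```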