TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hi all,
Don't forget that there is a level of fine tuning available for RealSecure
signatures that may provide assistance in cases like this. In the case of
the SYNflood signature you can tune both the number of SYNs and the
relevant time period that triggers this event. The downside with this tuning is
that you may tune out positives... Has anyone collected any data regarding
SYNfloods that may provide a better indication as to appropriate values for
this signature?
Another possibility is to recognise traffic flows that are normal within
your environment and filter them out completely. For example, your mail server often
triggers the SYNflood signature, so you simply filter out any SMTP
connections originating from your mail server. The downside with this solution
is that you blind all signatures from seeing SMTP traffic leaving your mail
server.
What would be really nice would be the ability to register filters (or
exceptions - choose your favourite terminology) per signature. High
overhead (possibly?), but at least you wouldn't blind the rest of the system.
Just a few thoughts...
-Cameron
Cameron Humphries
Enterprise IT Security Engineer
iSecure Pty Ltd
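The two tuning knobs and the two filtering strategies above, as an added example that is not part of the original post and not RealSecure's own code. It assumes a simplified SYN-flood heuristic (count SYNs per source host in a sliding time window, alert when the count reaches a threshold), a hypothetical second "watchlist" signature that fires on any SYN to a listed destination, and constructed sample traffic; none of those details come from the thread.

```python
"""Sliding-window SYN-flood heuristic with global vs per-signature filtering.

Added example; not RealSecure code. Assumptions (not from the thread):
- each record is one observed SYN: (timestamp_ms, src_ip, dst_ip, dst_port)
- the SYN flood heuristic counts SYNs per *source* host in a sliding window
- a hypothetical "watchlist" signature fires on any SYN to a listed dst_ip
"""
from collections import defaultdict, deque

# Constructed sample traffic (not captured data). Timestamps in milliseconds.
MAIL_SERVER = "10.0.0.25"
SAMPLE_SYNS = (
    # mail server opening outbound SMTP sessions in a burst: legitimate but noisy
    [(i * 50, MAIL_SERVER, f"198.51.100.{10 + i}", 25) for i in range(12)]
    # the same mail server delivering to a watchlisted destination
    + [(700, MAIL_SERVER, "203.0.113.99", 25)]
    # an unrelated host emitting 12 SYNs to one web server in under half a second
    + [(5000 + i * 40, "192.0.2.7", "10.0.0.80", 80) for i in range(12)]
)
WATCHLIST = {"203.0.113.99"}  # hypothetical watchlist signature data


def syn_flood_alerts(events, syn_threshold, window_ms, exceptions=()):
    """Return [(timestamp_ms, src_ip)] alerts from the SYN flood heuristic.

    syn_threshold / window_ms are the two tunables from the thread.
    exceptions: (src_ip, dst_port) pairs that *this signature alone* ignores.
    After an alert the source's window is cleared so one burst yields one alert.
    """
    exempt = set(exceptions)
    windows = defaultdict(deque)  # src_ip -> timestamps of recent SYNs
    alerts = []
    for ts, src, dst, port in events:
        if (src, port) in exempt:
            continue  # per-signature exception: other signatures still see it
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] > window_ms:
            q.popleft()  # drop SYNs that fell out of the sliding window
        if len(q) >= syn_threshold:
            alerts.append((ts, src))
            q.clear()
    return alerts


def watchlist_alerts(events, watchlist):
    """Hypothetical second signature: any SYN toward a watchlisted address."""
    return [(ts, src, dst) for ts, src, dst, port in events if dst in watchlist]


def global_filter(events, src_ip, dst_port):
    """Drop matching records before *any* signature sees them (the blinding option)."""
    return [e for e in events if not (e[1] == src_ip and e[3] == dst_port)]


def run_global_filter(threshold=10, window_ms=1000):
    """Filter all SMTP from the mail server; returns (syn alerts, watchlist alerts)."""
    filtered = global_filter(SAMPLE_SYNS, MAIL_SERVER, 25)
    return (syn_flood_alerts(filtered, threshold, window_ms),
            watchlist_alerts(filtered, WATCHLIST))


def run_per_signature_exception(threshold=10, window_ms=1000):
    """Exempt the mail server only inside the SYN flood signature."""
    return (syn_flood_alerts(SAMPLE_SYNS, threshold, window_ms,
                             exceptions=[(MAIL_SERVER, 25)]),
            watchlist_alerts(SAMPLE_SYNS, WATCHLIST))


if __name__ == "__main__":
    print("no filtering:   ", syn_flood_alerts(SAMPLE_SYNS, 10, 1000))
    print("global filter:  ", run_global_filter())
    print("per-signature:  ", run_per_signature_exception())
    print("threshold 20:   ", syn_flood_alerts(SAMPLE_SYNS, 20, 1000))
```

With no filtering both the mail server burst and the web-server burst alert. The global filter silences the mail server but also hides its SYN to the watchlisted address from the second signature; the per-signature exception silences only the SYN flood alert and leaves the watchlist hit visible. Raising the threshold to 20 removes every alert in this sample, including the one against the web server, which is the "tune out positives" trade-off.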
-----Original Message-----
From: Bartholomew, Brian J
To: '[EMAIL PROTECTED]'
Sent: 7/19/2001 10:20 PM
Subject: Spoofed IP Address
Neil,
In my experience, SYNfloods are one of the worst false positives
known to man. This is one signature that I have had to turn off on many
occasions because it doesn't work. Even with the xpress updates installed,
we still have always received these alerts. Check with ISS to be sure, but
I am almost certain that this is an admitted (by ISS) false positive with no
known resolution. Hope this helps.
Brian J. Bartholomew
U.S. Dept of State, Bureau of Diplomatic Security
Computer Incident Response Team
(202)663-2304