TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
The RSKill is TCP resets designed to sever a TCP session. If you put a
sniffer on the wire, I'm sure you'll see the RST packets being sent; however,
the Nimda worm is such a small session that it is over before the TCP RSTs
can be sent.

Brian Fitch
ISS IDS Named Accounts Engineer

-----Original Message-----
From: Anderson, Mike [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 19, 2001 4:38 PM
To: '[EMAIL PROTECTED]'; ISS Technical Support
Subject: HTTP_Windows_Executable and HTTP_IIS_Unicode_Translation
Hello,
We have a network sensor with the RSKILL response set to
HTTP_Windows_Executable and HTTP_IIS_Unicode_Translation, to aid in
protecting from the new Nimda worm. However, our web site admin notifies me
that his logs show those connections actually getting through. The RS
console logs these SPECIFIC events as being killed. Any help/ideas?
Thanks.
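
Added example, not part of either message: one way to check the mismatch described in this thread is to join the sensor's RSKILL events against the web server's own log and list the "killed" requests that the server still logged. The IIS log lines are constructed, the sensor CSV layout is hypothetical (not the console's real export format), and both clocks are assumed to be in the same time zone.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed IIS W3C extended log (field order declared by the #Fields line).
IIS_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-19 20:31:02 192.0.2.10 GET /constructed/cmd.exe 404
2001-09-19 20:31:07 192.0.2.44 GET /index.html 200
2001-09-19 20:33:40 192.0.2.77 GET /constructed/cmd.exe 200
"""

# Constructed sensor export; this CSV layout is hypothetical, not the console's real format.
SENSOR_EVENTS = """time,src_ip,signature,response
2001-09-19 20:31:02,192.0.2.10,HTTP_Windows_Executable,RSKILL
2001-09-19 20:33:41,192.0.2.77,HTTP_IIS_Unicode_Translation,RSKILL
2001-09-19 20:35:00,192.0.2.99,HTTP_Windows_Executable,RSKILL
"""

def parse_iis(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names, plus a 'ts' datetime."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows

def kills_that_lost_race(iis_text, sensor_text, window_s=2):
    """Return (src_ip, signature, sc-status) for each RSKILL event whose request the server still logged."""
    web = parse_iis(iis_text)
    window = timedelta(seconds=window_s)
    hits = []
    for ev in csv.DictReader(StringIO(sensor_text)):
        if ev["response"] != "RSKILL":
            continue
        ev_ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
        for row in web:
            # A logged request from the same client near the event time means the reset arrived too late.
            if row["c-ip"] == ev["src_ip"] and abs(row["ts"] - ev_ts) <= window:
                hits.append((ev["src_ip"], ev["signature"], int(row["sc-status"])))
    return hits

if __name__ == "__main__":
    for ip, sig, status in kills_that_lost_race(IIS_LOG, SENSOR_EVENTS):
        print(f"{ip} {sig}: request reached the server, status {status}")
```

An entry with status 200 is the one to follow up on the host itself, since the server both received and served the request despite the logged kill.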