To all
I have a couple of questions about the Stream Dos signature in RealSecure 6.0.
I have looked at the threshold parameters for this signature and find that by
default they are as follows:

Ack Threshold              3000
Ack Threshold Description  Number of Ack Packets within Delta to trigger event
Delta                      5
Delta Description          Time delta. This should be a small value in order to
                           mitigate false positives
Poolsize                   245
Poolsize Description       Memory pool size for this decode in kilobytes.
                           Setting this too high can cause your engine to crash.
What is the unit of Delta? Is it seconds or minutes? Is the above set to 5
seconds or 5 minutes?
Secondly, here is a copy of a StreamDos event captured by one of our network
sensors:
Alert Type suspicious TCP
AlertPriority 1
AlertID NVAC4BGKT8SDB6FL8VSVEVLJUY
Source IPAddress Name xx.xx.xx.xx
Destination IPAddress Name yy.yy.yy.yy
Source Ethernet Address aa:aa:aa:aa:aa:aa
Destination Ethernet Address bb:bb:bb:bb:bb:bb
Source Port 2965
Source Port Name 2965
Destination Port 139
Destination Port Name Netbios-ssn
Protocol Id TCP(6)
Client Raw Data
Server idle 556 seconds
What does the Server idle of 556 seconds mean?
Thanks
Dan Wangler, GIAC Certified Intrusion Analyst
IT Security Response Team, Texas Instruments, Inc.
Spring Creek Bldg 1, C196,
6500 Chase Oaks, Blvd, MS 8417, Plano, Texas, 85023
Tel #: 214-567-8304; Email: [EMAIL PROTECTED]
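The interplay between Ack Threshold and Delta that the post asks about, as an added illustration (not RealSecure code and not the poster's): a sliding-window ACK counter using the post's defaults, assuming Delta is in seconds, which the post leaves open, and replayed over constructed packet timestamps.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AckPacket:
    ts: float   # capture time in seconds (constructed sample data below)
    src: str
    dst: str


class StreamDosCounter:
    """Sliding-window model of 'Number of Ack Packets within Delta to trigger event'.

    Defaults mirror the post. Delta is treated as seconds here, which is an
    assumption: the post asks whether the unit is seconds or minutes.
    """

    def __init__(self, ack_threshold: int = 3000, delta: float = 5.0) -> None:
        self.ack_threshold = ack_threshold
        self.delta = delta
        self._windows: dict[tuple[str, str], deque] = {}  # ACK timestamps per src->dst pair

    def observe(self, pkt: AckPacket):
        """Record one ACK; return an event dict when the window reaches the threshold."""
        win = self._windows.setdefault((pkt.src, pkt.dst), deque())
        win.append(pkt.ts)
        # Drop ACKs older than Delta so the count only reflects the current window.
        while pkt.ts - win[0] > self.delta:
            win.popleft()
        if len(win) >= self.ack_threshold:
            return {"event": "StreamDos", "src": pkt.src, "dst": pkt.dst,
                    "acks_in_delta": len(win), "ts": pkt.ts}
        return None


def count_events(packets, ack_threshold: int = 3000, delta: float = 5.0) -> int:
    """Replay packets in time order and count how many times the signature fires."""
    det = StreamDosCounter(ack_threshold, delta)
    return sum(1 for p in sorted(packets, key=lambda p: p.ts) if det.observe(p))


def synthetic_acks(count: int, duration: float, src="xx.xx.xx.xx", dst="yy.yy.yy.yy"):
    """Constructed traffic: `count` ACKs spread evenly over `duration` seconds."""
    return [AckPacket(i * duration / count, src, dst) for i in range(count)]


if __name__ == "__main__":
    burst = synthetic_acks(3000, 2.0)      # 3000 ACKs inside 2 s
    trickle = synthetic_acks(3000, 20.0)   # the same 3000 ACKs spread over 20 s
    print(count_events(burst))               # 1: threshold reached within a 5 s window
    print(count_events(trickle))             # 0: never 3000 ACKs inside any 5 s window
    print(count_events(trickle, delta=60))   # 1: a large Delta also fires on the slow stream
```

The last case is why the parameter description says Delta should stay small: widening the window lets slower, ordinary ACK traffic accumulate to the threshold.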