TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Actually, RealSecure does perform stateful inspection for the majority of signatures. 
However, for legacy reasons, the Source IP and Destination IP always show the IP 
addresses of the last packet received when the signature triggered. It is a bit ironic 
that many of the better signatures (those with fewest false positives) trigger not on 
the initial request from the attacker to the victim, but only after the victim's 
response has been factored into the signature. Therefore, the last packet seen will 
often be going the opposite direction of the attack. To help clarify this, RS 7.0 also 
provides the notion of Victim IP and Intruder IP. Use the information from Victim IP 
and Intruder IP and you will be much less likely to be confused, since to use Source 
and Destination properly requires knowledge of how the signature is implemented.

Again, Source IP and Destination IP are still provided so that the scripts and reports 
for long-time customers do not break. However, I would recommend the use of Victim IP 
and Intruder IP instead whenever possible.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Saturday, August 24, 2002 1:04 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Real Secure logs

This is because RealSecure (and most other IDSs) do not
do stateful inspection -- which means it only knows the
true single connection's source and destination. 
Normal IDSs typically do not look at entire sessions.


On Fri, 23 August 2002, "Rodel Calvario" wrote:

> Hi All,
> 
> I am a little confused in interpreting the RS logs that I have and comparing
> them with the firewall logs.
> 
> As an example, I find an IP address from my RS logs to be the "source" but
> when I go and check on the firewall logs, the same IP address doing the same
> service is now the "destination". Can anybody clarify this?
> 
> Thanks,
> 
> Rodel
> 