TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

RealSecure 7 can handle 500k sessions by default, and you can configure it up
to 3-million concurrent TCP sessions.

Every vendor is "stateful": it just depends upon your definition of "state".
Since everyone does some IP and TCP reassembly, they call that "state".

The next level up in TCP "state" is watching which direction the original SYN
packet traveled. For example, I can establish an HTTP connection from port 21
to port 80. Even though a response on this connection will be sent to port 21
(normally reserved for FTP), the packet is still an HTTP packet because the
original connection was created against port 80. (Likewise, if I choose port 80
as the client and port 21 as the server, responses from the server are still FTP
even though they are sent to port 80.)

The next level of state is at the application layer. For example, when you look
at many HTTP attacks in RealSecure 7, you'll see a "response code". This comes
not from the original attack packet, but from the response packets coming from
the opposite direction.

An even further level of state is unrelated connections. For example, one of
the signatures in RealSecure 7 is a directory-climbing (../..) attack by
FTP servers against clients. The directory climbing information is in a
separate TCP connection from the original FTP control connection that was
established on port 21.

RealSecure 7 tracks more state than any other IDS. Cisco does a couple of
application-layer things, Snort 1.9 is adding TCP connection state "flows", and
Dragon has some interesting secondary triggers, but nobody really comes close
to the amount of state that RealSecure keeps.


--- Chan Kien Eng <[EMAIL PROTECTED]> wrote:
> 
> I thought RealSecure 7.0 can keep track of 100K sessions.
> Is this considered stateful?
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> > Sent: Sunday, August 25, 2002 1:04 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: Re: Real Secure logs
> > 
> > 
> > This is because RealSecure (and most other IDSs) do not
> > do stateful inspection -- which means it only knows the
> > true single connection's source and destination.
> > Normal IDSs typically do not look at entire sessions.
> > 
> > 
> > On Fri, 23 August 2002, "Rodel Calvario" wrote:
> > 
> > >
> > > Hi All,
> > >
> > > Am a little confused in interpreting the RS logs that I have and comparing
> > > them with the firewall logs.
> > >
> > > As an example, I find an IP address from my RS logs to be the "source" but
> > > when I go and check on the firewall logs, the same IP address doing the same
> > > service is now the "destination". Can anybody clarify this?
> > >
> > > Thanks,
> > >
> > > Rodel
> > >
> > >


=====
Robert Graham 
play[http://www.robertgraham.com]    work[http://iss.net]
"Security is mostly a superstition, it does not exist in nature" -- H. Keller
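The thread above turns on one point: a stateful inspector decides what protocol a packet belongs to from the direction of the original SYN, not from the port it happens to be sent to. The following is an added example (not code from the posts, from ISS or from any vendor named here) of a minimal flow tracker that records the SYN direction and then labels every later packet in that flow by the server port and by which side sent it. It is compared against a port-only "guess" so the difference is visible on the exact case in the reply: a client that connects from port 21 to port 80. The port-to-protocol table, the `Packet` and `Flow` types and the constructed traffic are all assumptions made for the example.

```python
"""Minimal stateful TCP flow tracker (added example, not RealSecure code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed port-to-protocol table. A stateful tracker consults it only once,
# for the destination port of the original SYN.
SERVICE_BY_PORT: Dict[int, str] = {21: "FTP", 80: "HTTP"}


@dataclass(frozen=True)
class Packet:
    """The few TCP header fields the example needs (constructed type)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False
    ack: bool = False


FlowKey = Tuple[str, int, str, int]  # client_ip, client_port, server_ip, server_port


@dataclass
class Flow:
    client: Tuple[str, int]
    server: Tuple[str, int]
    protocol: str


class FlowTracker:
    """Tracks which side sent the SYN and classifies later packets by that flow."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, Flow] = {}

    def _lookup(self, pkt: Packet) -> Optional[FlowKey]:
        # A packet belongs to a flow whether it travels client->server or server->client.
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if fwd in self.flows:
            return fwd
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if rev in self.flows:
            return rev
        return None

    def classify(self, pkt: Packet) -> Optional[Tuple[str, str]]:
        """Return (protocol, direction) for pkt, or None if its SYN was never seen."""
        key = self._lookup(pkt)
        if key is None:
            if pkt.syn and not pkt.ack:
                # Plain SYN: the sender is the client, the destination port names the service.
                key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
                self.flows[key] = Flow(
                    client=(pkt.src_ip, pkt.src_port),
                    server=(pkt.dst_ip, pkt.dst_port),
                    protocol=SERVICE_BY_PORT.get(pkt.dst_port, "unknown"),
                )
            else:
                # Mid-stream packet with no recorded handshake: we cannot say who the client is.
                return None
        flow = self.flows[key]
        direction = (
            "client->server" if (pkt.src_ip, pkt.src_port) == flow.client else "server->client"
        )
        return flow.protocol, direction


def stateless_guess(pkt: Packet) -> str:
    """What a port-only inspector says: it judges each packet's destination port in isolation."""
    return SERVICE_BY_PORT.get(pkt.dst_port, "unknown")


def demo() -> List[Tuple[Optional[Tuple[str, str]], str]]:
    """Constructed traffic: a client uses source port 21 to reach a web server on port 80."""
    tracker = FlowTracker()
    pkts = [
        Packet("10.0.0.5", 21, "192.0.2.10", 80, syn=True),            # SYN
        Packet("192.0.2.10", 80, "10.0.0.5", 21, syn=True, ack=True),  # SYN/ACK
        Packet("10.0.0.5", 21, "192.0.2.10", 80, ack=True),            # ACK + request
        Packet("192.0.2.10", 80, "10.0.0.5", 21, ack=True),            # HTTP response data
    ]
    return [(tracker.classify(p), stateless_guess(p)) for p in pkts]


if __name__ == "__main__":
    for stateful, stateless in demo():
        print(f"stateful={stateful} stateless={stateless}")
```

The server's packets are sent to port 21, so the port-only guess labels them FTP, while the tracker keeps calling them HTTP and additionally reports the direction. That direction field is also why a per-packet log (the firewall in Rodel's question) can list an address as the destination of one packet while a flow-oriented log names the same address as the source of the connection: one records who sent that packet, the other records who sent the SYN.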
