TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
ISS does not publish its algorithms in detail, because we operate in a very
competitive industry. However, specific customer requests for detailed information are
frequently considered and honored. Contact technical support. High level descriptions
of an algorithm are generally included in the on-line help.
-----Original Message-----
From: Emil D Skrdla/cis/evp/Okstate [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 27, 2002 7:17 PM
To: Palmer, Paul (ISSAtlanta); [EMAIL PROTECTED]
Subject: RE: Real Secure logs
Paul (and anyone else),
Where may we turn to gain knowledge of how the many signatures are implemented?
>>Use the information from Victim IP and Intruder IP and you will be much less
likely to be confused, since to use Source and
>>Destination properly requires knowledge of how the signature is implemented.
David Skrdla
Senior Systems Technician
CIS/Network Operations
Oklahoma State University
(405) 744-7806 (ph)
(405) 744-3323 (fax)
"Palmer, Paul (ISSAtlanta)" <[EMAIL PROTECTED]> Sent by: [EMAIL PROTECTED]
08/26/2002 08:22 PM To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]> cc:
<[EMAIL PROTECTED]>, (bcc: Emil D Skrdla/cis/evp/Okstate) Subject: RE: Real Secure
logs
Actually, RealSecure does perform stateful inspection for the majority of signatures.
However, for legacy reasons, the Source IP and Destination IP always show the IP
addresses of the last packet received when the signature triggered. It is a bit ironic
that many of the better signatures (those with fewest false positives) trigger not on
the initial request from the attacker to the victim, but only after the victim's
response has been factored into the signature. Therefore, the last packet seen will
often be going the opposite direction of the attack. To help clarify this, RS 7.0 also
provides the notion of Victim IP and Intruder IP. Use the information from Victim IP
and Intruder IP and you will be much less likely to be confused, since to use Source
and Destination properly requires knowledge of how the signature is implemented.
Again, Source IP and Destination IP are still provided so that the scripts and reports
for long-time customers do not break. However, I would recommend the use of Victim IP
and Intruder IP instead whenever possible.
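The field semantics Paul describes above (Source/Destination reflect the last packet that fired the signature, so a response-triggered signature reports them reversed, while Victim IP and Intruder IP are the sensor's own verdict on who attacked whom) are easy to get wrong in a report script. The following is an added example, not code from ISS or from anyone in this thread; the column names, signature names and addresses in the sample export are constructed for illustration and are not documented RealSecure export fields. It shows how a legacy "top attackers" report built on Source IP miscounts the victim as an attacker for a response-triggered event, and how preferring the Intruder/Victim columns (falling back to Source/Destination only when they are absent, and flagging that case) avoids it.

```python
import csv
import io

# Constructed sample RealSecure-style export (tab-separated). Column names are
# assumptions modelled on the thread, not documented RealSecure export fields.
# Event 2 is a response-triggered signature: Source/Destination are reversed
# relative to the attack. Event 3 is a legacy record with no Intruder/Victim.
SAMPLE_EXPORT = """\
Time\tSignature\tSourceIP\tDestinationIP\tIntruderIP\tVictimIP
2002-08-26 20:01:05\tSIG_REQUEST_TRIGGERED\t198.51.100.7\t192.0.2.10\t198.51.100.7\t192.0.2.10
2002-08-26 20:01:06\tSIG_RESPONSE_TRIGGERED\t192.0.2.10\t198.51.100.7\t198.51.100.7\t192.0.2.10
2002-08-26 20:02:11\tSIG_LEGACY_EXPORT\t203.0.113.5\t192.0.2.20\t\t
"""


def parse_events(text):
    """Parse a tab-separated export into a list of dicts (empty cells -> '')."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    return [dict(row) for row in reader]


def naive_roles(event):
    """The legacy assumption: Source IP is the attacker, Destination IP the victim."""
    return event["SourceIP"], event["DestinationIP"]


def roles(event):
    """Return (intruder, victim, basis).

    Prefer IntruderIP/VictimIP, which the sensor fills from its own knowledge
    of how the signature is implemented. Fall back to Source/Destination only
    when those columns are empty, and record that in 'basis' so a downstream
    report can mark the direction as unverified.
    """
    intruder = event.get("IntruderIP", "")
    victim = event.get("VictimIP", "")
    if intruder and victim:
        return intruder, victim, "intruder_victim"
    return event["SourceIP"], event["DestinationIP"], "source_destination_unverified"


def reversed_direction(event):
    """True when Source/Destination point the opposite way from Intruder/Victim,
    i.e. the signature fired on the victim's response rather than the request."""
    intruder, victim, basis = roles(event)
    if basis != "intruder_victim":
        return False
    return (event["SourceIP"], event["DestinationIP"]) == (victim, intruder)


def attacker_counts(events, use_legacy_fields=False):
    """Count events per attacker address, the way a 'top talkers' report would.
    With use_legacy_fields=True the count is keyed on Source IP, which credits
    the victim with an 'attack' for every response-triggered event."""
    counts = {}
    for ev in events:
        attacker = naive_roles(ev)[0] if use_legacy_fields else roles(ev)[0]
        counts[attacker] = counts.get(attacker, 0) + 1
    return counts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EXPORT)
    for ev in events:
        flag = "  <- Source/Destination reversed" if reversed_direction(ev) else ""
        print(ev["Signature"], roles(ev), flag)
    print("legacy report :", attacker_counts(events, use_legacy_fields=True))
    print("RS 7.0 report :", attacker_counts(events))
```

Run as-is, the legacy report lists 192.0.2.10 (the victim) as an attacker once, while the Intruder/Victim-based report correctly attributes both events to 198.51.100.7. The third record shows the fallback path: with no Intruder/Victim columns the script still produces a pair, but labels it so a reviewer knows the direction was not verified by the sensor.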