TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Paul,
So how does not publishing your algorithms and signatures make ISS
more competitive? How does keeping information from your customers make
your customers more secure? Is it your opinion that Snort is/will not be
"competitive" because they publish their algorithms and signatures?
A lot of trojans, peer2peer applications, etc have the ability to
change the default port number. So every time another one is released, we
have to ask ISS technical support whether they are only looking on the
default port or if they are looking on any port? This is a rather
simplistic example, but hopefully it makes the point.
Reminds me of the time I was informed by an ISS Support Engineer
that the GNUtella connect signature was looking for the string "GNUTELLA
CONNECT" on any port. Of course that just begged the question why I was not
receiving events for the e-mail that was going back and forth between us...
;)
Once we have information on a particular signature, can we share
that information with this list?
-jim
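As an added illustration of the port question raised above (example code written for this edit, not ISS code and not a description of how RealSecure actually matches), the toy engine below runs one content signature two ways: bound to the protocol's default port, and on any port. The traffic is constructed; port 6346 is assumed as Gnutella's conventional listening port. The any-port variant catches the client that moved to 8080 but also fires on an e-mail that merely quotes the handshake string, which is the trade-off a support answer about "default port or any port" is really describing.

```python
from dataclasses import dataclass
from typing import List

# Constructed packet model for this example (not a RealSecure structure).
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass(frozen=True)
class Signature:
    name: str
    content: bytes
    default_port: int   # assumption: 6346 as Gnutella's conventional port
    any_port: bool      # the behaviour the post asks support to confirm

def match(sig: Signature, p: Packet) -> bool:
    """Content match, optionally restricted to the signature's default port."""
    if not sig.any_port and p.dport != sig.default_port:
        return False
    return sig.content in p.payload

def scan(sig: Signature, packets: List[Packet]) -> List[str]:
    """Return one alert line per matching packet."""
    return [f"{sig.name}: {p.src} -> {p.dst}:{p.dport}" for p in packets if match(sig, p)]

# Constructed sample traffic: a handshake on the default port, the same
# handshake after the client changed ports, and an SMTP message that only
# talks about the handshake string.
TRAFFIC = [
    Packet("10.0.0.7", "198.51.100.20", 6346, b"GNUTELLA CONNECT/0.4\n\n"),
    Packet("10.0.0.8", "198.51.100.21", 8080, b"GNUTELLA CONNECT/0.4\n\n"),
    Packet("10.0.0.9", "198.51.100.25", 25,
           b"Subject: RS question\r\n\r\nIs the GNUTELLA CONNECT signature port-bound?"),
]

def demo():
    """Run the same content signature port-bound and port-agnostic."""
    port_bound = Signature("Gnutella_Connect", b"GNUTELLA CONNECT", 6346, any_port=False)
    port_agnostic = Signature("Gnutella_Connect", b"GNUTELLA CONNECT", 6346, any_port=True)
    return scan(port_bound, TRAFFIC), scan(port_agnostic, TRAFFIC)

if __name__ == "__main__":
    bound, agnostic = demo()
    print("default port only:", bound)
    print("any port:         ", agnostic)
```

Knowing which of the two the vendor implemented tells you both what you will miss (the non-default port) and what noise to expect (the e-mail), which is why the question matters for tuning rather than being a curiosity.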
-----Original Message-----
From: Palmer, Paul (ISSAtlanta) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 28, 2002 10:17 AM
To: [EMAIL PROTECTED]
Subject: RE: Real Secure logs
ISS does not publish its algorithms in detail, because we operate in a very
competitive industry. However, specific customer requests for detailed
information are frequently considered and honored. Contact technical
support. High level descriptions of an algorithm are generally included in
the on-line help.
-----Original Message-----
From: Emil D Skrdla/cis/evp/Okstate [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 27, 2002 7:17 PM
To: Palmer, Paul (ISSAtlanta); [EMAIL PROTECTED]
Subject: RE: Real Secure logs
Paul (and anyone else),
Where may we turn to gain knowledge of how the many signatures are
implemented?
>> Use the information from Victim IP and Intruder IP and you will be
>> much less likely to be confused, since to use Source and
>> Destination properly requires knowledge of how the signature is
>> implemented.
David Skrdla
Senior Systems Technician
CIS/Network Operations
Oklahoma State University
(405) 744-7806 (ph)
(405) 744-3323 (fax)
From: "Palmer, Paul (ISSAtlanta)" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
Date: 08/26/2002 08:22 PM
To: <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc: <[EMAIL PROTECTED]>
bcc: Emil D Skrdla/cis/evp/Okstate
Subject: RE: Real Secure logs
Actually, RealSecure does perform stateful inspection for the majority of
signatures. However, for legacy reasons, the Source IP and Destination IP
always show the IP addresses of the last packet received when the signature
triggered. It is a bit ironic that many of the better signatures (those with
fewest false positives) trigger not on the initial request from the attacker
to the victim, but only after the victim's response has been factored into
the signature. Therefore, the last packet seen will often be going the
opposite direction of the attack. To help clarify this, RS 7.0 also provides
the notion of Victim IP and Intruder IP. Use the information from Victim IP
and Intruder IP and you will be much less likely to be confused, since to
use Source and Destination properly requires knowledge of how the signature
is implemented.
Again, Source IP and Destination IP are still provided so that the scripts
and reports for long-time customers do not break. However, I would recommend
the use of Victim IP and Intruder IP instead whenever possible.
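As an added walk-through of the Source/Destination versus Intruder/Victim point (example code written for this edit, not ISS code and not RealSecure's implementation), the small stateful detector below remembers which host opened each flow and fires a constructed signature only once the responder's reply has been seen. The legacy-style fields are filled from the last packet processed, so they come out reversed relative to the flow-derived fields, exactly the situation described above. The signature, hosts and packets are all constructed; treating the flow initiator as the intruder is an assumption made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed packet and alert models for this example (not RealSecure structures).
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

@dataclass(frozen=True)
class Alert:
    signature: str
    source_ip: str    # legacy-style fields: copied from the last packet seen
    dest_ip: str
    intruder_ip: str  # flow-derived fields: who opened the conversation
    victim_ip: str

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]

def flow_key(p: Packet) -> FlowKey:
    """Direction-independent key so both halves of a conversation share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

class StatefulDetector:
    """Fires a constructed signature only after the request has been answered."""

    def __init__(self) -> None:
        self.initiator: Dict[FlowKey, str] = {}
        self.request_seen: Dict[FlowKey, bool] = {}

    def process(self, p: Packet) -> Optional[Alert]:
        k = flow_key(p)
        # Assumption for this example: the first sender on a flow is the intruder.
        self.initiator.setdefault(k, p.src)
        intruder = self.initiator[k]
        # Constructed signature: a request for example.cgi that the server answers 200.
        if p.src == intruder and b"GET /cgi-bin/example.cgi" in p.payload:
            self.request_seen[k] = True   # the request alone is not enough to alert
            return None
        if (p.src != intruder and self.request_seen.get(k)
                and p.payload.startswith(b"HTTP/1.1 200")):
            self.request_seen[k] = False
            return Alert(
                signature="Example_CGI_Success",
                source_ip=p.src, dest_ip=p.dst,        # last packet: victim -> intruder
                intruder_ip=intruder, victim_ip=p.src,  # from flow state
            )
        return None

def run_demo() -> Optional[Alert]:
    """Replay a constructed request/response pair and return the resulting alert."""
    attacker, victim = "192.0.2.10", "10.0.0.5"
    det = StatefulDetector()
    det.process(Packet(attacker, 40000, victim, 80,
                       b"GET /cgi-bin/example.cgi HTTP/1.0\r\n\r\n"))
    return det.process(Packet(victim, 80, attacker, 40000, b"HTTP/1.1 200 OK\r\n\r\n"))

if __name__ == "__main__":
    a = run_demo()
    print(f"Source={a.source_ip} Dest={a.dest_ip}  "
          f"Intruder={a.intruder_ip} Victim={a.victim_ip}")
```

A report keyed on Source IP would list the victim as the apparent originator here, which is the confusion the flow-derived fields are meant to remove; scripts that must keep using Source and Destination need to know, per signature, which packet in the exchange actually triggers it.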