<snip>
You can filter on any combination of:
    Src/dst IP address (maskable)
    Protocol
    Src/dst port

Packets matching a filter will be completely ignored by the sensor.
</snip>

It is supposed to work that way, but it's not entirely true. Packet filters
don't work on several signatures, namely:

IP Level: IPProtocolViolation, IPFrag, IPUnknownProtocol, SourceRoute,
PingOfDeath, TearDrop
TCP Level: SYNFlood, TCPPortScan
UDP Level: UDPBomb
ICMP Level: PingFlood, Smurf

In other words if you do a port scan from a host that is within the range
of a packet filter you will still get killed (your response will be
triggered). I found this out the hard way...

There is currently no fix for the behavior. ISS simply recommends disabling
the aforementioned signatures entirely, so you will have to deal with such
attacks with a router and/or firewall.

Cory Bys
CISSP, TICSA, GSEC, CCSE, CCSA, TCP, CNST
First Services
[EMAIL PROTECTED]

_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]