> Ajay:
> When the sensor sees events which could be using a spoofed source IP, it
> will record it as 0.0.0.0.
This thread explains it better: http://archives.neohapsis.com/archives/iss/2003-q2/0030.html

For the lazy: when "too many" similar packets whiz by (16 in one second), the sensor merely reports them all as 0.0.0.0 (or A.0.0.0 or A.B.0.0 or whatever). I don't believe this 16:1 ratio is configurable through PAM or anything, which is a shame when you're using RealSecure on a high-traffic gigabit network. (If I'm wrong please say so!)

It would seem that all an attacker has to do to cover his tracks from RealSecure is to source his attack across 15 other IPs. The timing is pretty tight, and only useful for fast, single-packet kills, but I'm sure it's doable, especially if he's inside your network already.

--
Tod Beardsley | planb-security.net
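The collapse behaviour described above, modelled as an added example (this is not code from the post, from ISS or from RealSecure): a toy sensor that groups packets by signature and destination within one wall-clock second and, at 16 or more, emits a single record whose source is wildcarded, plus a defender-side check that flags such records so an analyst knows the source attribution was lost and must be recovered from flow logs or packet captures. The 16-per-second figure is from the post; the exact collapse rule (zero every octet from the first one that differs across the burst), the record layout and the sample traffic are assumptions constructed for the example.

```python
from collections import defaultdict
from ipaddress import IPv4Address

# From the post: when 16 or more similar packets arrive within one second,
# the sensor reports them under a wildcarded source address.
COLLAPSE_THRESHOLD = 16


def collapse_sources(addresses):
    """Return the octets shared by every address, zeroing everything after
    the first octet that differs (assumed model of the 'A.B.0.0' output)."""
    octets = [str(IPv4Address(a)).split(".") for a in addresses]
    out, diverged = [], False
    for i in range(4):
        column = {o[i] for o in octets}
        if diverged or len(column) > 1:
            diverged = True
            out.append("0")
        else:
            out.append(column.pop())
    return ".".join(out)


def sensor_model(packets):
    """Hypothetical sensor: packets sharing signature and destination within
    the same second form a burst; bursts at or above the threshold become one
    record with a collapsed source. Packets are (timestamp, signature, src, dst)."""
    bursts = defaultdict(list)
    for ts, sig, src, dst in packets:
        bursts[(int(ts), sig, dst)].append(src)
    records = []
    for (sec, sig, dst), sources in sorted(bursts.items()):
        if len(sources) >= COLLAPSE_THRESHOLD:
            records.append((sec, sig, collapse_sources(sources), dst, len(sources)))
        else:
            records.extend((sec, sig, s, dst, 1) for s in sources)
    return records


def masked_octets(address):
    """Count trailing zero octets: 0.0.0.0 -> 4, 10.1.0.0 -> 2, a normal host -> 0."""
    n = 0
    for octet in reversed(address.split(".")):
        if octet != "0":
            break
        n += 1
    return n


def find_masked_records(records):
    """Defender-side check: records whose source has been wildcarded carry no
    usable attribution and should be cross-checked against flow or pcap data."""
    findings = []
    for sec, sig, src, dst, count in records:
        lost = masked_octets(src)
        if lost:
            findings.append({"second": sec, "signature": sig, "reported_source": src,
                             "destination": dst, "packets": count, "lost_octets": lost})
    return findings


# Constructed sample traffic (not captured data): a 16-packet burst against one
# host from sixteen different 10.1.x.5 sources inside second 100, followed by a
# lone probe from a single host in second 101.
SAMPLE_PACKETS = [(100.0 + i / 20, "HTTP_Probe", f"10.1.{i + 1}.5", "172.16.0.10")
                  for i in range(16)]
SAMPLE_PACKETS += [(101.2, "HTTP_Probe", "192.168.5.7", "172.16.0.10")]

if __name__ == "__main__":
    recs = sensor_model(SAMPLE_PACKETS)
    for rec in recs:
        print(rec)
    for finding in find_masked_records(recs):
        print("masked source, attribution lost:", finding)
```

Run stand-alone, the burst comes out as a single `10.1.0.0` record while the lone probe keeps its real source; the check reports the first record with two lost octets. In a real deployment the same check would run over the console's exported events, and any hit is a cue to pull the flow records for that second rather than trust the reported address.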
