How do you plan to find out that some packets are initial and others are not in UDP?
In UDP a session connection is not created; a connection is assumed to be
created in TCP, so you can create a TRONS rule like this:
alert tcp any 2090 -> any 2090 (flags: S; msg: "Something bad happened";)

Connection events in RNE, as far as I know, don't check TCP flags at all :-(.
As a result you'll obtain a lot of false positives.

Good Luck!
---
Best regards, Sergey V. Soldatov.
tel/fax +7 095 745 89 50 (2663)
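To make the behaviour discussed above concrete, here is a small Python model that is added to this thread and is not ISS or RealSecure code. It assumes a "connection event" is raised on the first packet of each unidirectional 5-tuple (proto, src, sport, dst, dport) and then stays silent until that flow has been idle for an assumed timeout, ignoring TCP flags; beside it runs a stateless check equivalent to the `flags: S` rule quoted above. The traffic is constructed: two hosts exchanging UDP on 2090/2090 (the case from the question), then two TCP sessions on the same ports.

```python
"""Toy model of flow-based 'connection events' versus a TCP SYN rule.

Added illustration, not the sensor's real implementation.  The de-duplication
key (one-directional 5-tuple), the idle timeout and the sample traffic are
assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds since start of capture (constructed)
    proto: str         # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flags as letters, e.g. "S", "SA", "A"


FlowKey = Tuple[str, str, int, str, int]


class ConnectionEventTracker:
    """Emits one event per new unidirectional flow (assumed behaviour).

    The first packet of a (proto, src, sport, dst, dport) tuple raises an
    event; later packets belong to the same 'connection' and stay silent
    until the flow has been idle longer than idle_timeout.  TCP flags are
    deliberately ignored, mirroring the flag-agnostic behaviour described
    in the reply above.
    """

    def __init__(self, idle_timeout: float = 300.0) -> None:
        self.idle_timeout = idle_timeout
        self._last_seen: Dict[FlowKey, float] = {}

    def process(self, pkt: Packet) -> Optional[str]:
        key: FlowKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        last = self._last_seen.get(key)
        self._last_seen[key] = pkt.ts
        if last is None or pkt.ts - last > self.idle_timeout:
            return (f"connection event {pkt.proto} {pkt.src}:{pkt.sport} "
                    f"-> {pkt.dst}:{pkt.dport} at t={pkt.ts}")
        return None


def tcp_syn_rule(pkt: Packet, port: int = 2090) -> Optional[str]:
    """Stateless equivalent of 'alert tcp any 2090 -> any 2090 (flags: S; ...)'.

    Fires on every pure SYN (SYN set, ACK clear) between the two ports, i.e.
    once per handshake attempt, however often the hosts reconnect.
    """
    if pkt.proto != "tcp" or pkt.sport != port or pkt.dport != port:
        return None
    if "S" in pkt.flags and "A" not in pkt.flags:
        return f"Something bad happened: SYN {pkt.src} -> {pkt.dst} at t={pkt.ts}"
    return None


def udp_demo() -> List[str]:
    """Constructed UDP traffic matching the question: A <-> B on 2090/udp."""
    a, b = "10.0.0.1", "10.0.0.2"
    pkts = [Packet(0.0, "udp", a, 2090, b, 2090),
            Packet(0.5, "udp", b, 2090, a, 2090)]
    # The hosts keep talking every second: no further events expected.
    pkts += [Packet(float(t), "udp", a if t % 2 else b, 2090,
                    b if t % 2 else a, 2090) for t in range(1, 60)]
    # Long silence, then traffic resumes: the idle timeout makes it a new event.
    pkts.append(Packet(1000.0, "udp", a, 2090, b, 2090))
    tracker = ConnectionEventTracker(idle_timeout=300.0)
    return [ev for ev in (tracker.process(p) for p in pkts) if ev]


def tcp_demo() -> Tuple[List[str], List[str]]:
    """Two TCP sessions A -> B on 2090; compare flow events with the SYN rule."""
    a, b = "10.0.0.1", "10.0.0.2"

    def session(t0: float) -> List[Packet]:
        return [Packet(t0, "tcp", a, 2090, b, 2090, "S"),
                Packet(t0 + 0.1, "tcp", b, 2090, a, 2090, "SA"),
                Packet(t0 + 0.2, "tcp", a, 2090, b, 2090, "A"),
                Packet(t0 + 1.0, "tcp", a, 2090, b, 2090, "PA"),
                Packet(t0 + 2.0, "tcp", a, 2090, b, 2090, "FA")]

    pkts = session(0.0) + session(50.0)   # reconnect 50 s later
    tracker = ConnectionEventTracker(idle_timeout=300.0)
    flow_events = [ev for ev in (tracker.process(p) for p in pkts) if ev]
    syn_alerts = [al for al in (tcp_syn_rule(p) for p in pkts) if al]
    return flow_events, syn_alerts


if __name__ == "__main__":
    for line in udp_demo():
        print(line)
    events, alerts = tcp_demo()
    print(len(events), "flow events;", len(alerts), "SYN alerts")
```

Running it shows the UDP pair producing one event per direction and nothing more while the hosts keep exchanging datagrams, which is the pattern described in the question; for TCP the flow tracker is silent on the second session because the 5-tuple is still within its idle window, whereas the SYN rule fires once per handshake.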


"Owen Hargreaves" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
cc:
Subject: [ISSForum] Question regarding connection event policies on network sensor 7.
19.05.2004 03:35

Hi all,

I created a connection event policy on my network sensors to monitor
connections from all on UDP source port 2090 to all on UDP destination
port 2090. There are many connections on this port between 2 hosts. ISS
alerted once when A 2090 -> B 2090 and once more when B 2090 -> A 2090.
Although the same 2 hosts continue to connect to each other on these
ports, no more alerts are generated. Why does ISS only alert once for
the initial connection and not again for connections thereafter?

Owen.
_______________________________________________
ISSForum mailing list
[EMAIL PROTECTED]

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.