List:       focus-ids
Subject:    Re: IDS Rules for ICMP
From:       Jose Vicente da Costa Machado Filho <JVicente () AMERICEL ! COM ! BR>
Date:       2001-01-09 18:57:24

Hi Mark,

you can go to the Policy Editor on your Management Console and use the
User Defined Signatures and input your own data. You can put the string
and it seems to be like Snort.

Regards,
Jose Vicente da C Machado
AMERICEL
I.T. - Information Security
email: jvicente@americel.com.br
office:(61) 329-6698
fax:(61) 329-6709
mobile:(61) 929-0016
http://www.americel.com.br
Address:
SEPS 702/902 Bloco B 1º andar
70390-025 - Brasilia - DF
Brazil


-----Original Message-----
From: Mark Elliott [mailto:marke@CWHOST.COM]
Sent: Tuesday, January 09, 2001 12:13
To: FOCUS-IDS@SECURITYFOCUS.COM
Subject: IDS Rules for ICMP


Hey group - maybe someone out there in IDS land can help.

My IDS (RealSecure) is picking up tons of trace routes originating from
non-existent hosts and networks (x.y.z.0 address) destined for various
IPs outside our firewall.  I believe this to be generated by utilities
such as sing and nemesis.  I have seen snort rules
(http://www.sys-security.com) to capture packets generated by these
utilities, but nothing within real secure.

So my question - do you know of a way to force real secure to use a
user defined string similar to snort?

and

Is anyone else seeing similar traffic?

Thanks,

Mark
