I have concerns that some things are not being killed...
I run Wietse's rpcbind wrapper on my machines and I still see people
trying to scan RPC ports (via syslog), even though I have the kill
option set in RS. It's that multiple-layer defense strategy I
suppose... call me paranoid.
-Tim
-----Original Message-----
From: RENTERIA TABARES JUAN [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 13, 2000 9:11 PM
To: [EMAIL PROTECTED]
Subject: The Engine detected a PmapDump how can i know if it was blocked
or if it was success?
I was reviewing the logs of my server and checking the email;
it notified me with the following message (which was also displayed
on the engine console):
'PmapDump' event detected by the RealSecure engine at 'server'.
Details:
Source Address: 24.x.x.x
Source Port: 828
Source MAC Address: 00:xx:xx:xx:xx:xx
Destination Address: ip my range
Destination Port: Portmap (111)
Time: Thu Jan 13 20:03:11 CST 2000
Protocol: TCP (6)
Priority: high
Actions mask: 0x245
How can I know if the ENGINE killed the attack when it was
detected? In the policies I have checked the kill option for the
RPC Attack, and also checked the email notification. I was notified
by email, but I don't know if the ENGINE really killed the
attack.
Is there a way to know that the attack was killed successfully?
Tkz, From Mexico.