TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hi James,
According to your mail, do you mean that we can filter
any security events by source or destination address ?
If true, how can I do it ?
thks,
raymond
--- "Lindley, Jim (ISSAtlanta)" <[EMAIL PROTECTED]>
wrote:
>
> TO UNSUBSCRIBE: email "unsubscribe issforum" in the
> body of your message to
> [EMAIL PROTECTED] Contact [EMAIL PROTECTED]
> for help with any problems!
>
----------------------------------------------------------------------------
>
> Steve:
>
> I believe that your explanation of the SYNFLOOD
> parameters is at variance
> with the descriptions in the event's Advanced
> options. The HIGHWATERMARK is
> the total number of unrequited SYN-ACKs waiting in
> the collection buffer on
> any single IP Socket. This tracks a SYNFLOOD
> against single CPUs and
> services. The second parameter, the DELTA, tracks
> the TOTAL number of
> unrequited SYN-ACKs on the network segment. As I
> undertand this, The
> SYNFLOOD triggers if EITHER threshold is exceeded.
>
> As for limiting the logging or display of
> uneccesarily repetitive
> information, that may be done through setting the
> Event Propagation and
> Event Filtering options on the same Advanced
> property sheet. Users may
> define events in terms of any combination of source
> and destination address
> or port and may further eliminate redundant
> notifications/logging/etc. by
> manipulating event thresholds and intervals.
>
> To find out even more, come to one of my classes!
>
> James R Lindley
> Senior Security Instructor
> Internet Security Systems Inc
> 678-443-6323
> An unquenchable thirst for Pierian water.
>
****************************************************************************
> *******
> ISS CONNECT 2000
> International User Group and Information Security
> Summit
>
> March 19-24, 2000
> http://connect.iss.net
>
> REGISTER
> TODAY!
>
****************************************************************************
> *******
> -----Original Message-----
> From: Reddock, Steve (ISSTokyo)
> [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, March 12, 2000 11:22 PM
> To: [EMAIL PROTECTED]
> Subject: Re: SynFloods
>
>
>
> TO UNSUBSCRIBE: email "unsubscribe issforum" in the
> body of your message to
> [EMAIL PROTECTED] Contact [EMAIL PROTECTED]
> for help with any
> problems!
>
----------------------------------------------------------------------------
>
> Hi,
>
> When RealSecure detects a synflood it puts the
> source address as 0.0.0.0 to
> avoid flooding the console (and the user!). A real
> synflood attack will
> almost certainly come from a spoofed source and
> quite possibly from a large
> number of spoofed sources. If each one of these IPs
> was displayed in the
> console as a separate souce address you would get
> swamped.
>
> So they all get listed as 0.0.0.0. If you drill down
> on the event or use
> the event inspector the source IP is listed in the
> info field, just incase
> it's useful.
>
> The way we detect synfloods is not perfect.
> Basically we count the number
> of half open connections to each IP address. When
> you hit the magic number
> we detect a synflood.
>
> So imagine RS sitting infront of your firewall. All
> 2,000 users on your
> network are emailing and surfing like mad. RS needs
> to keep track of all
> 2000 ips for outgoing traffic and all the incoming
> stuff too. This is not
> that easy.
>
> A real Syn-flood will be a few thousand half open
> connections. If
> RealSecure was to try to keep track of up to 3,000
> half open connections on
> a few thousand machines it would very quickly run
> out of resources. So we
> call a synflood at much less that a few thousand
> half open connections. The
> default is in fact 40.
>
> As you have seen, some networks are busier and can
> run to more than 40 half
> open connections in regular use. When this happens
> you will see a synflood
> false positive. To change the high water mark open
> your policy editor and
> select the synflood decode. Click the advanced tab.
> There are two numbers
> there. The high water mark is how many half open
> connections are allowed
> before we trigger. You can usually take this to 150
> without problems. I've
> seen people run at several hundred without problems.
> If you do increase
> this number by much take a look at the readme. There
> is a section on how to
> determine how much memory the detector requires. A
> sniffer could be used to
> help determine the average number of half open
> connections, but may
> customers just increase bit by bit until it seems
> right.
>
> The second parameter to can adjust is the delta. The
> default is 500. This
> means that once we trigger a syn-flood we wait for
> another 500 half open
> connections before we tell you again. So in a real
> syn-flood of several
> thousand events you will actually be told of several
> syn-floods in the
> space of a minute or two. If there is only one
> syn-flood logged it's
> probably a false positive and maybe increasing the
> high water mark is
> required.
>
> If you have RealSecure Network Engine protecting a
> busy web server I would
> expect 40 to be too low and you will get false
> positives. This does not
> mean the engine can't keep up, it's just that there
> are a lot of
> connections at that time, as it the nature of http
> traffic.
>
> Of course it's a really good idea to patch those
> webservers against
> syn-flood and every other DOS attack.
>
> Cheers, Steve
>
> At 11:03 AM 09-03-00 , Matthew F. Caldwell wrote:
>
> >TO UNSUBSCRIBE: email "unsubscribe issforum" in the
> body of your message to
> >[EMAIL PROTECTED] Contact [EMAIL PROTECTED]
> for help with any
> problems!
>
>---------------------------------------------------------------------------
> -
> >
> >
> >
> >If your using Solaris Engines, try using tcpdump or
> snoop to look at the
> >SYN packets further. On Windows NT try windump.
> This will give you a
> >better understanding of the packets and what is
> causing the SYN signature
> >to appear. I've seen the synflood signature appear
> often in cases where
> >the engines can't keep up with the bandwidth. (Most
> often high traffic
> >websites)
>
>
----------------------------------------------------------------------------
> Steve Reddock
> Consulting Manager - Asia Region
> [EMAIL PROTECTED]
>
> Internet Security Systems KK, Japan
> Phone +81-3-5475-6458 Fax +81-3-5475-0557
> http://www.iss.net
> http://www.isskk.co.jp
>
> Adaptive Network Security for the Enterprise
>
=== message truncated ===
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
