TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Please remember that RSKill does not block packets. It kills a TCP
connection once it meets specified criteria. A connection event is not
generated until a connection is established. Therefore, the RSKill
will not be performed until the connection has been established. Even
so, the RSKill should take effect almost immediately AFTER the
connection is established.

Are you just seeing evidence that the connection was established, or
are you seeing evidence that activity actually occurred on the
connection (such as a login)?

Another thing you must keep in mind is that only one connection event
will trigger for any single connection (always the first in the list).
So if you have created one connection event to report the event and a
second to kill the connection, the kill will not be applied.

If you are trying to block all traffic from a particular location,
your router is probably better equipped to enforce this than an IDS.
The RSKill is only effective against TCP connections. It cannot be
used against UDP or ICMP traffic.

Paul

-----Original Message-----
From: Richard Ginski [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 11:10 AM
To: [EMAIL PROTECTED]
Subject: Connection resets failing on source port FTP attempts




I have tried to block a particular IP address from accessing our
network address. I set up a connection event (tcp (all
source/destination ports), udp (all source/destination ports), and
icmp (echo reply/response)). I have turned on the responses "reset",
"log database", "display", and "E-mail" for their IP address
(the.identified.ip.address) coming to our net address (our.net.0.0). I
have ensured that I am using the correct masks for both (/32, /16
respectively). I am still receiving source port FTP notifications
coming from this address instead of the reset notification. (I have
already notified the Coord of this address space.)
Any ideas???



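As an added illustration (not part of the original thread and not RealSecure code), the Python sketch below models the two rules described in the reply, that only the first matching connection event fires and that a kill only works on TCP, and lints an ordered event list for kill responses that can never take effect. The Event fields, the "kill" response name and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Event:                      # hypothetical model of one connection event
    name: str
    proto: str                    # "tcp", "udp" or "icmp"
    src: str                      # source network in CIDR form
    dst: str                      # destination network in CIDR form
    responses: tuple              # e.g. ("log", "display", "kill")

def covers(a, b):
    """True if every connection matched by b is also matched by a."""
    net = ipaddress.ip_network
    return (a.proto == b.proto
            and net(b.src).subnet_of(net(a.src))
            and net(b.dst).subnet_of(net(a.dst)))

def lint(events):
    """Return (event name, reason) for each kill response that cannot apply."""
    findings = []
    for i, ev in enumerate(events):
        if "kill" not in ev.responses:
            continue
        if ev.proto != "tcp":     # a TCP reset cannot end UDP or ICMP traffic
            findings.append((ev.name, "kill has no effect on " + ev.proto))
            continue
        # First match wins: an earlier event covering this one fires instead.
        first = next((e for e in events[:i] if covers(e, ev)), None)
        if first is not None and "kill" not in first.responses:
            findings.append((ev.name, "shadowed by " + first.name))
    return findings

# Constructed sample: one /32 source against a /16 destination network.
SRC, DST = "192.0.2.10/32", "10.20.0.0/16"
SAMPLE = [
    Event("report-tcp", "tcp", SRC, DST, ("log", "display", "email")),
    Event("kill-tcp", "tcp", SRC, DST, ("kill",)),
    Event("kill-udp", "udp", SRC, DST, ("kill", "log")),
]
# Corrected layout: one TCP event carries both the reporting and the kill.
FIXED = [Event("tcp-all", "tcp", SRC, DST, ("kill", "log", "display", "email")),
         Event("report-udp", "udp", SRC, DST, ("log", "display"))]

if __name__ == "__main__":
    for name, reason in lint(SAMPLE):
        print(name + ": " + reason)
```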

