RE: RealSecure Kill

Brian Laing Tue, 15 Aug 2000 08:20:40 -0700

TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

I have delt with several of these for customers.  After looking at logged
data in RealSecure and firewall logs, each one has turned out to be HTTP
traffic.  Seems like company a connects up to company b, company b's
webserver is very busy and triggers syn-flood, company b has synflood set
with a responce of kill connction.  This then triggers company a's
RealSecure.

I would check RealSecure and your firewall logs to see what type of traffic
was running on that connection and investigate it that way.

brian


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
> Weir, Bruce
> Sent: 14 August 2000 03:23 PM
> To: Fleck, Michael; '[EMAIL PROTECTED]'
> Cc: Briese, Charles (Chuck)
> Subject: RE: RealSecure Kill
>
>
>
> TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your
> message to
> [EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with
> any problems!
> ------------------------------------------------------------------
> ----------
>
> Contact ISS Customer Support. They have the contact information
> for all the
> Custids. ISS will not tell you the name of company that the Custid belongs
> to, however, they will contact the them and ask why the RS Kill was
> generated. ISS will ask you to send an email message with a copy
> of  the RS
> Kill event (email alarm, etc.) attached. After ISS contacts the
> company, RS
> Kill traffic usually stops.
>
> Bruce
>
>
>               -----Original Message-----
>               From:   Fleck, Michael [mailto:[EMAIL PROTECTED]]
>               Sent:   Friday, August 11, 2000 5:15 PM
>               To:     '[EMAIL PROTECTED]'
>               Cc:     Briese, Charles (Chuck)
>               Subject:        RealSecure Kill
>
>
>               TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of
> your message to
>               [EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help
> with any problems!
>
> ------------------------------------------------------------------
> ----------
>
>               Occasionally pick up RealSecure Kill entries in my Sensor
> loges. How can I
>               reference the Custid back to a warm body to inquire why the
> Kill was
>               generated.
>
>               >       Michael Fleck
>               >       Internet Infrastructure Security
>               >       Compaq Computer Corporation
>               >       20555 SH 249    ( MC 020303 )
>               >       Houston, TX 77070
>               >        Telephone:  (281) 518-7067
>               >        Pager:  (713) 762-8464
>               >
>               >
>
>
RE: RealSecure Kill

Reply via email to
