At 12:12 PM 8/15/00 -0400, Weir, Bruce wrote:
>Hi Marc
>
>Yes, I have done this about once a month over the past six months and
>usually get a response from ISS.

Hi all, the "official" policy is only to contact the originator of the kill
if it's causing you a problem or it is indicative of a badly misconfigured
sensor - like 1000 kills detected in a day.

What we would do is act as a go-between with the two parties to help
troubleshoot it.

Most kills that get picked up are an incorrectly set syn-flood high water,
like Brian said. This is most often picked up for http traffic and smtp
traffic.

When your RS detects a kill you can usually work out where it's from by the
IP addresses involved in the connection. One will be at your end, the other
will be the server at the other end. It's a reasonable guess that the admin
for the server concerned would be a good person to follow it up with.

Personally I'd rather contact that person directly and ask what my users
did that they didn't like to try to resolve it. It will be faster than
going through ISS tech support each time. Of course we are always willing
to help, especially if it's resolving syn-flood false alarms, etc.

A RealSecure kill is not indicative of an attack against your network, or
necessarily one from your network to the other guy, it could be they are
using RealSecure as a firewall, it could be an incorrectly set parameter at
their end or several other things. If you have a RealSecure on your network
and you didn't pick up the "outgoing attack" then you can be fairly
confident that it wasn't an attack from your end.

But remember anybody who buys RealSecure can configure it to do anything
they like. It's their money they spent and if they decide to use RealSecure
to block http access because they don't like your IP block then it's their
choice.

Regards, Steve
----------------------------------------------------------------------------
Steve Reddock
Consulting Manager - Asia Region
[EMAIL PROTECTED]
Internet Security Systems KK, Japan
Phone +81-3-5475-6458 Fax +81-3-5475-0557
http://www.iss.net http://www.isskk.co.jp
PGP keys available on request
Internet Security Systems - The Power to Protect
------------------------------------------------------------------------