TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to [EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

Hi Staci,

Yes you can do something like this but:

a) Be aware that there aren't any tunable flood control settings for user-defined connections.

b) The other challenge you might have is in matching "anything-but" what is valid. Depends how simple your definition of validity is.

c) You could potentially get around the "anything-but" problem with multiple user-defined connections, in a certain order, with different priorities for each one. In other words, code a user-defined event for what's expected, but with no alerts, then AFTER that code more user-defined events for anything else WITH alerts.

d) But it's not easy to do this in a "water-tight" fashion, i.e. to catch EVERYTHING that's invalid. It could also have an impact on network engine performance if you code too many connection events.

e) I think you'll need a separate connection event for "any TCP service", a separate one for "any UDP service" and yet more for "any ICMP type x code y". Plus think whether you want to watch for traffic TO the unexpected addresses (i.e. somebody scanning for them) or FROM those addresses (i.e. somebody coming from them). It would be good if ISS could offer an "any IP" connection event in the future.

f) One thing I started investigating was very wide subnet masks, for example I think 0.0.0.1/1 is accepted by RealSecure and covers every IP address within that subnet (if you can call it a subnet; more of a supernet really). By doing this I can detect when we misconfigure our servers and they start using the 10.*.*.* range.

g) Hmm, I've also been meaning to set up a user-defined connection event for 127.0.0.1. It strikes me that some people can use this as a source address in a variety of (usually trust-based) attacks. I wonder whether 0.0.0.1/1 would detect that? Yes, I know it's within the masked range but I haven't tried to see what happens.

h) I can't be sure if you mean to detect use of wide IP ranges you're not using, or specific IP addresses. Not that it makes much difference to the above comments.

I wish you luck Staci. I tried doing what you're suggesting and gave up after about fifteen rules which only did 80% of what I wanted. Still, at least RealSecure didn't give me the blue screen of death, unlike another bit of software which objected violently to my endeavours.

Jason

On Thu, 24 May 2001 10:07:29 -0400, you wrote:

> Hi All,
> My question is this. Is there merit in creating User Defined connections
> to tell you when someone is trying to use IPs that you know your
> organization does not? The way of thinking here is that anyone who hits these
> IPs that you know are empty could possibly be an attacker. The other
> question is: if I make a user defined connection from any, to my void IP,
> service any, will I be alerted? Or am I doing it wrong?
> Thanks to all!!!

Jason.Renard at Mail.Com
Warning - all views expressed are my own. I cannot guarantee the accuracy of everything I've said - use it at your own risk.
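The ordered "expected traffic first with no alert, then catch-alls with alerts" scheme from points c) and e), and the wide-mask question from points f) and g), worked through as an added example. This is not code from the post and has nothing to do with how RealSecure evaluates its user-defined connection events; it is a plain first-match rule list in Python. The address plan (192.0.2.0/24 is "ours", only the lower half is in use, the upper half is the void range), the rule names and the sample connections are all constructed for illustration using RFC 5737 documentation addresses.

```python
"""Ordered first-match connection rules: specific alerts, then expected
traffic (no alert), then per-protocol catch-alls (alert).

Added example, not code from the original post or from ISS RealSecure.
All networks, rule names and connection records are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def net(spec: str):
    """Parse a network spec. strict=False tolerates host bits set under the
    mask, so '0.0.0.1/1' becomes 0.0.0.0/1 (0.0.0.0 - 127.255.255.255),
    which is what the post describes RealSecure accepting."""
    return ipaddress.ip_network(spec, strict=False)


ANY = net("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str    # "tcp", "udp", "icmp" or "any"
    alert: bool   # False = expected traffic; the match just stops evaluation


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    proto: str
    port: int     # destination port, 0 for icmp


# Assumed address plan (constructed): 192.0.2.0/25 is in use,
# 192.0.2.128/25 is the "void" half that nothing should talk to.
IN_USE = net("192.0.2.0/25")
VOID = net("192.0.2.128/25")

# First match wins, so order IS the policy: narrow alert rules first,
# broad "expected" rules next, one catch-all per protocol last
# (the post notes RealSecure needs separate TCP/UDP/ICMP events).
RULES: List[Rule] = [
    Rule("loopback-source",            net("127.0.0.0/8"), ANY,    "any",  alert=True),
    Rule("rfc1918-source-we-dont-use", net("10.0.0.0/8"),  ANY,    "any",  alert=True),
    Rule("to-void-address",            ANY,                VOID,   "any",  alert=True),
    Rule("expected-outbound",          IN_USE,             ANY,    "any",  alert=False),
    Rule("expected-inbound",           ANY,                IN_USE, "any",  alert=False),
    Rule("unexpected-tcp",             ANY,                ANY,    "tcp",  alert=True),
    Rule("unexpected-udp",             ANY,                ANY,    "udp",  alert=True),
    Rule("unexpected-icmp",            ANY,                ANY,    "icmp", alert=True),
]


def first_match(conn: Conn, rules: List[Rule] = RULES) -> Optional[Rule]:
    """Return the first rule whose src/dst/proto all cover the connection."""
    src = ipaddress.ip_address(conn.src)
    dst = ipaddress.ip_address(conn.dst)
    for r in rules:
        if src in r.src and dst in r.dst and r.proto in ("any", conn.proto):
            return r
    return None


def alerts_for(conns: Iterable[Conn], rules: List[Rule] = RULES) -> List[Tuple[Conn, str]]:
    """Connections that end up on an alerting rule, with the rule name."""
    out = []
    for c in conns:
        r = first_match(c, rules)
        if r is not None and r.alert:
            out.append((c, r.name))
    return out


def covers(mask_spec: str, ip: str) -> bool:
    """Does a (possibly very wide) mask such as '0.0.0.1/1' cover ip?"""
    return ipaddress.ip_address(ip) in net(mask_spec)


# Constructed sample connections, not captured traffic.
SAMPLE = [
    Conn("192.0.2.10",   "203.0.113.5", "tcp", 443),  # normal outbound web
    Conn("198.51.100.7", "192.0.2.25",  "tcp", 25),   # normal inbound mail
    Conn("198.51.100.7", "192.0.2.200", "tcp", 22),   # probe of an unused address
    Conn("10.1.2.3",     "192.0.2.25",  "udp", 53),   # misconfigured box using 10/8
    Conn("127.0.0.1",    "192.0.2.25",  "tcp", 80),   # spoofed loopback source
]

if __name__ == "__main__":
    for c, name in alerts_for(SAMPLE):
        print(f"ALERT {name}: {c.src} -> {c.dst} {c.proto}/{c.port}")
    for ip in ("127.0.0.1", "10.1.2.3", "192.0.2.10", "8.8.8.8"):
        print(f"0.0.0.1/1 covers {ip}: {covers('0.0.0.1/1', ip)}")
```

Running it flags the probe of 192.0.2.200, the 10.1.2.3 source and the 127.0.0.1 source, and leaves the two normal flows on the no-alert rules. The `covers` check answers point g): 0.0.0.1/1 does include 127.0.0.1 and all of 10/8, but it also includes every public address below 128.0.0.0 (8.8.8.8, for instance), so a source rule on that mask only makes sense on a segment where no such source is legitimate.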
