TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Guys
I'm confused - if RealSecure was set up to watch traffic IN and OUT of
your network at the location where you tap into the network, then
surely it should see packets with consistent addresses and NAT won't
matter? Sure you may NAT stuff but it would happen consistently BEFORE
or AFTER it hits RealSecure? Wouldn't it?
Now what COULD be happening is that your setup is only sending ONE
half of the conversation to RealSecure which is quite a different
matter and one which I'd be inclined to investigate pretty quickly as
you could be missing stuff.
Jason
On Wed, 25 Jul 2001 15:33:33 +0800 (CST), you wrote:
>
>Hi,
>
>I had the same problem here and I guess it should be for the
>same reason. Can we just filter out these
>misleading false positives?
>
>Thanks,
>Derek
>
> --- Michael Boehnlein <[EMAIL PROTECTED]> wrote:
>>
>> I experienced a similar situation. In our case, the
>> cause of the problem
>> was our Proxy Server. Because the Sensor was seeing
>> the SYN requests from
>> users out to the internet via the proxy, but not
>> seeing the SYN ACKS as they
>> were coming BACK to the proxy and being NAT'd back,
>> Realsecure assumed it
>> was a Synflood.
>>
>> Michael Boehnlein
>> Network Security Engineer
>> Imperial Bank
>>
>> -----Original Message-----
>> From: Ramiro Antonio Marulanda Zapata
>> [mailto:[EMAIL PROTECTED]]
>> Sent: Sunday, July 22, 2001 3:18 PM
>> To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
>> Subject: SYNFlood
>>
>>
>> Hi, I want to know if somebody can help me.
>> Currently I am receiving too many SYNFlood events in
>> which the source IP address is 0.0.0.0 and the
>> destination IP address is a public one, that is to
>> say, addresses of pages on the Internet. Now, the
>> spoofed IP addresses are always the same two,
>> belonging to the internal network segment of the
>> company. I am thankful for any help that you can
>> lend me.
>> I have RS v. 6.0 Console and the RS Sensor Network
>> v. 6.0.
>>
>> Regards!
>>
>> _____________________________________
>> Ramiro Marulanda Zapata.
>> Security Analyst
>> Cyberia S.A., Medellín-Colombia
>> Tel. 3129320-3129321
>> E-mail: [EMAIL PROTECTED]
>> _____________________________________
>>
Jason.Renard at Mail.Com
Warning - all views expressed are my own.
I cannot guarantee the accuracy of everything
I've said - use it at your own risk.
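
An added example, not part of the original thread: one way to check from a sensor's own capture whether SYNFlood alerts come from seeing only one half of each conversation, as discussed above. The record format, the sample addresses and the function names are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed sensor records: (src, sport, dst, dport, flags). Documentation-range
# addresses, not values from the thread. "S" = SYN, "SA" = SYN-ACK.
SYNS = [("10.0.0.5", 1025, "198.51.100.7", 80, "S"),
        ("10.0.0.5", 1026, "198.51.100.7", 80, "S"),
        ("10.0.0.6", 2040, "192.0.2.9", 443, "S")]
ONE_SIDED = SYNS                                   # replies never reach the tap
BOTH_SIDES = SYNS + [(d, dp, s, sp, "SA") for s, sp, d, dp, _ in SYNS]
# Replies captured on the other side of the translation: sent to a public address.
REWRITTEN = SYNS + [(d, dp, "203.0.113.1", 40000 + i, "SA")
                    for i, (_, _, d, dp, _) in enumerate(SYNS)]

def handshake_visibility(packets):
    """Per server: SYNs seen, SYN-ACKs whose tuple mirrors a seen SYN, any replies."""
    syns = {(s, sp, d, dp) for s, sp, d, dp, f in packets if f == "S"}
    stats = defaultdict(lambda: {"syn": 0, "synack": 0, "replies": 0})
    for _, _, d, _ in syns:
        stats[d]["syn"] += 1
    for s, sp, d, dp, f in packets:
        if f != "S" and s in stats:          # traffic coming back from a server
            stats[s]["replies"] += 1
            if f == "SA" and (d, dp, s, sp) in syns:
                stats[s]["synack"] += 1
    return dict(stats)

def diagnose(packets):
    """Summarise the capture: 'one-sided', 'unmatched' or 'complete'."""
    totals = defaultdict(int)
    for per_server in handshake_visibility(packets).values():
        for key, n in per_server.items():
            totals[key] += n
    if totals["syn"] == 0:
        return "no SYNs in capture"
    if totals["replies"] == 0:
        return "one-sided"      # sensor sees only half of every conversation
    if totals["synack"] < totals["syn"]:
        return "unmatched"      # replies exist, but some SYNs have no mirrored SYN-ACK
    return "complete"

if __name__ == "__main__":
    for name, capture in [("one-sided", ONE_SIDED), ("both", BOTH_SIDES),
                          ("rewritten", REWRITTEN)]:
        print(name, "->", diagnose(capture))
```

A result of "one-sided" or "unmatched" on traffic that users report as working points at sensor placement relative to the proxy or NAT device rather than at a flood.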