TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Mike
Can you apply a filter to stop synfloods?
I thought that synflood detection was done via separate code, for
performance and anti-DOS reasons, which meant it happened before
filters were applied. Also, if you were able to build a filter which
matched traffic causing synfloods, wouldn't that also filter out
(disable) other checks (e.g. security event matching) against that
traffic? When, probably, you WANT that traffic analysed for such
attacks. I'm confused.
Jason
On Thu, 26 Jul 2001 10:53:41 -0700, you wrote:
>
>In our case that's exactly what we did. We created a filter for Synfloods
>involving the Proxy's IP address. I have not had a problem since.
>
>Mike
>
>-----Original Message-----
>From: derek chow [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, July 25, 2001 12:34 AM
>To: Michael Boehnlein; 'Ramiro Antonio Marulanda Zapata';
>'[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
>Subject: RE: SYNFlood
>
>
>Hi,
>
>I had the same problem here and I guess it should be the
>same reason for it. Can we just filter out these
>misleading false positives?
>
>Thanks,
>Derek
>
> --- Michael Boehnlein <[EMAIL PROTECTED]>
>> I experienced a similar situation. In our case, the cause of the problem
>> was our Proxy Server. Because the Sensor was seeing the SYN requests from
>> users out to the internet via the proxy, but not seeing the SYN ACKS as they
>> were coming BACK to the proxy and being NAT'd back, Realsecure assumed it
>> was a Synflood.
>>
>> Michael Boehnlein
>> Network Security Engineer
>> Imperial Bank
>>
>> -----Original Message-----
>> From: Ramiro Antonio Marulanda Zapata
>> [mailto:[EMAIL PROTECTED]]
>> Sent: Sunday, July 22, 2001 3:18 PM
>> To: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]'
>> Subject: SYNFlood
>>
>>
>> Hi, I want to know if somebody can help me.
>> Currently I am receiving too many SYNFlood events in which the source
>> IP address is 0.0.0.0 and the destination IP address is a public one,
>> that is to say, addresses of pages on the Internet. Now, the spoofing IP
>> addresses are always the same two, belonging to the internal network
>> segment of the company. I appreciate any help that you can lend me.
>> I have RS v. 6.0 Console and the RS Sensor Network v. 6.0.
>>
>> Regards!
>>
>> _____________________________________
>> Ramiro Marulanda Zapata.
>> Security Analyst
>> Cyberia S.A., Medellín-Colombia
>> Tel. 3129320-3129321
>> E-mail: [EMAIL PROTECTED]
>> _____________________________________
>>
>>
>>
>>
>
Jason.Renard at Mail.Com
Warning - all views expressed are my own.
I cannot guarantee the accuracy of everything
I've said - use it at your own risk.
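
Added example (not part of the thread, and not RealSecure's detection code): a minimal half-open-connection counter over constructed packet records. It shows why a sensor that sees the proxy's outbound SYNs but not the returning SYN-ACKs reports a flood, and how an exception applied at the alert stage for the proxy address leaves that traffic counted. The proxy address, threshold and function names are assumptions.

```python
from collections import Counter

PROXY = "10.0.0.5"  # hypothetical proxy address (assumption, not from the thread)


def make_traffic(n, sensor_sees_replies):
    """Constructed records (src, dst, sport, dport, flags) for n outbound
    connections from the proxy. When sensor_sees_replies is False the
    SYN-ACK leg is missing, as when replies return on a path the sensor
    does not monitor."""
    pkts = []
    for i in range(n):
        server = f"198.51.100.{i % 200 + 1}"  # documentation address range
        sport = 40000 + i
        pkts.append((PROXY, server, sport, 80, "S"))
        if sensor_sees_replies:
            pkts.append((server, PROXY, 80, sport, "SA"))
    return pkts


def half_open_by_source(pkts):
    """Count, per initiating host, SYNs for which no SYN-ACK was observed
    on the reversed 4-tuple."""
    pending = {}
    for src, dst, sport, dport, flags in pkts:
        if flags == "S":
            pending[(src, dst, sport, dport)] = src
        elif flags == "SA":
            # A SYN-ACK answers the SYN sent in the opposite direction.
            pending.pop((dst, src, dport, sport), None)
    return Counter(pending.values())


def synflood_alerts(pkts, threshold=100, suppress_sources=()):
    """Sources at or over the threshold. suppress_sources withholds only
    the alert; the packets are still counted and remain available to any
    other check run over the same traffic."""
    counts = half_open_by_source(pkts)
    return sorted(s for s, c in counts.items()
                  if c >= threshold and s not in suppress_sources)


if __name__ == "__main__":
    print("one-way view :", synflood_alerts(make_traffic(150, False)))
    print("two-way view :", synflood_alerts(make_traffic(150, True)))
    print("with exception:", synflood_alerts(make_traffic(150, False),
                                             suppress_sources={PROXY}))
```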