Hello,

I was trying to tune the Network Sensor 6.0 and found one major limitation. I can see that some signatures, such as SYNFlood, have a trigger threshold; in other words, I can set the number of events before the RealSecure engine triggers a response. This is very good, but it only exists in a few signatures. For example, there is no trigger threshold in the Netbios_Session_Request signature.

In a network where this event is very common and happens at any moment (normal pattern), I will be obliged to log at least one of these events to the Enterprise DB (using the Flood Protection in the Advanced setting) because the signature has no trigger threshold. In other words, I can reduce the logging limits and protect the Enterprise DB, but what if I need to bypass some Netbios_Session_Request events (no RealSecure response) before beginning to log to the Enterprise DB?

If I disable the Netbios_Session_Request signature, I will be unable to detect a brute-force attack, or will at least lose one event that I can use to detect or suspect a brute-force attack. Other signatures have the same problem, for example Windows_Null_Session, etc.

Does anyone have recommendations?

Best regards,
Nelson
