Most of the stand-alone or built-in (i.e. firewalls) IDSes use
regular expressions to analyze the packets they are receiving.  Now if a
regular expression returns true after it is compared to a packet, then
the IDS will alert the admin.  In the world of IDS, pre-made regular
expressions are called signatures.  Hence the name signature-based
alerts.  If you ever used an IDS like RealSecure or Snort, this can cause
some headaches because the signatures are too vague, and they get
triggered too easily.  That is why IDSes are not the end-all solution.
When you get an alert, check it out, but don't think right off the bat
you are getting attacked. I hope that helped a bit.

Paul Sliwowski

On Tue, 2003-02-18 at 12:22, Tim Laureska wrote:
> Uuh... basic question I'm sure but what do you mean by a "signature
> based alert"?
> 
> -----Original Message-----
> From: neopara [mailto:[EMAIL PROTECTED]] 
> Sent: Tuesday, February 18, 2003 12:32 AM
> To: security-basics
> Subject: Re: TCP Syn Flooding
> 
> On Sat, 2003-02-15 at 08:20, Tim Laureska wrote:
> > OK. I just installed a Netgear firewall box between a cable modem and an
> > NT 4.0 server on a small network.. and set it up to email me attempts at
> > security breaches. I am brand new to these devices and a relative
> > neophyte to internet/internal network security.  So the question is
> > this.
> > 
> > I received this message a few times yesterday after I installed the box:
> > 
> > 
> > Fri, 02/14/2003 20:35:01 - TCP connection dropped -
> > Source:205.138.3.201, 80, WAN - Destination:69.2.167.25, 20306, LAN -
> > 'TCP:Syn Flooding' End of Log ----------
> > 
> > What should I make of this?
> >  
> > T.
> > 
> 
> It could also be a false positive?  IDSes are kinda sensitive to syn
> flood signatures.  I am guessing your firewall is just dropping the syn
> packet, so an application could be repeatedly trying to establish a
> connection which is triggering that signature.  It would help to know if
> there is a legitimate application that hits port 20306.
> 
> P.S. You should take signature based alerts with a grain of salt.
> 
> Pawel Sliwowski
> 
> Nothing More, For Me to Say,
> About my life, A Life of Dreams....
> 
-- 
Nothing More, For Me to Say,
About my life, A Life of Dreams....
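To make the two kinds of signature discussed in this thread concrete, here is a small added example (not code from any of the posts): a regex content signature in a vague and a tightened form, and a stateful SYN-counting signature of the "TCP:Syn Flooding" kind, both run over constructed packets in which one client keeps retrying a SYN that the firewall dropped. The packet list, the addresses, and the 3-SYNs-in-10-seconds threshold are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample packets, not captured traffic: (seconds, src_ip, dst_port, tcp_flags, payload)
PACKETS = [
    (0.0, "198.51.100.7", 20306, "S", b""),
    (3.0, "198.51.100.7", 20306, "S", b""),   # same client retrying after its first SYN was dropped
    (6.0, "198.51.100.7", 20306, "S", b""),
    (9.0, "198.51.100.7", 20306, "S", b""),
    (10.0, "203.0.113.9", 25, "PA", b"Subject: please reset my passwd\r\n"),
    (11.0, "203.0.113.9", 80, "PA", b"GET /cgi-bin/view?file=/etc/passwd HTTP/1.0\r\n"),
]

# Content signatures: name -> regex applied to the payload, as the post describes.
VAGUE_SIGS = {"passwd-access": re.compile(rb"passwd")}                       # fires on the e-mail too
TIGHT_SIGS = {"passwd-access": re.compile(rb"^GET [^ \r\n]*/etc/passwd\b")}  # only an HTTP request line


def content_alerts(packets, sigs):
    """Signature matching: test each regex against each packet, alert on a match."""
    alerts = []
    for ts, src, dport, _flags, payload in packets:
        for name, rx in sigs.items():
            if rx.search(payload):
                alerts.append((ts, name, src, dport))
    return alerts


def syn_flood_alerts(packets, threshold, window):
    """Stateful signature: alert when one source sends >= threshold SYNs to one port within window seconds."""
    recent = defaultdict(list)  # (src, dport) -> timestamps of SYNs still inside the window
    alerts = []
    for ts, src, dport, flags, _payload in packets:
        if flags != "S":
            continue
        key = (src, dport)
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            alerts.append((ts, "TCP:Syn Flooding", src, dport))
    return alerts


if __name__ == "__main__":
    print("vague content:", content_alerts(PACKETS, VAGUE_SIGS))
    print("tight content:", content_alerts(PACKETS, TIGHT_SIGS))
    print("syn 3/10s:", syn_flood_alerts(PACKETS, threshold=3, window=10))
    print("syn 3/5s: ", syn_flood_alerts(PACKETS, threshold=3, window=5))
```

The vague regex and the loose SYN threshold both alert on harmless traffic (an e-mail mentioning "passwd", a client retransmitting a dropped SYN), while the anchored regex and the tighter window do not, which is the "grain of salt" point made above.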