Subject: RE: RealSecure Queries
From: Becker, Pat (ISS Atlanta) (pmbiss.net)
Date: Sun Jun 18 2000 - 20:21:27 CDT




Let me try and address your questions.

1. You are exactly right. There's no reason you couldn't use either
interface, but using the stealth interface will no longer keep it
stealthy.

Care should always be taken when configuring response transports, or
you may end up defeating the purpose of the stealth interface.

2. I'll admit that the database isn't my area of expertise, but let
me try and answer. It depends where you want to purge the log files
(console or sensor). It is possible to do this and is easier on the
console side.

This should be done after syncing the DB with the engine. Otherwise
the next sync will bring in records that you may have deleted.

3. It certainly is possible that you are only seeing HTTP, FTP, and
Email traffic, but I'd be surprised if that was really the case,
unless you have a firewall blocking the traffic.

Although HTTP, FTP, and SMTP are some of the most used protocols, I
would not be comfortable with using any intrusion detection software
that only monitored those protocols. There are many other attacks
outside of these areas. Buffer overflows in Sun RPC programs,
security flaws across Netbios, Distributed and Singular Denial of
Service Attacks. It would be great if you could focus on a small
number of protocols. One of the advantages of RealSecure is the
broad coverage of a large number of protocols, ports, and attack
signatures. If HTTP, FTP, and SMTP are the only traffic that is
ALLOWED on your network, then you may be able to do that; otherwise
you'll need to be diligent.

Good luck,

Pat Becker
Sr. Development Engineer/RealSecure
Internet Security Systems, Inc.
pmbiss.net

-----Original Message-----
From: Brian Tan Wee Beng [mailto:tanwbbmailcityasia.com]
Sent: Thursday, June 15, 2000 10:03 AM
To: issforumiss.net
Subject: RealSecure Queries


Hi,
  Some doubts about RealSecure:
1) If the engine is configured in Stealth mode, which interface will
the email alert be sent out? If I'm not wrong, it should be from the
interface with TCP/IP bound.
2) Is there any way to purge the log after a certain date? I know that
the log is contained in rsclientlog.mdb.
3) For the past one month, I applied the maximum coverage in the engine
so as to get a clear picture of the kind of traffic that's flowing in
the network. From the log, I notice only HTTP and Email and
occasionally FTP traffic. When I refine my policy, am I right to say
that I should only concentrate on events that are related to these
three kinds of traffic?
Appreciate any advice given.

Cheers

