Subject: synfloods and spoofed addresses
From: Tim O'Connor (oconnort@nyu.edu)
Date: Tue Oct 31 2000 - 11:38:25 CST



I've got two questions regarding RS3.2 (engine on Solaris, console on
W2K) that are a bit elusive.

I'm detecting SYNfloods, and some of these show spoofed source
addresses, but in looking into the details, I find a field that
reveals the "InfoType"=SPOOFEDSRC, InfoValue=the.real.network.address.

Does anyone know how the software determines the genuine address when
the source address is spoofed? We want to be sure that if we chase
after a spoofed source, we're heading in the right direction.

(Yesterday, I had one such case, and called the owner of the machine,
and he was indeed using the web site that was allegedly the target of
his SYNflood, so the information in that field was accurate, at least
in this case.)

But this leads me to my second query, which is: what does the software
use to "decide" it has a SYNflood on its hands? In this case I
mentioned above, the owner of the machine was making repeated attempts
to download content from a congested web site. He could have been
lying about his activity, but when I inquired about his actual
activity, the time he claims to have quit trying the web site is the
time the "SYNflood" stopped, according to RS. Has anyone else seen
this kind of false positive?

I appreciate any responses from experienced RS users. Although I'm
a longtime user of ISS and, to a lesser extent, S3, I'm just now
getting RS installed from the CD I have (and am awaiting an update to
the more current engine version). I appreciate what I see so far, but
would like to have a better handle on the basic operations.

--tim o'connor
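An added illustration (not RealSecure's own detection logic, which the post asks about and the thread does not describe) of why a plain SYN-count threshold can flag a client repeatedly retrying a congested web site: a retransmitted SYN keeps its source port and initial sequence number, so counting distinct connection attempts rather than raw SYNs separates the retry pattern from a flood of forged sources. The addresses, threshold, window and packet records are constructed.

```python
from collections import Counter, defaultdict, deque
from typing import NamedTuple

class Syn(NamedTuple):
    t: float    # arrival time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int    # initial sequence number carried by the SYN

def peak_distinct(pkts, keyfn, window):
    """Per (dst, dport): the largest number of distinct keyfn(pkt) values seen
    in any window-second interval (sliding window over arrival time)."""
    groups = defaultdict(list)
    for p in pkts:
        groups[(p.dst, p.dport)].append(p)
    peaks = {}
    for target, ps in groups.items():
        ps.sort(key=lambda p: p.t)
        live, q, peak = Counter(), deque(), 0
        for p in ps:
            q.append(p)
            live[keyfn(p)] += 1
            while q[0].t < p.t - window:          # expire packets older than the window
                old = q.popleft()
                live[keyfn(old)] -= 1
                if live[keyfn(old)] == 0:
                    del live[keyfn(old)]
            peak = max(peak, len(live))
        peaks[target] = peak
    return peaks

def flagged(pkts, keyfn, threshold=20, window=10.0):
    """Targets whose peak exceeds the threshold: a 'SYN flood' under this heuristic."""
    return sorted(t for t, n in peak_distinct(pkts, keyfn, window).items() if n > threshold)

# Naive: every SYN counts.  Attempt-aware: a retransmitted SYN (same source port
# and ISN) collapses into the connection attempt it belongs to.
EVERY_SYN = lambda p: (p.src, p.sport, p.seq, p.t)
PER_ATTEMPT = lambda p: (p.src, p.sport, p.seq)

def client_retries():
    """Constructed: one host reloads a congested web site 8 times; each SYN is retransmitted twice."""
    return [Syn(i + r * 0.5, "10.0.0.5", 40000 + i, "192.0.2.10", 80, 1000 * i)
            for i in range(8) for r in range(3)]

def spoofed_flood():
    """Constructed: 60 SYNs, each from a different forged source address, port and ISN."""
    return [Syn(i * 0.1, f"203.0.113.{i}", 1024 + i, "192.0.2.10", 80, i * 7919)
            for i in range(60)]
```

With these inputs the raw count flags the retrying client (24 SYNs in 10 s) while the per-attempt count sees only 8 attempts; the forged flood trips both.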