From: Hartmann, Josef (hartmannsecunet.de)
Date: Wed Apr 11 2001 - 01:52:19 CDT

    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any problems!
    ----------------------------------------------------------------------------

    Hi,

    is there already a release date for this new release of RS?

    Cheers,
    Josef

    > -----Original Message-----
    > From: Farley, Tim (ISSAtlanta) [SMTP:TFarleyiss.net]
    > Sent: Wednesday, March 21, 2001 1:07 AM
    > To: 'Rickard Cedergren 2184'; issforumiss.net
    > Cc: Timo Vanska 2138
    > Subject: RE: Filter RealSecure Events?
    >
    >
    > > The problem is this, I have a webserver with java installed on it and
    > > some "Java shell" event triggers all the time when someone is
    > > using it. This event is still of concern if the source ip address is
    > > not from say the internal network.
    >
    > I assume you mean the event named "HTTP_JAVA". You can filter this in 5.x
    > versions of RealSecure using a user defined filter. HTTP_JAVA is one of
    > the few events that looks at text coming FROM the web server. So what you
    > can do is put a filter in place that filters all traffic FROM port 80 only
    > on the IP of the affected web server. This will also turn off
    > HTTP_SHOCKWAVE and HTTP_ACTIVEX events for that server but not much else.
    > All the "attack" type events look at traffic that is going *TO* port 80,
    > so those will still be active on your internal server.
    >
    > In a soon-to-be-released version of RealSecure, there is a new feature
    > that will let you handle stuff like this in a more generic and flexible
    > way on an event-by-event basis.
    >
    > > Another similar problem exists with "IP unknown protocol event" and
    > > OSPF. This event is useless cause I can't filter out anything other
    > > than protocol 1(icmp), 6(tcp) and 17(udp) (OSPF is protocol 89).
    >
    > You don't need to filter out ICMP, TCP, UDP and IGMP on that event, as it
    > automatically ignores them. If you go into your policy file where that
    > event is defined (under "IP" in the tree to the left) and click on the
    > ADVANCED... button, you will see a dialog that (among other things)
    > displays a configurable parameter called IGNORE. This is custom to this
    > event. You can put an entire list of protocol numbers here for this event
    > to ignore, separated by spaces and/or commas. Note there is a problem with
    > current versions of the engine that has been discussed on this list, where
    > it does not appear to take changes to the IGNORE parameter until you stop
    > and restart the engine.
    >
    > Hope that helps.
    >
    > =====================================
    > Tim Farley
    > Senior Researcher
    > Internet Security Systems
    >
    > tfarleyiss.net
    > (404) 236-2600 / Direct Dial (404) 236-2873 / fax (404) 236-2624
    > http://www.iss.net
    >
    > Internet Security Systems - The Power to Protect
    > =====================================
    >
    > > -----Original Message-----
    > > From: Rickard Cedergren 2184 [mailto:rickard.cedergrenteracom.se]
    > > Sent: Tuesday, March 20, 2001 11:34 AM
    > > To: issforumiss.net
    > > Cc: Timo Vänskä 2138
    > > Subject: Filter RealSecure Events?
    > >
    > >
    > >
    > > Hi, I have read all the pdf files (manuals) and searched the website
    > > www.iss.net for anything on "filtering on events" without any luck.
    > >
    > > I have RealSecure 5.5 and two network sensors deployed.
    > >
    > > The problem is this, I have a webserver with java installed on it and
    > > some "Java shell" event triggers all the time when someone is using it.
    > > This event is still of concern if the source ip address is not from say
    > > the internal network.
    > >
    > > I would not like to disable the particular event completely and a filter
    > > on the source and/or destination ip and/or port would be too rough.
    > >
    > > Another similar problem exists with "IP unknown protocol event" and OSPF.
    > > This event is useless cause I can't filter out anything other than
    > > protocol 1(icmp), 6(tcp) and 17(udp) (OSPF is protocol 89).
    > >
    > > Anyone done this?
    > >
    > > I would appreciate any kind of hints or tips regarding filtering on
    > > events.
    > >
    > >
    > >
    > >
    > > Thank You!
    > >
    > > /Rickard Cedergren
    > >
    > >
    >
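
The two filters described in Tim Farley's quoted reply, modelled as an added example that is not part of the thread and is not RealSecure code. The packet records, IP addresses and the event name EXAMPLE_REQUEST_ATTACK are constructed assumptions; only HTTP_JAVA, port 80, the IGNORE separators and the protocol numbers come from the messages.

```python
import re
from dataclasses import dataclass

# Protocols the reply says this event already ignores: ICMP, IGMP, TCP, UDP.
BUILTIN_IGNORED = {1, 2, 6, 17}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    event: str  # event a sensor would raise for this packet (constructed)


def parse_ignore(value):
    """Parse an IGNORE-style list: numbers separated by spaces and/or commas."""
    protos = set()
    for token in re.split(r"[,\s]+", value.strip()):
        if not token:
            continue
        number = int(token)  # ValueError on a non-numeric entry
        if not 0 <= number <= 255:
            raise ValueError(f"IP protocol number out of range: {number}")
        protos.add(number)
    return protos


def unknown_protocol_alert(ip_proto, ignore):
    """True if the unknown-protocol event would still fire for ip_proto."""
    return ip_proto not in (BUILTIN_IGNORED | parse_ignore(ignore))


def surviving_events(packets, server_ip):
    """Suppress only traffic FROM port 80 on server_ip; keep everything else."""
    return [p.event for p in packets
            if not (p.src_ip == server_ip and p.src_port == 80)]


# Constructed sample; addresses are documentation ranges, not from the thread.
WEB = "192.0.2.10"
SAMPLE = [
    Packet(WEB, 80, "198.51.100.7", 40001, "HTTP_JAVA"),  # server response
    # EXAMPLE_REQUEST_ATTACK is a hypothetical request-side event name.
    Packet("198.51.100.7", 40002, WEB, 80, "EXAMPLE_REQUEST_ATTACK"),
    Packet("192.0.2.20", 80, "198.51.100.7", 40003, "HTTP_JAVA"),  # other server
]
```

In this model the filter removes only the response-side event from the one noisy server: requests going to its port 80 and HTTP_JAVA responses from any other server still produce events, and OSPF (protocol 89) stops alerting only once 89 is in the IGNORE list.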