From: Fitch, Brian (ISS Atlanta) (BFitch iss.net)
Date: Wed Sep 19 2001 - 17:11:11 CDT
TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to majordomo iss.net
Contact issforum-owner iss.net for help with any problems!
----------------------------------------------------------------------------
The RSKill is TCP resets designed to sever a TCP session. If you put a
sniffer on the wire, I'm sure you'll see the RST packets being sent; however,
the Nimda worm is such a small session that it is over before the TCP RSTs
can be sent.
Brian Fitch
ISS IDS Named Accounts Engineer
-----Original Message-----
From: Anderson, Mike [mailto:Mike_Anderson centraltechnology.net]
Sent: Wednesday, September 19, 2001 4:38 PM
To: 'issforum iss.net'; ISS Technical Support
Subject: HTTP_Windows_Executable and HTTP_IIS_Unicode_Translation
Hello,
We have a network sensor with the RSKILL response set to
HTTP_Windows_Executable and HTTP_IIS_Unicode_Translation, to aid in
protecting from the new Nimda worm. However, our web site admin notifies me
that his logs show those connections actually getting through. The RS
console logs these SPECIFIC events as being killed. Any help/ideas?
Thanks.
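
The comparison this thread turns on, sensor events marked as killed versus what the web server itself logged, can be checked by correlating the two logs. The following is an added example, not part of the original messages or any ISS tool: the sensor export format, the sample log lines, the addresses and the 5-second clock-skew window are all constructed assumptions, and both logs are assumed to use the same time zone.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from the thread.
# IIS W3C extended log: date time c-ip cs-method cs-uri-stem sc-status
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2001-09-19 21:30:02 192.0.2.10 GET /scripts/example.exe 404
2001-09-19 21:32:11 192.0.2.10 GET /scripts/example2.exe 200
2001-09-19 21:33:40 198.51.100.7 GET /index.html 200
"""

# Hypothetical sensor export: time,signature,source IP,response taken
SENSOR_LOG = """\
2001-09-19 21:30:01,HTTP_Windows_Executable,192.0.2.10,RSKILL
2001-09-19 21:32:10,HTTP_IIS_Unicode_Translation,192.0.2.10,RSKILL
2001-09-19 21:35:00,HTTP_Windows_Executable,203.0.113.5,RSKILL
"""

FMT = "%Y-%m-%d %H:%M:%S"

def parse_iis(text):
    """Return (time, client_ip, uri, status) for each logged request."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, ip, _method, uri, status = line.split()
        hits.append((datetime.strptime(f"{date} {time}", FMT), ip, uri, int(status)))
    return hits

def parse_sensor(text):
    """Return (time, signature, source_ip) for events answered with RSKILL."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ts, sig, ip, response = line.split(",")
        if response == "RSKILL":
            events.append((datetime.strptime(ts, FMT), sig, ip))
    return events

def killed_but_served(events, hits, skew=timedelta(seconds=5)):
    """For each killed event, list server log entries from the same source
    within the skew window. A log entry means the request was processed."""
    return [{"time": ts, "signature": sig, "src": ip,
             "served": [(uri, st) for t, hip, uri, st in hits
                        if hip == ip and abs(t - ts) <= skew]}
            for ts, sig, ip in events]

if __name__ == "__main__":
    for row in killed_but_served(parse_sensor(SENSOR_LOG), parse_iis(IIS_LOG)):
        print(row["time"], row["src"], row["signature"], row["served"] or "no server entry")
```

A non-empty `served` list for an event the console reports as killed is the situation described above: the reset was sent, but the server had already handled the request.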