From: Fitch, Brian (ISS Atlanta) (BFitchiss.net)
Date: Thu Oct 11 2001 - 20:48:55 CDT

    TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
    majordomoiss.net Contact issforum-owneriss.net for help with any problems!
    ----------------------------------------------------------------------------

    Your parameters for SYNFlood are probably left to the defaults (check the
    advanced tab on the decode in your policy editor and you'll see what I
    mean). This will cause a lot of false positives in regards to web traffic
    and SMTP traffic.

    Chances are the "External IP" are web sites.

    Try increasing the values for "HighWaterMark" and "PacketsPerEvent" until
    you see a reduction in the false positives. Whatever final value you choose
    will depend on your network and your troubleshooting.

    The topic of SYNFlood has been discussed many times on the issforum; the
    archives are found here:

    http://archives.neohapsis.com/archives/iss/

    Brian Fitch, ISS Named Accounts Engineer

    -----Original Message-----
    From: JBFRYEUP.COM
    To: issforumiss.net
    Sent: 10/11/01 2:23 PM
    Subject: SYN-Flood false positives.

    RealSecure 5.0.2 detects a great deal of what it flags as SYNflood attacks. See Event detail below:

    Event: SYNFlood
    Date: 2001/10/11 13:10:13
    Source Addr: 0.0.0.0
    Destination Addr: External IP address
    Sensor Location: Internal IP address behind firewall
    Protocol: TCP
    Source Port: Any
    Destination Port: HTTP
    SPOOFEDSRC: Internal IP address

    Events similar to this are being generated approx. seven times per min. with three different SPOOFEDSRC internal IP addresses. The oddest thing about this is that the events continue to be generated for a particular SPOOFEDSRC internal IP address even after the host associated with that IP address has been removed from the network, i.e. powered off. Anyone seen anything like this?

    Jayme Frye
    Union Pacific Railroad Data Security
    271-3970
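Brian Fitch's advice above turns on two thresholds. The following is an added example, not code from the thread or from ISS, that models a half-open-connection SYN flood detector under an assumed reading of those settings: HighWaterMark is the number of half-open connections to one destination above which events begin, and PacketsPerEvent is how many SYNs above that mark produce one event. Run over constructed legitimate browsing traffic and a constructed spoofed flood, it shows why low values alert on ordinary web traffic while raised values still report a flood.

```python
# Added example, not code from the thread or from ISS: a simplified
# half-open-connection SYN flood detector showing how HighWaterMark and
# PacketsPerEvent govern alert volume.  The parameter names come from the
# thread; their semantics in RealSecure 5.x are assumed, not documented here.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" = client SYN, "A" = client ACK, "R" = RST

def count_synflood_events(packets, high_water_mark, packets_per_event):
    """Track half-open connections per destination.  A SYN opens an entry
    keyed by (src, sport); the client's ACK or RST closes it.  While the
    count exceeds high_water_mark, one event is raised per
    packets_per_event SYNs seen (assumed model of the two settings)."""
    half_open = {}  # dst -> set of (src, sport) awaiting completion
    excess = {}     # dst -> SYNs seen while above the mark
    events = []
    for p in packets:
        pending = half_open.setdefault(p.dst, set())
        if p.flags == "S":
            pending.add((p.src, p.sport))
            if len(pending) > high_water_mark:
                excess[p.dst] = excess.get(p.dst, 0) + 1
                if excess[p.dst] % packets_per_event == 0:
                    events.append({"dst": p.dst, "half_open": len(pending)})
        elif p.flags in ("A", "R"):
            pending.discard((p.src, p.sport))
    return events

def browsing_burst(client, server, n):
    """Constructed sample: a browser opens n parallel connections to a web
    server and every handshake completes, i.e. legitimate traffic."""
    syns = [Packet(client, 40000 + i, server, 80, "S") for i in range(n)]
    acks = [Packet(client, 40000 + i, server, 80, "A") for i in range(n)]
    return syns + acks

def spoofed_flood(server, n):
    """Constructed sample: n SYNs from spoofed sources that never complete."""
    return [Packet(f"10.9.{i // 256}.{i % 256}", 1024 + i, server, 80, "S")
            for i in range(n)]

def compare_settings(packets):
    """Event counts under a low (assumed default-like) and a raised setting."""
    return {"low": len(count_synflood_events(packets, 4, 2)),
            "raised": len(count_synflood_events(packets, 50, 10))}
```

Calling `compare_settings(browsing_burst("192.0.2.10", "203.0.113.5", 20))` yields 8 events at the low setting and none at the raised one, while `compare_settings(spoofed_flood("203.0.113.5", 200))` still yields 15 events at the raised setting; the addresses are constructed.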