
 
From: Mike Ruscher (Mike.Ruscher@CSE-CST.GC.CA)
Date: Tue Jan 09 2001 - 12:31:56 CST


    I have seen UDP traceroute and firewalk alerts using NFR while doing large
    transfers of binary data between hosts indicating that I am somehow
    performing a traceroute on a bogus host. This is something like replaying
    random traffic I guess. The firewalk alerts (3) were single packets, but the
    single traceroute alert was almost 200k packets. Both appear irregular
    perhaps and so were easily discarded as harmless anomalies and therefore
    benign.

    The filters seem to just look for traceroute packets and particular port
    number activities, so there must have been some data that apparently
    masqueraded as such. I know this sounds weird, but that's what it had to be
    in my case because there was nothing much else going on over the wire as it
    is a lab environment.

    Sorry, but I can't help you with RealSecure, but my guess is no for this
    particular alarm i.e., traceroute.

    Mike Ruscher
    Communications Security Establishment
    mgruscher@cse-cst.gc.ca

    > -----Original Message-----
    > From: Mark Elliott [mailto:marke@cwhost.com]
    > Sent: Tuesday, January 09, 2001 10:13 AM
    > To: FOCUS-IDS@SECURITYFOCUS.COM
    > Subject: IDS Rules for ICMP
    >
    >
    > Hey group - maybe someone out there in IDS land can help.
    >
    > My IDS (RealSecure) is picking up tons of trace routes
    > originating from non-existent hosts and networks (x.y.z.0
    > address) destined for various IPs outside our firewall. I
    > believe this to be generated by utilities such as sing and
    > nemesis. I have seen snort rules
    > (http://www.sys-security.com) to capture packets generated
    > by these utilities, but nothing within real secure.
    >
    > So my question - do you know of a way to force real secure to
    > use a user defined string similar to snort?
    >
    > and
    >
    > Is anyone else seeing similar traffic?
    >
    > Thanks,
    >
    > Mark
    >
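The reply above attributes the NFR traceroute alerts to filters that key only on traceroute-style packets and port numbers, so a large binary transfer that happens to land in the probe port window trips them. The following Python is an added illustration of that failure mode and one way a detection engineer might tighten such a rule; it is not code from either poster, from NFR, or from RealSecure. It assumes (my assumption, not the thread's) the classic UNIX traceroute pattern of UDP probes to destination ports from 33434 upward with TTL 1, 2, 3, ..., and all packets in it are constructed sample data.

```python
"""Toy traceroute detector: a port-only signature beside a behaviour-based one.

Assumptions (added here, not from the FOCUS-IDS posts): classic traceroute
sends UDP probes to ports 33434 and up with TTLs that climb from 1; the
sample traffic below is constructed, not captured.
"""
from dataclasses import dataclass
from collections import defaultdict

TRACEROUTE_PORTS = range(33434, 33434 + 100)  # assumed probe port window


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    dport: int
    ttl: int


def naive_traceroute_alert(pkts):
    """Port-only rule in the spirit of the filter described in the reply:
    any UDP packet into the probe port window raises an alert."""
    return [p for p in pkts if p.proto == "udp" and p.dport in TRACEROUTE_PORTS]


def tightened_traceroute_alert(pkts, min_probes=3, max_ttl=30):
    """Require traceroute behaviour, not just a port number: from one source
    to one destination, several UDP packets in the window whose TTLs start
    low and rise by one. A bulk transfer that lands in the window once, with
    a normal TTL, no longer matches."""
    by_flow = defaultdict(list)
    for p in pkts:
        if p.proto == "udp" and p.dport in TRACEROUTE_PORTS and p.ttl <= max_ttl:
            by_flow[(p.src, p.dst)].append(p.ttl)
    alerts = []
    for (src, dst), ttls in by_flow.items():
        run = 1
        for a, b in zip(ttls, ttls[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= min_probes:
                alerts.append((src, dst))
                break
    return alerts


# Constructed traffic: a bulk UDP transfer with a normal TTL (64) spread over
# high ports, one of which happens to fall inside the traceroute window.
BULK_TRANSFER = [Packet("10.0.0.5", "10.0.0.9", "udp", port, 64)
                 for port in (33000, 33434, 40001, 40002)]

# Constructed traffic: a genuine traceroute, TTL 1..4 into successive ports.
REAL_TRACEROUTE = [Packet("10.0.0.5", "10.0.0.9", "udp", 33434 + i, i + 1)
                   for i in range(4)]


def demo():
    """Return alert counts: (naive on bulk, tightened on bulk, tightened on traceroute)."""
    return (len(naive_traceroute_alert(BULK_TRANSFER)),
            len(tightened_traceroute_alert(BULK_TRANSFER)),
            len(tightened_traceroute_alert(REAL_TRACEROUTE)))


if __name__ == "__main__":
    print(demo())  # (1, 0, 1)
```

The port-only rule fires once on the bulk transfer and would fire on every matching packet of a long transfer, which is the shape of the near-200k-packet alert in the reply; the behaviour-based rule ignores the transfer but still catches the real trace. The TTL ceiling is a simplification: the TTL a sensor observes depends on how many hops sit between it and the sender, so in practice that threshold would be tuned per sensor placement.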