From: dcdave (dcdaveATT.NET)
Date: Tue Jan 11 2000 - 12:11:18 CST


    You don't have to force RealSecure -
    there is a facility within RealSecure allowing you to use any executable or
    other file as input to a rule; selection of a string can be a simple parse
    or a binary parse...
    dc dave
    ----- Original Message -----
    From: "Mark Elliott" <markeCWHOST.COM>
    To: <FOCUS-IDSSECURITYFOCUS.COM>
    Sent: Tuesday, January 09, 2001 11:13 PM
    Subject: IDS Rules for ICMP

    > Hey group - maybe someone out there in IDS land can help.
    >
    > My IDS (RealSecure) is picking up tons of trace routes originating from
    > non-existent hosts and networks (x.y.z.0 address) destined for various IPs
    > outside our firewall. I believe this to be generated by utilities such as
    > sing and nemesis. I have seen snort rules (http://www.sys-security.com) to
    > capture packets generated by these utilities, but nothing within real
    > secure.
    >
    > So my question - do you know of a way to force real secure to use a user
    > defined string similar to snort?
    >
    > and
    >
    > Is anyone else seeing similar traffic?
    >
    > Thanks,
    >
    > Mark