
RE: [ISSForum] SIGNATURE - No Informations



Luiz,
 
Default signature severities are not gospel, and not right for everyone everywhere. In this case I can imagine that it was not low, because the potential impact of exploiting the vulnerability is high, but not high because it is not straightforward to exploit from a non-connected network, i.e. the Internet. But that, of course, depends on what your environment looks like.
 
If you read the signature information you'll see that it's 'just' telling you your routers are using a default password. You need to decide whether that's something to worry about, and possibly to change it. The event severity has little bearing on this process.
 
From an audit point of view, there's no point in getting half a million events per day about something you already know, and from an analyst point of view it's completely useless. Because HSRP is so noisy, even tweaking event flooding/consolidation won't really help. The bottom line is that you're aware of the traffic/issue now, and I'd turn the signature off until the routers are supposedly reconfigured.
 
Regards,
 
Robert
 
 -----Original Message-----
From: issforum-admin@xxxxxxx [mailto:issforum-admin@xxxxxxx]
Sent: 30 June 2003 18:35
To: ISSForum@xxxxxxx
Cc: F2252817_Daniel_Aquino_Fernandes_Lopes/BANCO_DO_BRASIL@xxxxxxxxxxxxxxxxxx
Subject: [ISSForum] SIGNATURE - No Informations


Hi,

        A signature named HRSP_Default_Password brought by XPress Update 20.6 for NS 7.0 has provided a lot of incidents (around 500,000 a day).
It's just notify and has medium priority. What could I do? Just disable it? Or is it an important signature that tells me what is happening with my
routers?

Thanks in advance,

Luiz Leao - BBCSIRT