[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [ISSForum] [Newbie] All 0's in the source IP
> When the sensor sees events which could be using a spoofed source IP, it
> will record it as 0.0.0.0.
This thread explains it better:
For the lazy: when "too many" similar packets whiz by (16 in one second),
the sensor merely reports them all as 0.0.0.0 (or A.0.0.0 or A.B.0.0 or
whatever). I don't believe this 16:1 ratio is configurable through PAM or
anything, which is a shame when you're using RealSecure on a high traffic
gigabit network. (If I'm wrong please say so!)
It would seem that all an attacker has to do to cover his tracks from
RealSecure is to source his attack across 15 other IPs. The timing is
pretty tight, and only useful for fast, single-packet kills, but I'm sure
it's doable, especially if he's inside your network already.
Tod Beardsley | planb-security.net
ISSForum mailing list
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.