Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Realsecure Advisory - Fate Research Labs (11-01-00)
From: "Mitchell, Rick" <rjmitchell () COLUMBIAENERGYGROUP COM>
Date: Mon, 6 Nov 2000 15:20:33 -0500


According to this:


RealSecure *can* be used to block/detect the IIS Unicode exploit. Also, you can
add custom URL parsing rules to look for the RDS exploit as well. I have used
of these methods to successfully detect these types of attacks. This doesn't
mean that you do not go out and patch your servers - it just lets you know who
is trying to
get in. Remember - always patch your servers FIRST and rely on RealSecure (or
any other IDS) to detect KNOWN attacks (which is what IDS's are supposed to do
As long as IDS's are signature based (just like AV's) you are never going to be
fully protected from any exploit. Think of how many ways one can send the URL
of "msadc" - and then you will soon realize that trying to add a signature in
RealSecure to detect all of these is useless. Patch your servers, check your
IIS logs
reguarly, check your firewall logs, and then rely on RealSecure to let you know
who is trying KNOWN attacks on your server farm.


- Rick Mitchell
Network Administrator
Columbia Gas Transmission

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]