Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
-----------------------------------------------------------------------------
Hello,
Thanks for your info.
When I did the testing, I used both RealSecure 3.2 and 5.0.
3.2 generated the alarm you mentioned, which simply warns about
receiving a fragmented packet.
However, 5.0 launched an alarm that came from the result of
packet reconstruction.
When I tested a fragmented /cgi-bin/phf attack,
these two versions generated different alarms.
One is about the fragmentation itself (3.2); the other
is about the reconstructed /cgi-bin/phf (5.0).
Isn't 5.0 enough as a network-based IDS?
mark.teicher_at_networkice.com san wrote on Thu, 07 Sep 2000 10:20:38 -0700
>I would recommend trying this attack again and seeing what ISS RealSecure
>actually records to both the Display and the database. It is not exactly
>what is stated below.
>
>/mark
>
>/begin excerpt from their manual.
>IP Fragmentation
>RealSecure has detected a fragmented IP packet.
>Type Unauthorized Access Attempt
>Console Name IPFrag
>Technical
>Description
Keiji Takeda ( http://www.sfc.keio.ac.jp/~keiji/ )
Received on Sep 08 2000
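
Added example, not part of the original message and not RealSecure's code: a minimal sketch of the two behaviours the message contrasts, per-fragment inspection versus matching the /cgi-bin/phf string after IP reassembly. The fragment records, field names and alert strings are constructed for illustration; offsets are in bytes and the transport header is omitted for brevity.

```python
from collections import defaultdict

SIGNATURE = b"/cgi-bin/phf"  # string named in the message

# Constructed sample: one datagram split so the signature straddles two fragments.
SAMPLE = [
    {"src": "192.0.2.10", "dst": "192.0.2.80", "proto": 6, "id": 4242,
     "offset": 0, "mf": True, "payload": b"GET /cgi"},
    {"src": "192.0.2.10", "dst": "192.0.2.80", "proto": 6, "id": 4242,
     "offset": 8, "mf": False, "payload": b"-bin/phf HTTP/1.0\r\n\r\n"},
]

def per_packet_alerts(fragments):
    """Inspect every fragment on its own, with no reassembly state."""
    alerts = []
    for f in fragments:
        if f["mf"] or f["offset"] > 0:
            alerts.append("IP fragmentation")
        if SIGNATURE in f["payload"]:
            alerts.append("signature match in single packet")
    return alerts

def reassemble(fragments):
    """Group by (src, dst, proto, id) and return only complete datagrams."""
    flows = defaultdict(list)
    for f in fragments:
        flows[(f["src"], f["dst"], f["proto"], f["id"])].append(f)
    complete = {}
    for key, frags in flows.items():
        frags.sort(key=lambda f: f["offset"])  # arrival order does not matter
        buf, contiguous = bytearray(), True
        for f in frags:
            # A hole or an overlap is left unresolved here; how overlaps are
            # resolved differs between end hosts, so this sketch does not guess.
            if f["offset"] != len(buf):
                contiguous = False
                break
            buf += f["payload"]
        if contiguous and not frags[-1]["mf"]:  # final fragment has MF clear
            complete[key] = bytes(buf)
    return complete

def reassembled_alerts(fragments):
    """Match the signature against each fully reassembled datagram."""
    return ["/cgi-bin/phf in reassembled datagram"
            for data in reassemble(fragments).values() if SIGNATURE in data]

if __name__ == "__main__":
    print(per_packet_alerts(SAMPLE))
    print(reassembled_alerts(SAMPLE))
```
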