Intrusion Detection Systems mailing list archives

Re: Mod FWD


From: Keiji Takeda <keiji () sfc keio ac jp>
Date: Fri, 08 Sep 2000 13:56:01 +0900

Hello, 

Thanks for your info.

When I did the testing, I used both RealSecure 3.2 and 5.0.

3.2 generated the alarm you mentioned, which simply warns of
receiving a fragmented packet.

However, 5.0 launched an alarm that came from the result of
packet reconstruction.

When I tested a fragmented /cgi-bin/phf attack,
these two versions generated different alarms.
One is about fragmentation itself (3.2); the other
is about the reconstructed /cgi-bin/phf (5.0).

Isn't this 5.0 enough as a network-based IDS?

mark.teicher () networkice com san wrote on Thu, 07 Sep 2000 10:20:38 -0700
I would recommend trying this attack again and seeing what ISS RealSecure 
actually records to both the Display and the database.  It is not exactly 
what is stated below.

/mark

/begin excerpt from their manual.
IP Fragmentation
RealSecure has detected a fragmented IP packet.
Type: Unauthorized Access Attempt
Console Name: IPFrag
Technical Description

Keiji Takeda ( http://www.sfc.keio.ac.jp/~keiji/ )
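
The difference discussed in this thread, as an added example that is not part of the original message and is not RealSecure code: a sensor that inspects each fragment alone can only report fragmentation, while one that reassembles first can match the /cgi-bin/phf path. The tuple layout, byte offsets (real IP offsets are in 8-byte units), function names and the per-fragment signature check are assumptions made for illustration.

```python
# Added example: constructed fragments, not captured traffic.
SIGNATURE = b"/cgi-bin/phf"   # the request path named in the thread

def split(payload, ip_id, size=8):
    """Build constructed fragments: (ip_id, offset, more_fragments, data)."""
    chunks = [payload[i:i + size] for i in range(0, len(payload), size)]
    return [(ip_id, i * size, i < len(chunks) - 1, c)
            for i, c in enumerate(chunks)]

def per_fragment_alerts(frags):
    """Flag fragmentation and match the signature on each piece alone."""
    alerts = []
    for ip_id, off, mf, data in frags:
        if mf or off > 0:            # any fragment of a fragmented datagram
            alerts.append("IPFrag")
        if SIGNATURE in data:
            alerts.append("phf")
    return alerts

def reassemble(frags):
    """Return {ip_id: payload} for datagrams that are contiguous and complete."""
    groups = {}
    for ip_id, off, mf, data in frags:
        groups.setdefault(ip_id, []).append((off, mf, data))
    done = {}
    for ip_id, parts in groups.items():
        parts.sort()                 # tolerate out-of-order arrival
        buf, complete = b"", False
        for off, mf, data in parts:
            if off != len(buf):      # gap or overlap: do not guess, drop datagram
                break
            buf += data
            complete = not mf        # last fragment carries more_fragments=False
        else:
            if complete:
                done[ip_id] = buf
    return done

def reassembled_alerts(frags):
    """Match the signature only after reconstruction."""
    return ["phf" for p in reassemble(frags).values() if SIGNATURE in p]

REQUEST = b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n"   # constructed sample request
FRAGS = split(REQUEST, ip_id=1)                   # four fragments of <= 8 bytes
```

A datagram with a gap or overlapping fragments is dropped here rather than reassembled; a production sensor would raise its own alert for that case.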

