This message is being sent in response to the recent postings on both the IDS forum and on BugTraq regarding ISS RealSecure's ability to address the modified attack signatures described in those postings.

NEW ATTACK SIGNATURES

When new attack types and evasive techniques are identified by ISS product developers and ISS X-Force researchers, we update our products with additional X-Press Updates to detect and block such attacks. Just as anti-virus software must regularly release new virus definition files when new viruses are found, Intrusion Detection Software such as RealSecure must be updated when new attacks are developed and discovered.

ENHANCEMENTS TO NEXT REALSECURE RELEASE

ISS development is aware of the modified attacks described in the postings. They have been addressed by engineering for the next major release of RealSecure. As with any software product, RealSecure continues to develop and evolve and so does the strength and scope of the attack signatures and packet processing. The next RealSecure release contains numerous additions and enhancements that will allow RealSecure to detect the modified attacks described in the BugTraq posting.

FALSE POSITIVES FOR SENDMAIL ATTACKS

RealSecure's analysis of email messages is designed to enhance performance by treating email headers and message content the same. While this can lead to false positives under certain conditions, customers rarely receive such false positives if RealSecure is configured properly. By turning off the Wiz check, as recommended (since very few machines are vulnerable to the Wizard backdoor), customers can reduce excessive false positives.

Many RealSecure signatures, like the email signatures, include advanced tuning options that also help reduce positives. These advanced options allow you to configure many parameters, such as how often an event must be seen within a user-defined period of time before triggering a response. This functionality is very flexible and allows users to configure this flood protection based on many parameters, such as source and destination address and port.

WHISKER STEALTH MODES

A signature to detect a broader range of Whisker scans is already in the engineering builds of RealSecure. We have verified and retested this signature using the various Whisker modes to ensure comprehensive detection of this program. The current development build has successfully detected attempts to evade RealSecure using a variety of methods including stealth mode.

MODIFIED IP FRAGMENTATION ATTACKS

The next release of RealSecure will detect more advanced IP fragmentation attacks by adding enhanced IP Fragment re-assembly to the Network Sensor. The IP Fragmentation re-assembly code has been successfully tested both in-house and at various customer sites. This functionality has been completely re-engineered to help prevent evasive techniques, such as the ones described in the BugTraq posting.

X-PRESS UPDATES

In addition to including a variety of new signatures, the next release of RealSecure will make it even easier to quickly add new signatures using X-Press Updates. This feature already exists in other ISS SAFEsuite products and allows ISS to respond more timely to new security threats.

RECOMMENDATIONS

ISS asks individuals to please report any bugs, new exploits, new modifications to exploits, and any issues regarding ISS products to supportat_private. ISS also recommends using the open discussion forum on ISS technology at http://xforce.iss.net/maillists to seek answers. This forum also provides many useful tips and advice on how to use RealSecure.

In addition, to ensure proper configuration, ISS recommends customers go through an ISS intrusion detection training course. Customers may also request assistance from ISS Consulting Group to help implement and properly configure RealSecure in a specific environment.