Bugtraq mailing list archives

Re: Realsecure Advisory - Fate Research Labs (11-01-00)


From: "Mitchell, Rick" <rjmitchell () COLUMBIAENERGYGROUP COM>
Date: Mon, 6 Nov 2000 15:20:33 -0500

Greetings

According to this:

http://xforce.iss.net/alerts/advise68.php

RealSecure *can* be used to block/detect the IIS Unicode exploit. Also, you can
add custom URL parsing rules to look for the RDS exploit as well. I have used
both of these methods to successfully detect these types of attacks. This
doesn't mean that you do not go out and patch your servers - it just lets you
know who is trying to get in. Remember - always patch your servers FIRST and
rely on RealSecure (or any other IDS) to detect KNOWN attacks (which is what
IDS's are supposed to do). As long as IDS's are signature based (just like
AV's) you are never going to be fully protected from any exploit. Think of how
many ways one can send the URL string of "msadc" - and then you will soon
realize that trying to add a signature in RealSecure to detect all of these is
useless. Patch your servers, check your IIS logs regularly, check your firewall
logs, and then rely on RealSecure to let you know who is trying KNOWN attacks
on your server farm.

Regards,

- Rick Mitchell
Network Administrator
Columbia Gas Transmission

