Snort mailing list archives

RE: Speedera Alerts


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 26 Mar 2002 09:16:16 -0800 (PST)

On Tue, 26 Mar 2002, Luo, Feng (Exchange) wrote:

Erek, could you explain what the dangers of these Speedera Alerts are? I
got a lot too.

Feng,

        It's not so much the "danger" of the alert itself.  Rather, what else
it _could_ be is more of the danger.  Consider the following:

        *  Your users are on the internet.
        *  Your users visit a site using Speedera.
        *  You see the resulting 'pings' back.

        Now, if this goes on for a while, you'll consider it 'normal' and not
unusual for your network's traffic.  Heck, you might even put up ignore
rules and/or remove that rule from the list.  Now by doing so, you've given
the 3l33t h4x0r an alert type that can be mimicked and would be ignored.  Now
they could use the Speedera Ping type as an ICMP tunnel.

        You'll need to inspect the packet dumps and make sure that it is a
'Speedera Ping' and not something else, IF you are concerned about it.  Since
the ICMP rules are prone to lots of false positives and large numbers of alerts
on legitimate traffic, they are turned off by default.

        I would _strongly_ suggest:


http://www.amazon.com/exec/obidos/ASIN/0735710082/qid=1017162710/sr=1-1/ref=sr_1_1/103-4870944-6418218

  Network Intrusion Detection: An Analyst's Handbook

and

http://www.amazon.com/exec/obidos/ASIN/0735710635/qid=1017162710/sr=1-2/ref=sr_1_2/103-4870944-6418218

  Intrusion Signatures and Analysis


        Those two books will help you understand some of the hows, whys and
whats of the IDS world.

        Good luck!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
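An added defender-side illustration of the "inspect the packet dumps" advice above (my own example, not code from the thread or from Snort): parse a raw IPv4/ICMP echo request and check whether its payload really matches the pattern you expect for the alert you are about to tune out, flagging anything that merely looks like it. The benign prefix `SPEEDERA-PROBE`, the entropy threshold and the sample packets are constructed assumptions, not the real Speedera signature; substitute what your own dumps show.

```python
import math
import struct
from typing import Dict

# Constructed placeholder for the payload your dumps show on the known-benign
# alert. This is NOT the real Speedera signature; replace it with yours.
BENIGN_PAYLOAD_PREFIX = b"SPEEDERA-PROBE"


def parse_ipv4_icmp(pkt: bytes) -> Dict:
    """Split a raw IPv4 packet carrying ICMP into type, code, id, seq, payload."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes (options included)
    if pkt[9] != 1:                    # IPv4 protocol field: 1 == ICMP
        raise ValueError("not an ICMP packet")
    icmp = pkt[ihl:]
    itype, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"type": itype, "code": code, "id": ident, "seq": seq, "payload": icmp[8:]}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; padded/ASCII probe payloads are low, encrypted tunnels high."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(pkt: bytes, max_entropy: float = 4.0) -> str:
    """Decide whether an echo request is the benign alert or something mimicking it."""
    hdr = parse_ipv4_icmp(pkt)
    if hdr["type"] != 8:               # only echo requests carry the 'ping' we tuned
        return "not-echo-request"
    payload = hdr["payload"]
    if not payload.startswith(BENIGN_PAYLOAD_PREFIX):
        return "unexpected-payload"
    if shannon_entropy(payload) > max_entropy:   # right prefix, tunnel-like body
        return "high-entropy-payload"
    return "matches-known-benign"


def build_echo_request(payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Construct a minimal IPv4 + ICMP echo request for offline testing (checksums
    left at zero; the parser above does not verify them)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    return ip + icmp
```

Run `classify()` over the echo requests behind each alert; anything other than `matches-known-benign` is the packet you should actually look at before writing the ignore rule.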


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net