Is there a way to rewrite the 3050 to be a custom sig looking for the absence of answered (ACKed) SYN/ACK packets, to reduce alerts that happen when servers are down or some other sort of auto response has blocked access for a host? Thanks, Kevin
Are there any signatures available for this? From looking at the advisory it would seem searching for anything between \x80-\xff in the To header might suffice.
When will the ability to set capture = true be added? Can we increase the eventstore without negative side effects? Could it be added to context-based sigs only?
You can filter out src and dst IPs based on what they are doing. You can also change the port list on the IDS sig, which is currently 1-1023, to be something like 1-52;54-87;89-160;163-387;390-1023. Or you can alert on data post some pre-analysis engi...
I know it is in my hands. I was wondering if there was a formula or if it was arbitrary. For instance, why is the DHCP bug defaulted to medium? The impact is that it could shut down an interface on an internet router; however, it should not be running o...
Write an XML parser to put it in the format you want. Do this after logs have been gathered through RDEP. There are probably better solutions, but that is the one I know of.