Bugtraq mailing list archives
Re: Realsecure Advisory - Fate Research Labs (11-01-00)
From: "Mitchell, Rick" <rjmitchell () COLUMBIAENERGYGROUP COM>
Date: Mon, 6 Nov 2000 15:20:33 -0500
Greetings,

According to this: http://xforce.iss.net/alerts/advise68.php RealSecure *can* be used to block/detect the IIS Unicode exploit. Also, you can add custom URL parsing rules to look for the RDS exploit as well. I have used both of these methods to successfully detect these types of attacks.

This doesn't mean that you do not go out and patch your servers - it just lets you know who is trying to get in. Remember - always patch your servers FIRST and rely on RealSecure (or any other IDS) to detect KNOWN attacks (which is what IDS's are supposed to do). As long as IDS's are signature based (just like AV's) you are never going to be fully protected from any exploit. Think of how many ways one can send the URL string of "msadc" - and then you will soon realize that trying to add a signature in RealSecure to detect all of these is useless.

Patch your servers, check your IIS logs regularly, check your firewall logs, and then rely on RealSecure to let you know who is trying KNOWN attacks on your server farm.

Regards,
- Rick Mitchell
Network Administrator
Columbia Gas Transmission
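As an added example (not part of the original message or of RealSecure), the following sketch shows the log-review side of the point above: a literal "/msadc/" match on the raw request URI misses re-encoded spellings, while canonicalizing the URI first catches them. The simplified log layout (ip, method, uri, status), the sample lines and the function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample lines; fields are: client-ip method uri status.
SAMPLE_LOG = """\
192.0.2.10 GET /default.htm 200
192.0.2.11 POST /msadc/msadcs.dll 200
192.0.2.12 POST /MSADC/msadcs.dll 200
192.0.2.13 POST /%6D%73%61%64%63/msadcs.dll 200
192.0.2.14 POST /%256d%2573adc/msadcs.dll 404
192.0.2.15 GET /images/logo.gif 200
"""

def canonicalize(uri, max_rounds=3):
    """Percent-decode repeatedly (bounded) and lowercase, so encoded and
    mixed-case spellings collapse to one form before matching."""
    for _ in range(max_rounds):
        decoded = unquote(uri, encoding="latin-1")
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

def _requests(log):
    """Yield (client_ip, uri) for each well-formed line."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            yield fields[0], fields[2]

def literal_hits(log, needle="/msadc/"):
    """Signature-style check: case-sensitive substring on the raw URI."""
    return [ip for ip, uri in _requests(log) if needle in uri]

def canonical_hits(log, needle="/msadc/"):
    """Same substring check, applied after canonicalizing the URI."""
    return [ip for ip, uri in _requests(log) if needle in canonicalize(uri)]

if __name__ == "__main__":
    print("literal  :", literal_hits(SAMPLE_LOG))
    print("canonical:", canonical_hits(SAMPLE_LOG))
```
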