Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security ISSForum
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [ISSForum] signature search function: re tredo

from [Palmer, Paul \(ISSAtlanta\)] Network Security [Permanent Link]
Subject: Re: [ISSForum] signature search function: re tredo
Date: Wed, 13 Sep 2006 14:58:57 -0400 
Scott,

If you have not discovered it already, there is a document (a ".chm"
file actually) that you can download from the SiteProtector console's
help menu. This "pam.chm" contains more information about signatures and
tuning. The information is cross-correlated in a variety of ways. In
this case, you could have navigated to the information on IPv6, found a
list of signatures that trigger at that protocol level, and seen that
IPv6_Teredo was one of them.

We use the term signature very loosely. In actuality, PAM doesn't have
signatures. There is no table of signature specifications that we could
hash. PAM is a collection of protocol parsers and detection algorithms
integrated tightly together. This confers a lot of benefits over
signature-based systems, more stable performance over time being just
one of them.

Paul

-----Original Message-----
From: issforum-bounces@atla-mm1.iss.net On Behalf Of Johnson, Scott
Sent: Tuesday, September 12, 2006 12:34 PM
To: issforum@atla-mm1.iss.net
Subject: [ISSForum] signature search function: re tredo

I found the Teredo signature but by accident.

 

ISS must reinstate the signature search it had in the old policy editor.
There is no way to perform a string search to find key words in
signature descriptions. This makes it difficult to quickly find what you
are looking for. One can not depend on the name of the signature to be
descriptive enough. 

 

While I am ranting, true signature tuning needs to be implemented. There
needs to be a one to one mapping of PAMs to signatures and if that is
not enough direct access to the signature. ISS could flag the signature
by an md5 hash as to whether or not it is original or modified.

 

Scott Johnson 

Information Security

Electric Reliability Council of Texas

www.ercot.com

Office: 512-248-3152

Cell: 512-917-9844

 

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.




_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [ISSForum] Backup of Private/Public keys, Heng Kuo Kuang Kelvin NCS
Next by Date:  [ISSForum] RemoteSiteException, Chi-Chi_Potorachillo
Previous by Thread:  [ISSForum] signature search function: re tredo, Johnson, Scott
Next by Thread:  [ISSForum] Teredo Signature, Johnson, Scott
Indexes:  [Date] [Thread] [Top] [All Lists]