[Snort-sigs] RealSecure signature part 1

counter.spy at ...52...
Wed May 1 05:03:02 EDT 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

Rule:  	alert tcp $HOME_NET 2998 -> any any 
	(msg:"INFO RealSecure 6.x Daemon to WGM, cryptographic handshake";
	content: "6ISS ECNRA Built-In Provider, Strong Encryption"; 
	nocase; offset:30; depth:70; flags:A+; classtype: successful-recon-limited;
	sid: ; rev:0;)


Summary: INFO RealSecure 6.5 cryptographic handshake

Impact: RealSecure components can be identified.

Detailed Information: This signature indicates that a RealSecure 6.5 server
offers available cryptographic providers to the console or event collector
after the console or event collector finished the initial TCP three-way
The cryptographic handshake is done via the iSCSI protocol in clear-text.

Attack Scenarios: An internal hacker could use this knowledge in order to
map all the machines that are running RealSecure.

Ease of Attack: The hacker needs to run a sniffer on your network for a

False Positives: not known

False Negatives: RealSecure can be configured to work on different ports.

Corrective Action: It is yet unknown if the cryptographic handshake could be
# I asked for that in the ISSForum mailing list but got no reply.
but it is strongly recommended to configure the sensors to work on
non-default ports.
Don't use RealSecure 6.5 if your policy does not allow IDS components to
transmit unique signatures. 

Contributors: counter.spy at ...52...

Additional References:

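The matching conditions of the rule in this message, modelled on constructed packets. This is an added example, not part of the original post and not Snort code. It assumes that depth is counted from the offset (as the Snort 2.x manual describes); the Packet class, the sample payloads and port 4000 are made up for illustration.

```python
# Added example: models the rule's header, flags and content checks on constructed packets.
from dataclasses import dataclass

BANNER = b"6ISS ECNRA Built-In Provider, Strong Encryption"  # content string from the rule
OFFSET, DEPTH = 30, 70      # offset:30; depth:70
DAEMON_PORT = 2998          # source port in the rule header
ACK = 0x10                  # TCP ACK bit; flags:A+ means ACK set, other flags allowed


@dataclass
class Packet:
    sport: int
    tcp_flags: int
    payload: bytes


def content_match(payload: bytes) -> bool:
    """Case-insensitive (nocase) search limited to payload[OFFSET:OFFSET + DEPTH].

    Assumption: depth is counted from the offset, as in the Snort 2.x manual.
    """
    window = payload[OFFSET:OFFSET + DEPTH]
    return BANNER.lower() in window.lower()


def rule_fires(pkt: Packet, port: int = DAEMON_PORT) -> bool:
    """True when the source port, the ACK flag and the content condition all hold."""
    return pkt.sport == port and bool(pkt.tcp_flags & ACK) and content_match(pkt.payload)


def make_payload(prefix_len: int, banner: bytes = BANNER) -> bytes:
    """Constructed payload: filler bytes, the banner, then trailing filler."""
    return b"\x00" * prefix_len + banner + b"\x00" * 16


# Constructed sample packets (not captured RealSecure traffic).
SAMPLES = {
    "default port, banner in window": Packet(2998, 0x18, make_payload(34)),
    "mixed-case banner": Packet(2998, 0x18, make_payload(34, BANNER.swapcase())),
    "banner before offset 30": Packet(2998, 0x18, make_payload(10)),
    "banner runs past the window": Packet(2998, 0x18, make_payload(60)),
    "daemon moved to port 4000": Packet(4000, 0x18, make_payload(34)),
    "SYN only, no ACK": Packet(2998, 0x02, make_payload(34)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:32} -> {'alert' if rule_fires(pkt) else 'no alert'}")
```

The port 4000 sample is the false negative named in the message: the same handshake bytes pass unnoticed once the daemon leaves port 2998, so a sensor relying on this rule has to track the ports actually configured.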