[Snort-sigs] RealSecure signature part 2

counter.spy at ...52... counter.spy at ...52...
Wed May 1 05:06:04 EDT 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  	alert tcp $HOME_NET 902 -> any any (msg:"INFO RealSecure 6.x Daemon to event collector, cryptographic handshake"; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; nocase; offset:30; depth:70; flags:A+; classtype:successful-recon-limited; sid: ; rev:0;)

--
Sid:

--
Summary: INFO RealSecure 6.5 cryptographic handshake

--
Impact: RealSecure components can be identified.

--
Detailed Information: This signature indicates that a RealSecure 6.5 server sensor
offers available cryptographic providers to the console or event collector
after the console or event collector finished the initial TCP three-way handshake.
The cryptographic handshake is done via the iSCSI protocol in clear-text.

--
Attack Scenarios: An internal hacker could use this knowledge in order to map all the
machines that are running RealSecure.

--
Ease of Attack: The hacker needs to run a sniffer on your network for a while.

--
False Positives: not known

--
False Negatives: RealSecure can be configured to work on different ports.

--
Corrective Action: It is yet unknown if the cryptographic handshake could be disabled,
# I asked for that in the ISSForum mailing list but got no reply.
but it is strongly recommended to configure the sensors to work on non-default ports.
Don't use RealSecure 6.5 if your policy does not allow IDS components to
transmit unique signatures.

--
Contributors: counter.spy at ...52...

-- 
Additional References:



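Added example, not part of the original post or of Snort itself: a small Python model of the rule's match conditions (source port, ACK flag, and a case-insensitive content search limited by offset:30; depth:70), useful for checking where the signature stops firing. It assumes depth is counted from the offset, so the search window is payload bytes 30 to 99; the Segment type, the payloads, and the alternate port 2998 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

ACK = 0x10  # TCP ACK bit; "flags:A+" means ACK set, any other flags allowed
PATTERN = b"6ISS ECNRA Built-In Provider, Strong Encryption"


@dataclass
class Segment:
    """Constructed stand-in for one TCP segment seen by the sensor."""
    src_port: int
    flags: int
    payload: bytes


def content_match(payload: bytes, offset: int = 30, depth: int = 70) -> bool:
    """content + nocase, searched only inside payload[offset:offset+depth]."""
    window = payload[offset:offset + depth]
    return PATTERN.lower() in window.lower()


def rule_fires(seg: Segment, sensor_port: Optional[int] = 902) -> bool:
    """Evaluate the rule; sensor_port=None models a source port of 'any'."""
    if sensor_port is not None and seg.src_port != sensor_port:
        return False
    if not seg.flags & ACK:
        return False
    return content_match(seg.payload)


def make_payload(lead: int) -> bytes:
    """Constructed payload: `lead` filler bytes, the banner, then padding."""
    return b"\x00" * lead + PATTERN + b"\x00" * 8


if __name__ == "__main__":
    cases = [
        ("default port, banner at byte 40", Segment(902, ACK, make_payload(40)), 902),
        ("sensor moved to port 2998", Segment(2998, ACK, make_payload(40)), 902),
        ("same segment, port 'any'", Segment(2998, ACK, make_payload(40)), None),
        ("banner starts before offset", Segment(902, ACK, make_payload(29)), 902),
        ("banner runs past the window", Segment(902, ACK, make_payload(54)), 902),
    ]
    for label, seg, port in cases:
        print(f"{label:32s} -> {'alert' if rule_fires(seg, port) else 'no alert'}")
```

The last two cases show that the 47-byte banner must start between payload bytes 30 and 53 for the content test to succeed, in addition to the port-based false negative listed above.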