Introduction
Our product detects anomalies in network traffic. There are
two anomalies associated with RealNetworks multimedia servers.
- When you dial-up the Internet, you may inherit
the IP address of somebody else who was connected
to a RealNetworks server. You will therefore be sent
traffic you never asked for, causing an alert.
- Sometimes when the user disconnects from the server,
the server will still attempt to stream data.
This causes an alert, because there is nobody
listening for the incoming data.
Fix
The temporary fix is to add the following lines to
the file "sigs.ini". This file is located in the directory
where you've installed our product.
udpprobe.0.6970=
udpprobe.0.6971=
udpprobe.0.6972=
udpprobe.0.6974=
udpprobe.0.6976=
udpprobe.0.6978=
udpprobe.0.6980=
udpprobe.0.6982=
udpprobe.0.6984=
udpprobe.0.6986=
The latest version, 1.9.6, includes these lines already.
The current beta includes RealNetworks protocol parsing
directly within the intrusion detection system, so these
lines will not be needed in the future.
Allowing RealAudio through the firewall
In versions 1.9.6 and before, RealAudio doesn't work automatically
through the firewall when set at "Paranoid".
However, we are currently adding a feature
to automatically adjust the firewall filters in order to allow RealAudio
to work in this mode.
In the meanwhile, you can add the following information to the
file "firewall.ini":
[MANUAL TCP high REJECT]
ACCEPT, 6970, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6971, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6972, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6973, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6974, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6976, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6978, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6980, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6982, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6984, REAL, 1999-07-19 20:50:26, PERPETUAL
ACCEPT, 6986, REAL, 1999-07-19 20:50:26, PERPETUAL
