I was wondering if any of you are familiar with the NFR IDS software/appliance.

I'm running this as an appliance on my network and I had a few concerns. Some of the packages it uses for its ruleset are kind of nebulous in their descriptions at best. I've recently been seeing an increase in "Invalid Network Attacks" from some pretty disparate networks. NFR is reporting these as bad addresses and a possible DOS attack. One of the networks that is sending these bad addresses to me is from icann.org which doesn't make a whole lot of sense. I was wondering if I'm getting flase positives on this and if there is a way that I can filter them out.

Some of the other networks that have been hitting me are from Spain, Denmark and Yugoslavia... those are all in the same address range but in different countries, and they all belong to some huge telecom in Europe it looks like.

Also something has been "resetting" my IDS every few hours. It's only down for about 10-20 seconds before coming up but I'm at a loss as to see what's doing it.


So is there anyone here familiar with this application? Anyone have any ideas as to why icann.org is sending me bad addresses, or why I'm seeing a large increase in bad addresses from Europe? How about why my IDS keeps resetting itself?

Any help you guys can provide will be greatly appreciated.



El Diablo