LogSat Software

Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic

There have been a couple of reports of the LogSat web server "attacking" SpamFilter customers networks and even causing some firewalls to go into some ugly La-La land. This is not an "attack". However, the high traffic nature of email messaging (and SPAM!) can cause a tightly configured (Anal retentive?) IDS or Firewall to mistake it as such.

LogSat's web server is where your SpamFilter makes all the http requests to check if an IP is listed in the SFDB and SFDC. While your SpamFilter connects to port 80 on LogSat's webserver, the return traffic will occur, by the nature of TCP, on a different random port on your server.

If an IDS is not able to "understand" the concept of established connections, it will not understand that the HTTP response, from LogSat's webserver to a random port on your server is, in fact, just that ... return HTTP traffic.

One recommendation would be to check the documentation for ISA server or whatever firewall appliance you have to see if it can be configured to detect anomalies while ignoring established TCP connections, as in this latter case, the return traffic on the random, high port numbers is absolutely legitimate and should not be interpreted as an "attack".

Edited by Desperado - 24 January 2008 at 11:50pm

Author	Message Topic Search Topic Options Post Reply Create New Topic Printable Version Translate Topic
Desperado Members Profile Send Private Message Find Members Posts Add to Buddy List Senior Member Joined: 27 January 2005 Location: United States Status: Offline Points: 1143	Post Options Post Reply Quote Desperado Report Post Thanks(0) Quote Reply Topic: Firewall / IDS Pit Fall (False Triggers) Posted: 24 January 2008 at 1:27pm
	There have been a couple of reports of the LogSat web server "attacking" SpamFilter customers networks and even causing some firewalls to go into some ugly La-La land. This is not an "attack". However, the high traffic nature of email messaging (and SPAM!) can cause a tightly configured (Anal retentive?) IDS or Firewall to mistake it as such. LogSat's web server is where your SpamFilter makes all the http requests to check if an IP is listed in the SFDB and SFDC. While your SpamFilter connects to port 80 on LogSat's webserver, the return traffic will occur, by the nature of TCP, on a different random port on your server. If an IDS is not able to "understand" the concept of established connections, it will not understand that the HTTP response, from LogSat's webserver to a random port on your server is, in fact, just that ... return HTTP traffic. One recommendation would be to check the documentation for ISA server or whatever firewall appliance you have to see if it can be configured to detect anomalies while ignoring established TCP connections, as in this latter case, the return traffic on the random, high port numbers is absolutely legitimate and should not be interpreted as an "attack". Edited by Desperado - 24 January 2008 at 11:50pm
	The Desperado Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com

LogSat Software

Site Navigation[Skip]

Spam Filter ISP Support Forum

Firewall / IDS Pit Fall (False Triggers)