
Firewall / IDS Pit Fall (False Triggers)

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=6365
Printed Date: 27 December 2024 at 6:29am


Topic: Firewall / IDS Pit Fall (False Triggers)
Posted By: Desperado
Subject: Firewall / IDS Pit Fall (False Triggers)
Date Posted: 24 January 2008 at 1:27pm
There have been a couple of reports of the LogSat web server "attacking" SpamFilter customers' networks and even causing some firewalls to go into some ugly La-La land. This is not an "attack". However, the high-traffic nature of email messaging (and SPAM!) can cause a tightly configured (Anal retentive?) IDS or Firewall to mistake it as such.
 
LogSat's web server is where your SpamFilter makes all the HTTP requests to check if an IP is listed in the SFDB and SFDC. While your SpamFilter connects to port 80 on LogSat's webserver, the return traffic will occur, by the nature of TCP, on a different random port on your server.
 
If an IDS is not able to "understand" the concept of established connections, it will not understand that the HTTP response from LogSat's webserver to a random port on your server is, in fact, just that ... return HTTP traffic.
 
One recommendation would be to check the documentation for ISA server or whatever firewall appliance you have to see if it can be configured to detect anomalies while ignoring established TCP connections, as in this latter case, the return traffic on the random, high port numbers is absolutely legitimate and should not be interpreted as an "attack".


-------------
The Desperado
Dan Seligmann.
Work: http://www.mags.net
Personal: http://www.desperado.com
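
The difference between a port-only rule and connection tracking, as an added example that is not part of the original post or of LogSat's software. The addresses, ports and packet records are constructed, and the tracker is a simplified model that ignores connection teardown and timeouts.

```python
from collections import namedtuple

# Constructed sample packets (documentation-range addresses, not captured traffic).
Pkt = namedtuple("Pkt", "src sport dst dport flags")
LOCAL, WEB, OTHER = "192.0.2.10", "198.51.100.5", "203.0.113.7"
PACKETS = [
    Pkt(LOCAL, 49152, WEB, 80, "S"),      # SpamFilter host opens the HTTP lookup
    Pkt(WEB, 80, LOCAL, 49152, "SA"),     # SYN-ACK returns to the ephemeral port
    Pkt(LOCAL, 49152, WEB, 80, "A"),      # handshake completes
    Pkt(WEB, 80, LOCAL, 49152, "PA"),     # HTTP response data
    Pkt(OTHER, 80, LOCAL, 50000, "PA"),   # data for a flow the host never opened
    Pkt(OTHER, 40000, LOCAL, 50001, "S"), # unsolicited inbound SYN
]

def stateless_verdict(pkt, local=LOCAL):
    """Port-only rule: flag every inbound packet addressed to a high port."""
    if pkt.dst == local and pkt.dport >= 1024:
        return "ALERT"
    return "PASS"

def stateful_verdicts(packets, local=LOCAL):
    """Remember flows the local host initiated; inbound packets that match
    the reverse of such a flow are return traffic, anything else is flagged."""
    flows = set()
    verdicts = []
    for p in packets:
        if p.src == local:
            # A bare SYN (no ACK) from the local host starts a tracked flow.
            if "S" in p.flags and "A" not in p.flags:
                flows.add((p.src, p.sport, p.dst, p.dport))
            verdicts.append("PASS")
        elif p.dst == local:
            reverse = (p.dst, p.dport, p.src, p.sport)
            verdicts.append("ESTABLISHED" if reverse in flows else "ALERT")
        else:
            verdicts.append("PASS")
    return verdicts

if __name__ == "__main__":
    for p, a, b in zip(PACKETS, map(stateless_verdict, PACKETS),
                       stateful_verdicts(PACKETS)):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} [{p.flags}] "
              f"stateless={a} stateful={b}")
```

The port-only rule flags the two legitimate replies from port 80 along with the two unrelated packets, while the tracker flags only the latter.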



