Firewall / IDS Pit Fall (False Triggers)
Desperado
Posted: 24 January 2008 at 1:27pm
There have been a couple of reports of the LogSat web server "attacking" SpamFilter customers' networks and even causing some firewalls to go into some ugly La-La land. This is not an "attack". However, the high traffic nature of email messaging (and SPAM!) can cause a tightly configured (Anal retentive?) IDS or Firewall to mistake it as such.
LogSat's web server is where your SpamFilter makes all the HTTP requests to check if an IP is listed in the SFDB and SFDC. While your SpamFilter connects to port 80 on LogSat's webserver, the return traffic will occur, by the nature of TCP, on a different random port on your server.
If an IDS is not able to "understand" the concept of established connections, it will not understand that the HTTP response, from LogSat's webserver to a random port on your server, is, in fact, just that ... return HTTP traffic.
One recommendation would be to check the documentation for ISA server or whatever firewall appliance you have to see if it can be configured to detect anomalies while ignoring established TCP connections, as in this latter case, the return traffic on the random, high port numbers is absolutely legitimate and should not be interpreted as an "attack".

Edited by Desperado - 24 January 2008 at 11:50pm
The Desperado
Dan Seligmann. Work: http://www.mags.net Personal: http://www.desperado.com
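
The difference between the two kinds of inspection described in the post above, as an added example that is not part of the original post and is not code from LogSat or any firewall vendor. The addresses, port numbers and packet trace are constructed for illustration, and the flow tracking is simplified (it handles SYN and RST only, with no FIN handshake or timeouts).

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

# Assumed addresses from the RFC 5737 documentation ranges, not real hosts.
INSIDE = "192.0.2.10"    # the SpamFilter server behind the firewall
REMOTE = "203.0.113.5"   # stand-in for the remote web server

def stateless_verdict(pkt):
    """Naive rule: any inbound packet to a high port looks like an attack."""
    return "ALERT" if pkt.dst == INSIDE and pkt.dport >= 1024 else "OK"

class StatefulInspector:
    """Remembers flows opened from inside and matches inbound packets to them."""

    def __init__(self):
        self.flows = set()  # (local_ip, local_port, remote_ip, remote_port)

    def verdict(self, pkt):
        if pkt.src == INSIDE:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":       # outbound SYN opens a flow
                self.flows.add(key)
            elif "R" in pkt.flags:     # reset closes it (FIN/timeouts omitted)
                self.flows.discard(key)
            return "OK"
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.flows:
            return "ALERT"             # inbound with no matching outbound flow
        if "R" in pkt.flags:
            self.flows.discard(key)
        return "OK"                    # return traffic on an established flow

# Constructed trace: one HTTP lookup, then one packet that matches no flow.
TRACE = [
    Packet(INSIDE, 49152, REMOTE, 80, "S"),    # SYN to port 80
    Packet(REMOTE, 80, INSIDE, 49152, "SA"),   # SYN-ACK to the ephemeral port
    Packet(INSIDE, 49152, REMOTE, 80, "A"),
    Packet(INSIDE, 49152, REMOTE, 80, "PA"),   # HTTP request
    Packet(REMOTE, 80, INSIDE, 49152, "PA"),   # HTTP response
    Packet(REMOTE, 80, INSIDE, 50000, "PA"),   # no outbound flow used port 50000
]

def compare(trace):
    """Return (stateless, stateful) verdicts for every packet in the trace."""
    inspector = StatefulInspector()
    return [(stateless_verdict(p), inspector.verdict(p)) for p in trace]

if __name__ == "__main__":
    for pkt, verdicts in zip(TRACE, compare(TRACE)):
        print(pkt, verdicts)
```

The stateless rule alerts on every reply from port 80, while the stateful inspector alerts only on the last packet, which belongs to no connection the inside host opened.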