Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SNMP

From: Martin O'Neal
Date: 02/20/02

From: Martin O'Neal
Date: Wed, 20 Feb 2002 21:05:35 -0000

-- Corsaire Limited Security Advisory --

Title: Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SNMP
Date: 21.01.02
Application: Symantec Enterprise Firewall (SEF) 6.5.x
Environment: WinNT, Win2000
Author: Martin O'Neal
Audience: General distribution

-- Scope --

The aim of this document is to clearly define some issues related to
potential data loss from the Notify Daemon within the Symantec
Enterprise Firewall (SEF) environment as provided by Symantec [1].

Note: These issues do NOT appear to be directly related to recent SNMP
issues announced by CERT as advisory CA-2002-03 [2].

-- History --

Vendor notified: 21.01.02
Document released: 21.02.02

-- Overview --

The SEF firewall provides multiple methods of alerting an administrator
to firewall log events: audio, external executables, mail, pager and
SNMP. This functionality is provided by a subsystem known as the Notify

When using the SNMP transport method, it is common to send traps back to
a network management station (NMS) where they can be centrally coordinated
and managed.

When log entries are larger than a certain threshold (1024 bytes), the
Notify daemon starts to discard alerts.

-- Analysis --

If a notification rule is configured to use SNMPv1 to generate alerts for
all event types that are logged, then when the Notify daemon begins to drop
alerts, this state is recorded in the local firewall audit trail as:

notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational

It is worth noting that this alert is not subsequently passed on via SNMP.

If SNMP is used to alert an administrator of potential issues, then there
is a risk that the oversized entries will be lost.
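
As an added illustration (not part of the Corsaire advisory or of Symantec's
code), the Python example below reviews a saved copy of the local audit trail
for the 606 record shown above and for entries over the 1024-byte threshold,
which are the alerts an NMS would not have received. The function name, the
filler sample entries and measuring size on the UTF-8 encoded entry are
assumptions.

```python
import re

# Pattern built from the advisory's sample audit-trail line. Anything before
# it (timestamps, host names) is ignored because the page does not show it.
NOTIFY_FAIL = re.compile(
    r"notifyd\[\d+\]:\s*606 failed to notify:\s*"
    r"transport=(?P<transport>\w+),\s*priority=(?P<priority>\w+)"
)
SNMP_LIMIT = 1024  # bytes, the threshold stated in the advisory


def review_audit_trail(lines, limit=SNMP_LIMIT):
    """Return audit-trail entries the NMS is unlikely to have received.

    'failures'  : 606 records, where the daemon logged a dropped alert locally.
    'oversized' : entries larger than the limit, candidates for being dropped.
    Assumption: size is measured on the UTF-8 encoded entry text.
    """
    report = {"failures": [], "oversized": []}
    for lineno, raw in enumerate(lines, start=1):
        entry = raw.rstrip("\r\n")
        match = NOTIFY_FAIL.search(entry)
        if match:
            report["failures"].append(
                (lineno, match["transport"], match["priority"]))
            continue
        size = len(entry.encode("utf-8"))
        if size > limit:  # "larger than" the threshold, so 1024 itself passes
            report["oversized"].append((lineno, size))
    return report


# Constructed sample: only the notifyd line follows the advisory; the
# "exampled" entries are invented filler to exercise the size check.
SAMPLE = [
    "exampled[1]: 000 constructed short entry",
    "exampled[1]: 000 constructed long entry " + "A" * 1100,
    "notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational",
]

if __name__ == "__main__":
    result = review_audit_trail(SAMPLE)
    for lineno, transport, priority in result["failures"]:
        print(f"line {lineno}: alert dropped ({transport}, {priority})")
    for lineno, size in result["oversized"]:
        print(f"line {lineno}: {size}-byte entry exceeds {SNMP_LIMIT}")
```

Because the 606 record is itself not passed on via SNMP, a review like this
has to read the audit trail on the firewall or a copy of it.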

-- Recommendations --

The behaviour of the SNMP Notify daemon should be revised to increase the
size of the log messages accepted, up to the maximum allowed by the SNMP
standard. Additionally, the daemon should be amended to truncate oversized
log messages and then transmit the shortened entry rather than discarding
it.

-- References --


-- Revision --

a. Initial release.
b. Revised detail to include clearer explanation of issue.
c. Revised detail to include clearer explanation of issue.

Copyright 2002 Corsaire Limited. All rights reserved.

Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
Telephone: +44(0)1483-226000