Re: Firewall Activity analysis

From: Matt Harris (
Date: 12/11/02

  • Next message: Matthew F. Caldwell: "RE: Firewall Activity analysis"
    Date: Wed, 11 Dec 2002 17:11:45 -0500
    From: Matt Harris <>
    To: "Anton A. Chuvakin" <>,

    "Anton A. Chuvakin" wrote:
    > And the dangerous thing about jumping in and implementing some simple
    > rules (such as "connection failed -> conn successful"), might create a
    > nice little (well, BIG actually!) "false-positive machine" and NIDS
    > systems already provide plenty of that.

    Just imagine if an SSL web server (port 443) had images on it hosted on
    the same system on an insecure virtual host (port 80) and the image
    server went down (failed connection), then they clicked a link to
    another document on the secure server (successful connection)... It
    would more than likely be going off for everyone hitting the web site...
    For a busy site, this could spell disaster.

     * Matt Harris - Senior UNIX Systems Engineer
     * Smithsonian Institution, OCIO