Re: Kerio Personal Firewall: - followup
From: Alan Illeman (illemann_at_surfbest.net)
Date: 04/02/04
- Next message: Alan Illeman: "Re: Kerio Personal Firewall: - followup"
- Previous message: ronaldcarter_at_adelphia.net: "Re: Firewall Setup..."
- In reply to: Goerz: "Re: Kerio Personal Firewall: - followup"
- Next in thread: Alan Illeman: "Re: Kerio Personal Firewall: - followup"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 1 Apr 2004 20:08:56 -0500
"Goerz" <goerz@despammed.com> wrote in message
news:5RYac.105951$FJ6.3874742@twister1.libero.it...
>
> "Alan Illeman" <illemann@surfbest.net> in message
> news:106mgq8g7kv5o63@news.supernews.com... wrote:
> [snip!]
> > You ARE using Snort software in this product. Sans.org IS a reputable
> > security conscious organisation, so I suggest that you or others in
> > 'second level support', contact S-ENG who replied to my inquiry - and
> > get back to me. There is no hurry, as the intrusions are being denied,
> > but there is a real CONCERN, not just by me, but by others in a Usenet
> > newsgroup.
>
> Thank you for your post, please keep us informed.
> By the way, I connected another pc (a laptop), with Kerio Personal
> Firewall installed, to my home ADSL line: the intrusions started
> immediately, with
> the same frequency. The intrusion log of this laptop, when connected to a
> large corporate network with hardware firewall and so on, didn't show
> anything about this "loopback". I therefore strongly suspect it's not
> something generated internally by the pc, but a network activity.
> Regards,
> Goerz
Actually I made a mistake in my email to Kerio and Sans. I referred
to http://rr.sans.org/firewall/egress.php as being difficult to understand
whereas I really meant a different link.
<quote>
http://rr.sans.org/firewall/egress.php
Why is SANS attacking me from http://rr.sans.org/firewall/egress.php?
Snort (www.snort.org) is an open-source IDS tool. One of the default
Snort rules for identifying bad traffic is:
alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic";
classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php;
sid:528; rev:4;)
The "alert ip any any <> 127.0.0.0/8 any" portion says to generate an
alert on IP traffic to or from any 127.x.x.x address. The "msg:" attribute
contains the text of the alert. The "reference:" field can contain one or
more references to external sites with information about this kind of traffic.
In this case the reference includes the URL to a SANS Reading Room document
which contains information about egress filtering on your network.
We have received a number of questions asking why we are attacking folks
and it has almost always been the case that the person asking why SANS was
attacking them was using the Kerio personal firewall.
! Kerio appears to use the Snort engine and default rules for their IDS
! capability. They also seem to be badly mangling the information in this
! specific signature so you think that they are reporting an attack from
! SANS.
The correct answer is that someone sent a probe/attack to your IP address
and forged the source address to be 127.x.x.x.
If you are getting these attacks/probes at home on a cable/DSL connection,
you cannot really do anything to prevent them. Your personal firewall is
doing what it should to protect your individual computer. If you are getting
these attacks/probes at work, then talk to your network administrators about
adding ingress filters to block this traffic.
</quote>
Obviously I understand this :)
The paragraph (with my exclamations '!') is an assumption. Kerio have told me
that they ARE using the 'default rules' but NOT the 'Snort engine', which is
not surprising as it is open source software. Kerio refute the criticism in
this paragraph, although they have not publicly said so (I phoned them, and
got nowhere)
Alan
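To make the SANS explanation of sid 528 concrete, here is an added example (not part of the original thread, nor Kerio's or Snort's code): a small parser for the quoted rule and a matcher that applies its bidirectional `<>` address test to constructed sample packets, then renders the alert the way the SANS note says it should be read. The sample endpoint addresses are constructed documentation-range values; the matcher ignores ports because this rule uses `any` for both.

```python
import ipaddress
import re

# The default Snort rule quoted in the post (sid 528), used here as parser input.
RULE = ('alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; '
        'classtype:bad-unknown; reference:url,rr.sans.org/firewall/egress.php; '
        'sid:528; rev:4;)')

HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPTION_RE = re.compile(r'(\w+):("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(text):
    """Split a one-line Snort rule into its header fields and an option map.
    Options that may repeat (e.g. reference) are kept as lists."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a single-line Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = {}
    for key, val in OPTION_RE.findall(body):
        options.setdefault(key, []).append(val.strip('"'))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, src, dst):
    """True if a packet between src and dst passes the rule's address test.
    '<>' is bidirectional, so a forged 127.x source matches just as a 127.x
    destination would. Ports are not checked: this rule uses 'any' for both."""
    fwd = _addr_matches(rule["src"], src) and _addr_matches(rule["dst"], dst)
    if rule["direction"] == "->":
        return fwd
    return fwd or (_addr_matches(rule["src"], dst) and _addr_matches(rule["dst"], src))


def describe_alert(rule, src, dst):
    """Render the alert as the SANS note says to read it: the reference URL is
    documentation, and the suspicious endpoint is the one in loopback space."""
    if not rule_matches(rule, src, dst):
        return None
    spoofed = src if ipaddress.ip_address(src).is_loopback else dst
    return (f'sid {rule["options"]["sid"][0]}: {rule["options"]["msg"][0]} '
            f'src={src} dst={dst}; {spoofed} is loopback space and was almost '
            f'certainly forged; documentation: {rule["options"]["reference"][0]}')


if __name__ == "__main__":
    rule = parse_rule(RULE)
    # Constructed sample endpoints (RFC 5737 documentation ranges), not from the page.
    print(describe_alert(rule, "127.0.0.1", "203.0.113.7"))    # forged source: alert
    print(describe_alert(rule, "198.51.100.9", "203.0.113.7"))  # ordinary traffic: None
```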