Re: Kerio Personal Firewall: - followup

From: Alan Illeman (illemann_at_surfbest.net)
Date: 04/02/04


Date: Thu, 1 Apr 2004 20:13:57 -0500

There's a mistake in this post - see inline comment.
Alan

"Alan Illeman" <illemann@surfbest.net> wrote in message
news:106mgq8g7kv5o63@news.supernews.com...
> Note I have removed the names and email addresses of the
> two people I have been communicating with at SANS.ORG
> and KERIO.COM and will call them here, simply S-ENG
> and K-ENG (Sans engineer, Kerio engineer), and
> ME is errr.. well, me!
>
> [ ORIGINAL MESSAGE - STARTS ]
>
> Hello,
>
> I am very satisfied with your product.
> I have also purchased AVG 7 Professional.
>
> I am getting continuous intrusions from the same source:
>
> Description:
> "BAD-TRAFFIC loopback traffic"
> Direction:
> IN
> Remote Address:
> 127.0.0.1
> Reference URL:
> http://rr.sans.orgfirewall/egress.php
> Attack class:
> bad-unknown
> Priority:
> medium
> Action:
> dropped
>
> They occur as regularly as 10 secs apart, but sometimes only
> 10 minutes apart.
>
> This was the reply from sans.org:
> <quote>
> I'm willing to bet you are using the Kerio Personal Firewall. Please look
> at http://www.sans.org/faq.php#egress for an explanation. Quick Summary:
> Kerio is misrepresenting the Snort alert. You are not being attacked by
> the SANS Reading Room.
> </quote>
>
> I found the above explanation difficult to understand.

The above sentence refers to the 'Kerio is misrepresenting the Snort alert'
explanation, not the http://www.sans.org/faq.php#egress explanation.

>
> What can you tell me?
>
> Warm regards,
> Alan
>
> [ORIGINAL MESSAGE - ENDS]
>
>
> 1) - from K-ENG
> > I've had a reply from Kerio technical support "I will ask second level
> > support about this. I do not know if Sans.org is correct and that KPF
> > is misreporting this event. I will find more information for you."
>
> 2) - from K-ENG
> > I spoke to second level support and they say that the 'Reference URL'
> > field shows a URL, which contains information about the logged attack and
> > the corresponding IDS rule. It is not the source address of the attack.
> >
> > I think sans.org is giving users incorrect information regarding this
> > feature of our product.
>
> 3) - ME to K-ENG
>
> I KNOW that the Reference URL field is not reporting the source of
> the attack. What your organisation needs to do, is to determine WHY
> it is behaving this way. WE also know that the reported Remote Address
> cannot be 127.0.0.1
>
> You ARE using Snort software in this product. Sans.org IS a reputable
> security conscious organisation, so I suggest that you or others in
> 'second level support', contact S-ENG who replied to my inquiry - and
> get back to me. There is no hurry, as the intrusions are being denied, but
> there is a real CONCERN, not just by me, but by others in a Usenet
> newsgroup.
>
> You have an excellent product, in my opinion, and Kerio deserves a full
> investigation.
>
> 4) - ME to K-ENG and S-ENG
> (both in same email, so if they're not in touch by now, they'll know)
>
> S-ENG, I've asked K-ENG of Kerio to get in touch with you.
>
> In the meantime I downloaded Snort and did a text search in
> the Rules directory for 'egress'. In the file 'bad-traffic.rules' is
> this entry . . .
>
> alert ip any any <> 127.0.0.0/8 any
> (msg:"BAD-TRAFFIC loopback traffic";
> classtype:bad-unknown;
> reference:url,rr.sans.org/firewall/egress.php;
> sid:528;
> rev:4;)
>
> It's all on one line in the file.
>
> Have a good day.
>
> Best wishes to you both.
>
> Alan Illeman (Toronto, Canada)
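The rule quoted in the message above is a plain text line whose header (action, protocol, addresses, direction) decides what traffic matches, and whose options (msg, classtype, reference, sid, rev) are metadata attached to the alert. The following is an added example written for this page, not code from Kerio, Snort or the posters: it parses that rule, applies the header to a packet's addresses, and builds an alert record with the same field names the post shows, so that it is visible which fields come from the packet and which come from the rule text. Assumptions: the parser handles only "keyword:value;" options (all this rule uses), and the "url" reference system is expanded to http:// as in Snort's default reference.config; the packet addresses are constructed for the demonstration.

```python
"""Parse the Snort rule quoted in the post and show which alert fields come
from the rule's metadata and which come from the packet."""
import ipaddress
import re

# The rule from bad-traffic.rules as quoted in the post (sid 528, rev 4),
# joined onto one line as it appears in the rules file.
SNORT_RULE = (
    'alert ip any any <> 127.0.0.0/8 any '
    '(msg:"BAD-TRAFFIC loopback traffic"; classtype:bad-unknown; '
    'reference:url,rr.sans.org/firewall/egress.php; sid:528; rev:4;)'
)

# Matches one "keyword:value;" option; quoted values may contain spaces and ';'.
_OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(rule: str) -> dict:
    """Split a single-line Snort rule into its header fields and its options.

    Only "keyword:value;" options are handled (assumption); that is all this
    rule uses. Keyword-only options such as "nocase;" would be ignored.
    """
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options: dict = {}
    for match in _OPTION_RE.finditer(body.rstrip(")")):
        key, value = match.group(1), match.group(2).strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options.setdefault(key, []).append(value)
    return {
        "action": action, "proto": proto,
        "src": src, "sport": sport, "direction": direction,
        "dst": dst, "dport": dport,
        "options": options,
    }


def _addr_matches(spec: str, ip: str) -> bool:
    """True if an IP address falls inside a rule address spec ("any" or CIDR)."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule: dict, src_ip: str, dst_ip: str) -> bool:
    """Apply the rule header to a packet's source and destination addresses.

    '->' is one-directional; '<>' also matches with the addresses swapped,
    which is why 127.0.0.1 on either end of the packet triggers sid 528.
    """
    forward = _addr_matches(rule["src"], src_ip) and _addr_matches(rule["dst"], dst_ip)
    if rule["direction"] == "->":
        return forward
    reverse = _addr_matches(rule["src"], dst_ip) and _addr_matches(rule["dst"], src_ip)
    return forward or reverse


def render_alert(rule: dict, src_ip: str, dst_ip: str, inbound: bool = True) -> dict:
    """Build an alert record with the field names the post shows.

    Only "Remote Address" and "Direction" come from the packet; every other
    field is copied out of the rule text. The Reference URL in particular is
    documentation for the signature, not a peer address. The "url" reference
    system is expanded to http:// (assumed default reference.config mapping).
    """
    opts = rule["options"]
    system, _, target = opts["reference"][0].partition(",")
    prefix = "http://" if system == "url" else system + ":"
    return {
        "Description": opts["msg"][0],
        "Direction": "IN" if inbound else "OUT",
        "Remote Address": src_ip if inbound else dst_ip,
        "Reference URL": prefix + target,
        "Attack class": opts["classtype"][0],
        "Rule": f"sid:{opts['sid'][0]} rev:{opts['rev'][0]}",
    }


if __name__ == "__main__":
    parsed = parse_rule(SNORT_RULE)
    # Constructed packet: a loopback-sourced packet seen inbound on the host.
    if rule_matches(parsed, "127.0.0.1", "192.168.1.5"):
        for field, value in render_alert(parsed, "127.0.0.1", "192.168.1.5").items():
            print(f"{field}: {value}")
```

Running it prints a record in which Remote Address is 127.0.0.1 (from the packet) while Reference URL is http://rr.sans.org/firewall/egress.php (from the rule's reference option), which is the distinction the SANS reply was making.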