Spam Filter ISP Support Forum


Firewall / IDS Pit Fall (False Triggers)

Desperado
Senior Member

Joined: 27 January 2005
Location: United States
    Posted: 24 January 2008 at 1:27pm
There have been a couple of reports of the LogSat web server "attacking" SpamFilter customers' networks and even causing some firewalls to go into some ugly La-La land. This is not an "attack". However, the high traffic nature of email messaging (and SPAM!) can cause a tightly configured (Anal retentive?) IDS or Firewall to mistake it as such.
LogSat's web server is where your SpamFilter makes all the HTTP requests to check if an IP is listed in the SFDB and SFDC. While your SpamFilter connects to port 80 on LogSat's webserver, the return traffic will occur, by the nature of TCP, on a different random port on your server.
If an IDS is not able to "understand" the concept of established connections, it will not understand that the HTTP response, from LogSat's webserver to a random port on your server, is, in fact, just that ... return HTTP traffic.
One recommendation would be to check the documentation for ISA server or whatever firewall appliance you have to see if it can be configured to detect anomalies while ignoring established TCP connections, as in this latter case, the return traffic on the random, high port numbers is absolutely legitimate and should not be interpreted as an "attack".

Edited by Desperado - 24 January 2008 at 11:50pm
The Desperado
Dan Seligmann.
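
Added example, not part of the original post and not LogSat's code: a small Python model of the false trigger described above, comparing a rule that alerts on any inbound packet to a high port with one that first checks for a locally initiated connection. The addresses, ports and packet tuple are constructed for illustration, and the tracker assumes connections end only on a reset (no FIN or timeout handling).

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

LOCAL = "192.0.2.10"      # constructed: the SpamFilter server
LOOKUP = "198.51.100.20"  # constructed: stands in for the lookup web server
OTHER = "203.0.113.77"    # constructed: a host the server never contacted

# Constructed sample traffic: one HTTP lookup, then one stray packet.
SAMPLE = [
    Packet(LOCAL, 49152, LOOKUP, 80, "S"),    # outbound SYN to port 80
    Packet(LOOKUP, 80, LOCAL, 49152, "SA"),   # SYN/ACK back to the ephemeral port
    Packet(LOCAL, 49152, LOOKUP, 80, "A"),
    Packet(LOOKUP, 80, LOCAL, 49152, "PA"),   # HTTP response data
    Packet(OTHER, 80, LOCAL, 49153, "SA"),    # no outbound SYN preceded this
]

def stateless_alerts(packets, local_ip):
    """Naive rule: any inbound packet to a high port is treated as an attack."""
    return [i for i, p in enumerate(packets)
            if p.dst == local_ip and p.dport >= 1024]

def stateful_alerts(packets, local_ip):
    """Alert only on inbound packets that match no locally initiated connection."""
    conns = set()  # entries are (local_port, remote_ip, remote_port)
    alerts = []
    for i, p in enumerate(packets):
        if p.src == local_ip:
            key = (p.sport, p.dst, p.dport)
            if p.flags == "S":          # a bare SYN opens a tracked connection
                conns.add(key)
            if "R" in p.flags:          # a local reset tears it down
                conns.discard(key)
        elif p.dst == local_ip:
            key = (p.dport, p.src, p.sport)
            if key not in conns:
                alerts.append(i)        # nothing local asked for this packet
            elif "R" in p.flags:        # a remote reset tears it down
                conns.discard(key)
    return alerts

if __name__ == "__main__":
    print("stateless alerts:", stateless_alerts(SAMPLE, LOCAL))
    print("stateful alerts: ", stateful_alerts(SAMPLE, LOCAL))
```

The stateless rule flags both legitimate replies from port 80 as well as the stray packet; the stateful rule flags only the stray packet.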
