Difference between revisions of "HIDS 4151"
Revision as of 18:34, 15 February 2013
| Rule 4151 | |
|---|---|
| Status | Active |
| Alert Message | Multiple Firewall drop events from same source. |
= Description =
ASL has detected multiple attempts to access a port that the firewall has been configured by the user to block, and ASL has blocked this access. When ASL detects this has occurred multiple times, it will also shun the IP address based on the OSSEC_SHUN_TIME configured on the system.
The Linux kernel also supports stateful packet inspection, so this rule can also be triggered when a connection breaks and starts generating out-of-sequence packets. This is not a bug in ASL or in the kernel; it is exactly what stateful packet inspection is supposed to do. If this rule is firing on traffic you intend to allow, make sure FW_DROP_INVALID is enabled on your system: it detects these non-malicious out-of-sequence packets and ignores them.
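As an added illustration of the detection logic described above (example code, not ASL's or OSSEC's own), this script counts firewall drop events per source address over a sliding time window and, mirroring what FW_DROP_INVALID is meant to achieve, leaves packets logged as INVALID out of the count. The log lines and the FW_DROP/FW_INVALID log prefixes are constructed for the example and are not ASL's real format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in iptables LOG style; the FW_DROP/FW_INVALID
# prefixes are assumptions for this example, not ASL's actual log prefixes.
SAMPLE_LOG = """\
Feb 15 18:34:01 host kernel: FW_DROP: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=23
Feb 15 18:34:03 host kernel: FW_DROP: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23
Feb 15 18:34:05 host kernel: FW_DROP: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=23
Feb 15 18:34:06 host kernel: FW_INVALID: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51234
Feb 15 18:34:07 host kernel: FW_INVALID: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51234
Feb 15 18:34:08 host kernel: FW_INVALID: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=443 DPT=51234
Feb 15 18:40:30 host kernel: FW_DROP: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<prefix>FW_\w+): "
    r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse(text, year=2013):
    """Turn syslog-style kernel lines into (timestamp, prefix, src, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip lines that are not firewall log entries
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["prefix"], m["src"], int(m["dpt"])))
    return events

def find_repeat_offenders(events, threshold=3, window_s=120, ignore_invalid=True):
    """Return {src: max drops seen inside any window_s span} for sources at or
    above threshold. With ignore_invalid=True, packets logged under the INVALID
    prefix (out-of-sequence packets from broken connections) are not counted,
    which is the behaviour FW_DROP_INVALID is meant to give the real rule."""
    per_src = defaultdict(list)
    for ts, prefix, src, _dpt in sorted(events):
        if ignore_invalid and prefix == "FW_INVALID":
            continue
        per_src[src].append(ts)
    offenders = {}
    for src, times in per_src.items():
        start, best = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[src] = best
    return offenders
```

Running `find_repeat_offenders(parse(SAMPLE_LOG))` reports only 203.0.113.5; passing `ignore_invalid=False` also reports 198.51.100.7, which is the false positive the FW_DROP_INVALID setting is there to avoid.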
= Troubleshooting =
== False Positives ==
None.
If you do not wish to block access to this port, please see the Tuning Guidance below.
== Tuning Guidance ==
To configure the firewall to allow connections to this port, please see the ASL firewall documentation page.
= Additional Information =
== Similar Rules ==
None.
== Knowledge Base Articles ==
None.
== Outside References ==
None.