HIDS 4151

From Atomicorp Wiki
Latest revision as of 12:04, 26 February 2015

Rule: 4151
Status: Active
Alert Message: Multiple Firewall drop events from same source.

Description

ASL has detected multiple attempts to access a port that you have configured the ASL firewall to block, and ASL has blocked this access. ASL does not block any ports by default. It will only block the ports you configure it to block. Therefore, if you are getting these alerts, this means you have configured ASL to block this port. See the Tuning Guidance section below for instructions on configuring ASL's firewall to allow connections to a port you have configured it to block.

When ASL detects this has occurred multiple times, it will also shun the IP address based on the OSSEC_SHUN_TIME you have configured for your system.

The Linux kernel also supports stateful packet inspection. This rule can also be triggered if a connection is broken and is repeatedly generating out-of-sequence packets. This is not a bug in ASL or in the kernel. This is exactly what stateful packet inspection is supposed to do. If you are triggering this rule on allowed traffic, please make sure you have FW_DROP_INVALID enabled for your system. This will detect these non-malicious out-of-sequence packets and ignore them.

Note: Some third-party kernels do not support stateful packet inspection. The ASL kernel supports stateful packet inspection. If your kernel does not, or does not include the INVALID state for iptables, then you will need to disable active response on this rule. Some third-party kernels provided with OpenVZ and Virtuozzo are known to have this limitation.

How to read the firewall logs

The ASL firewall will log a lot of information about a connection it has blocked because you have configured ASL to block the port. See this page for documentation about the log format for ASL:

Firewall Logs
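The detection logic behind rule 4151 is a frequency check: the same source address accumulating several firewall drop events within a short time window. The following is an added example, not Atomicorp's code or the OSSEC rule itself, that applies that idea to firewall log lines. It assumes the generic netfilter LOG key=value layout (IN= OUT= SRC= DST= PROTO= DPT= ...) with a syslog-style timestamp, assumes "DROP_ASL_INPUT" as the log prefix (taken from the FAQ link on this page, not verified against the Firewall Logs documentation), and uses placeholder threshold and window values because the rule's real frequency and timeframe are not given here. The sample log lines are constructed. The SYN/ACK split that sets aside non-SYN TCP drops is a log-side heuristic for the out-of-sequence packets the description mentions; it is not the kernel's conntrack INVALID state that FW_DROP_INVALID relies on.

```python
"""Count firewall drop events per source in a sliding window, in the spirit of
HIDS rule 4151 ("Multiple Firewall drop events from same source").

Added example, not Atomicorp/OSSEC code. Log format, prefix, threshold and
window are assumptions documented inline."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed placeholders: the real frequency/timeframe of rule 4151 are not on the page.
THRESHOLD = 6                      # drop events from one source ...
WINDOW = timedelta(seconds=120)    # ... within this window raise an alert
LOG_PREFIX = "DROP_ASL_INPUT"      # assumed --log-prefix, from the FAQ anchor on this page

# Assumed syslog line shape: "<Mon DD HH:MM:SS> <host> kernel: <prefix> IN=... OUT=... SRC=..."
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<rest>.*)$"
)


def parse_line(line):
    """Parse one netfilter LOG line into {ts, prefix, flags, KEY: value...}.
    Returns None for lines that are not kernel firewall log entries."""
    m = SYSLOG_RE.match(line)
    if not m or "IN=" not in m.group("rest"):
        return None
    fields, flags, prefix, seen_in = {}, set(), [], False
    for tok in m.group("rest").split():
        if "=" in tok:                     # key=value field (IN=, SRC=, DPT=, ...)
            key, value = tok.split("=", 1)
            fields[key] = value
            seen_in = seen_in or key == "IN"
        elif seen_in:                      # bare tokens after IN= are flags (DF, SYN, ACK, ...)
            flags.add(tok)
        else:                              # text before IN= is the --log-prefix
            prefix.append(tok)
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # no year in syslog stamps
    return {"ts": ts, "prefix": " ".join(prefix), "flags": flags, **fields}


def is_new_connection_attempt(ev):
    """Heuristic: a TCP drop carrying ACK (or lacking SYN) is more likely a stray
    packet from a broken connection than a fresh attempt on the blocked port."""
    if ev.get("PROTO") != "TCP":
        return True
    return "SYN" in ev["flags"] and "ACK" not in ev["flags"]


def find_repeat_offenders(lines, threshold=THRESHOLD, window=WINDOW, ignore_stale=True):
    """Return [(src, alert_time, count)] for sources reaching `threshold` drops
    within `window`. One burst yields one alert; the window restarts after it."""
    recent = defaultdict(deque)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["prefix"].startswith(LOG_PREFIX) or "SRC" not in ev:
            continue
        if ignore_stale and not is_new_connection_attempt(ev):
            continue
        q = recent[ev["SRC"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:    # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((ev["SRC"], ev["ts"], len(q)))
            q.clear()
    return alerts


def _line(ts, src, dpt, flags):
    """Build a constructed sample log line (not a real capture)."""
    return (f"{ts} host kernel: {LOG_PREFIX}: IN=eth0 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=198.51.100.5 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP "
            f"SPT=45000 DPT={dpt} WINDOW=29200 RES=0x00 {flags} URGP=0")


# Constructed sample: 6 SYNs to a blocked port, 8 stray ACKs from a broken
# connection, and 2 SYNs that stay under the threshold.
SAMPLE_LOG = (
    [_line(f"Feb 26 12:00:{s:02d}", "203.0.113.7", 23, "SYN") for s in range(0, 60, 10)]
    + [_line(f"Feb 26 12:01:{s:02d}", "198.51.100.77", 443, "ACK") for s in range(0, 40, 5)]
    + [_line(f"Feb 26 12:02:{s:02d}", "192.0.2.9", 22, "SYN") for s in range(0, 20, 10)]
)

if __name__ == "__main__":
    for src, when, n in find_repeat_offenders(SAMPLE_LOG):
        print(f"4151-style alert: {n} drops from {src} by {when:%H:%M:%S}")
    for src, when, n in find_repeat_offenders(SAMPLE_LOG, ignore_stale=False):
        print(f"without stale filtering: {n} drops from {src} by {when:%H:%M:%S}")
```

Run with `ignore_stale=False` to see the second source (the stray ACKs) also cross the threshold; that is the false positive the description attributes to broken connections, which FW_DROP_INVALID is meant to suppress at the kernel level before the log line is ever written.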

Troubleshooting

False Positives

None.

If you do not wish to block access to this port, please see the Tuning Guidance below.

Tuning Guidance

To configure the firewall to allow connections to this port, please see the ASL firewall documentation page.

If you are using Fast mode, then you will want to add the ports you want to allow into these settings:

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_INBOUND_TCP_SERVICES

https://www.atomicorp.com/wiki/index.php/ASL_firewall#FW_INBOUND_UDP_SERVICES

Additional Information

Similar Rules

None.

FAQs

See this article:

https://www.atomicorp.com/wiki/index.php/Using_ASL#DROP_ASL_INPUT

Knowledge Base Articles

None.

Outside References

None.

Notes