|Alert Message||Multiple Firewall drop events from same source.|
ASL has detected multiple attempts to access a port that you have configured the ASL firewall to block, and ASL has blocked this access. ASL does not block any ports by default. It will only block the ports you configure it to block. Therefore, if you are getting these alerts, this means you have configured ASL to block this port. See the Tuning guidance section below for instructions to configure ASLs firewall to allow connections to ports you have configured.
When ASL detects this has occurred multiple times, it will also shun the IP address based on the OSSEC_SHUN_TIME you have configured for your system.
The Linux kernel also supports stateful packet inspection. This rule can also be triggered if a connection is broken and is generating out of sequence packets. This is not a bug in ASL or in the kernel. This is exactly what stateful packet inspection is supposed to do. If you are triggering this rule on allowed traffic, please make sure you have FW_DROP_INVALID enabled for your system. This will detect these non-malicious out of sequence packets, and will ignore them.
How to read the firewall logs
The ASL firewall will log a lot of information about a connection it has blocked because you have configured ASL to block the port. See this page for documentation about the log format for ASL:
If you do not wish to block access to this port, please see the Tuning Guidance below.
To configure the firewall to allow connections to this port, please see the ASL firewall documentation page.
If you are using Fast mode, then you will want to add the ports you want to allow in to these settings:
See this Article:
Knowledge Base Articles