Kerio Intrusion Alerts.

I've had a number of intrusion alerts recently from my Kerio Firewall. They appear to concern this site in particular: Http://www.whitehats.com/aboutus.html. anyone know what these people are about and why they should attempt these intrusions?

Joe.

 

Can you be a little bit more specific about the intrusion alerts?

For example your kerio logfile can be very helpfull to analyze the (potential) danger of the intrusion, maybe it isn't harmfull at all.

Ciao,

Smokey​

 

Hi Joe

Are you running Kerio 4.x with IDS?

If that url was showing up in an IDS alert it was likely there as a place to go for information/definitions on the the different types of IDS alerts/signatures.

Regards,

CrazyM

 

Hi Smokey and CrazyM,

Thanks for your responses.

I'm sure its nothing serious particularly as I did not accept when prompted. However, looking in the "Intrusion" section of the log there are a number of these from this Website. They are marked as follows: -

Attack Class: Misc-Activity. Priority: Low. Action: Permitted.

What does it all mean?

I'm running Kerio 4 and that url is listed in th log as the source of the intrusion.

Excuse my lack of knowledge but thats all I can tell you.

Joe.

 

Joe,

I strongly advice you to read carefully the kerio help-file.

It explaines almost everything, and you can learn how to configure the firewall in a proper and secure way.

For example look in the help-file to the chapter "Logs" -- Intrusion Logs and the chapter "Intrusions Detection System" -- IDS Settings, those two chapters explaines and answers your question.

Good luck,

Ciao,

Smokey​

 

Thanks again Smokey,

"Low priority intrusions — low-level danger intrusions (equivocal network activities, errors in protocols, invalid data format, etc.)

As a non Technical person I had hoped for a more detailed explanation than that provided above. Is this someone attempting to hack into my Computer? Equivocal network activities could mean anything and is itself ambiguous surely?

Joe.

 

To understand everything, it's absolutely necessary to read the help-file complete from the beginning till the end, only in that way you can learn what a software firewall like kerio 4x can do, and what are dangerous alerts or harmless alerts.

In your case nobody is hacking your computer, CrazyM already explained in a reply on your answer what the alert means: it's a harmless alert and nothing to worry about.

Ciao,

Smokey​

 

Thank you Smokey for explaining that but I'm sure you understand receiving an alert of any kind is a matter of concern and puzzling indeed when it relates to something harmless. I wouldn't expect or want to be notified every time someone passes my door, on the other hand I would like to be notified if someone tried to open my door.

Your help is much appreciated.

Joe.

 

You're welcome!

Ciao,

Smokey​

 

Other Intrusion Alerts

I am receiving the following Intrusion alert:
"BAD-TRAFFIC loopback traffic", remote address: 127.0.0.1 (localhost)

I cannot understand what is causing this alert. It seems that the "attack" originates from my computer or this is false positive?? What should it correct to stop attacking myself??

Using KPF 4.0.14

 

In my opinion the IDS is crap on Kerio 4x, and I always had it disabled as it caused problems with my configurations. You can't really customize what it blocks by any means other than blocking, or allowing groups which is not desireable. I suggest you disable it, and just get on with your day

 

Here's more info relating to Kerio 4, and that site.

Kerio 4x & IDS
http://www.broadbandreports.com/forum/remark,10042933~mode=flat

From »www.whitehats.com/

"ATTN Kerio Personal Firewall users: Whitehats is not attacking you, we are in the reference column, not the source. IDS does not belong on the desktop and you should disable it. I have been getting complaints from misunderstanding kerio users ever since they started including IDS signatures. Please think before you fire off email, and that applies to everyone Thanks! "