Firewall 4.2.71.2 Blocking printers, RD,...

Discussion in 'ESET Smart Security' started by luka1002, May 31, 2011.

Thread Status:
Not open for further replies.
  1. luka1002

    luka1002 Registered Member

    I am a system admin, and have been using NOD for more than a year and a half. We have 240 licences. Until I updated all to 4.2.71.2 everything was fine.
    Now my whole network is blocked, no matter whether I add the subnet to the Trusted zone or not.
    I looked at the firewall logs; it blocks after:

    identical ip addresses detected in network

    That is NOT TRUE. To fix this I had to turn off "Block unsafe addresses after attack detection", but now everything passes and IDS is not active any more.

    Can somebody help me?
  2. Marcos

    Marcos Eset Staff Account

    What's logged in your firewall log when you enable logging of all blocked connections in the IDS setup? Could you copy & paste some relevant records from the log here?
  3. luka1002

    luka1002 Registered Member

    Identical IP addresses detected in network
    192.168.3.132
    192.168.3.194
    ARP

    31.5.2011.
    12:18:36

    Identical IP addresses detected in network
    192.168.3.132
    192.168.3.194
    ARP

    31.5.2011.
    11:34:03

    Identical IP addresses detected in network
    192.168.3.132
    192.168.3.194
    ARP

    27.5.2011.
    12:25:02

    Incorrect IP packet length
    192.168.0.11
    192.168.3.194
    TCP

    24.5.2011.
    14:48:59

    Incorrect IP packet length
    192.168.0.15
    192.168.3.194
    TCP

    23.5.2011.
    12:22:09

    Identical IP addresses detected in network
    192.168.3.132
    192.168.3.194
    ARP

    23.5.2011.
    9:06:25

    Identical IP addresses detected in network
    192.168.3.132
    192.168.3.194
    ARP

    Here is the full record from ERA:

    Column Name Value
    Firewall Id Firewall 1298192
    Client Name Onetoplay-hp
    Computer Name Onetoplay-hp
    MAC Address 00232428a57a
    Primary Server Master
    Date Received 2011-05-31 14:20:42
    Date Occurred 2011-05-31 14:06:50
    Level Critical Warning
    Event Detected ARP cache poisoning attack
    Source 192.168.66.249
    Target 192.168.66.26
    Protocol ARP
    Rule
    Application
    User

    Column Name Value
    Firewall Id Firewall 1298185
    Client Name Onetoplay-hp
    Computer Name Onetoplay-hp
    MAC Address 00232428a57a
    Primary Server Master
    Date Received 2011-05-31 14:20:42
    Date Occurred 2011-05-31 14:06:38
    Level Critical Warning
    Event Identical IP addresses detected in network
    Source 192.168.66.249
    Target 192.168.66.26
    Protocol ARP
    Rule
    Application
    User

    This one is also new:

    Column Name Value
    Firewall Id Firewall 1298457
    Client Name Ri100
    Computer Name Ri100
    MAC Address 001485a63d27
    Primary Server Master
    Date Received 2011-05-31 14:55:58
    Date Occurred 2011-05-31 14:52:34
    Level Warning
    Event Detected unexpected data in protocol
    Source 192.168.66.41:3831
    Target 255.255.255.255
    Protocol UDP
    Rule
    Application
    User

    Only this I can read from the logs.
    Last edited: May 31, 2011
  4. Marcos

    Marcos Eset Staff Account

    If possible, please create 2 logs with the network communication captured using Wireshark; one with the fw disabled when everything works fine and the other with the fw enabled when the issue occurs (make sure logging of all blocked connections is actually enabled in the IDS section of the firewall setup).

    Export your settings to an xml file and compress it along with the Wireshark logs. When done, let me know and I'll provide you with further instructions.
  5. luka1002

    luka1002 Registered Member

    1st:

    1.6.2011. 8:06:24 Identical IP addresses detected in network 192.168.66.250 192.168.66.26 ARP

    then

    1.6.2011. 8:06:24 Address temporarily blocked by active defense (IDS) 192.168.66.250:3389 192.168.66.26:49258 TCP

    ------------------------------------------------------

    I have the logs that you wanted.
  6. Marcos

    Marcos Eset Staff Account

    A PM with further instructions sent.
  7. luka1002

    luka1002 Registered Member

    I figured out that if I disable "Block unsafe addresses after attack detection" it works for about 10 min, then blocks connections for the next 10 min. If I also disable "ARP poisoning attack detection" then it works forever, but that is not a good solution.
  8. dmaasland

    dmaasland Registered Member

    Does it have a static IP? If so you can exclude it from IDS altogether.
  9. luka1002

    luka1002 Registered Member

    Then I need to exclude all the network printers, which are also static. I have about 25 of them and 9 Terminal Servers with the same problem.
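    An added illustration, not ESET's code and not from anyone in this thread, of the passive check that produces an "Identical IP addresses detected in network" style event (one IP announced by two different MACs) together with the per-host exclusion dmaasland suggests. The ARP replies, the MACs, and the 10-minute window are constructed for the example; ESET's actual rule logic is not known from this thread.

```python
"""Passive ARP-conflict check with a static-host exclusion list.

A host whose one IP is answered from two NICs (teaming/failover on a
terminal server, for instance) looks exactly like an ARP conflict to a
rule like this, which is why an exclusion for known static hosts is the
usual way to stop the false positive without disabling the detection.
"""
from collections import defaultdict

# Constructed capture: (seconds since start, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0,   "192.168.66.26",  "02:00:00:00:00:26"),  # terminal server, NIC 1
    (5,   "192.168.66.26",  "02:00:00:00:00:27"),  # same IP, NIC 2 -> "conflict"
    (12,  "192.168.66.41",  "02:00:00:00:00:41"),  # printer, one MAC only
    (30,  "192.168.66.250", "02:00:00:00:00:50"),
    (40,  "192.168.66.41",  "02-00-00-00-00-41"),  # same printer, other MAC spelling
    (900, "192.168.66.250", "02:00:00:00:00:51"),  # second MAC 15 min later, outside window
]


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so spelling differences do not alarm."""
    return mac.lower().replace("-", ":")


def arp_conflicts(replies, window_seconds=600, excluded_ips=frozenset()):
    """Return {ip: sorted MACs} for every IP announced by two different MACs
    within window_seconds of each other.  IPs in excluded_ips are skipped,
    which is what an IDS exclusion for a known static host amounts to."""
    last_seen = {}                  # ip -> (timestamp, mac) of the latest reply
    conflicts = defaultdict(set)
    for ts, ip, mac in sorted(replies):
        if ip in excluded_ips:
            continue
        mac = normalize_mac(mac)
        prev = last_seen.get(ip)
        if prev is not None and prev[1] != mac and ts - prev[0] <= window_seconds:
            conflicts[ip].update({prev[1], mac})
        last_seen[ip] = (ts, mac)
    return {ip: sorted(macs) for ip, macs in conflicts.items()}


if __name__ == "__main__":
    print("no exclusions:", arp_conflicts(SAMPLE_ARP_REPLIES))
    print("terminal server excluded:",
          arp_conflicts(SAMPLE_ARP_REPLIES, excluded_ips={"192.168.66.26"}))
```

    Shortening the window or lengthening it only changes whether the late second MAC for 192.168.66.250 counts; the teamed host is flagged either way until it is excluded.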