Intrusion LOG

Discussion in 'other firewalls' started by controler, Nov 2, 2003.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Does anyone know why Kerio has so many hits to the WhiteHats web site? Kerio Personal Firewall 4.0
     
  2. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Well, actually, it's not a 'hit' -- it's a reference to a database on the WhiteHats website at which you can obtain more detailed information on the logged event. Actually, it's a reference to the ArachNIDS database, which is mirrored by a slew of IDS websites.

    The display, however, is a bit confusing. (There is a similar question on the DSLR Security Forum at the moment.) The problem is that the display seems (to some) to be indicating the rDNS lookup for the remote site.

    It's a rather appealing feature to me. Specifically, it provides access to a dynamic database rather than relying on a "canned" (and usually rather terse) description of the event that would otherwise most likely be found in the firewall application. BlackICE/RealSecure provide a somewhat different interface that effectively accomplishes the same thing.
     
  3. controler

    controler Guest

    Thanks Joseph

    I kinda guessed as much, but this is what the help file reads, and I posted this at DSLR also.

    Kerio Personal Firewall is able to detect and block many known intrusion types. For this purpose it uses its internal intrusion database. The database is automatically updated every time a new version of the firewall is installed (therefore, we recommend you perform an update of Kerio Personal Firewall any time it is alerted).

    IDS Settings
    IDS (Intrusion Detection System) parameters can be set in the Intrusions section.
     
  4. controler

    controler Guest

    Kerio Personal Firewall uses the Snort IDS — for detailed information on individual attacks and attack types go to the http://www.snort.org/ website.
     
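    The two posts above together explain the "WhiteHats hits": the link in the intrusion log is reference metadata carried by the Snort rule that fired (its `reference:arachnids,...` option, which Snort expands with a prefix from its reference.config), not a reverse-DNS result for the remote address. The following is an added illustration, not code from Kerio or Snort: it parses a constructed Snort-style rule, expands its references the way reference.config does, and shows that the resulting URL is the same whatever the remote IP was. The rule text, the sid and the arachnids id in it are placeholders.

```python
import re

# Prefixes written in the style of Snort's reference.config. The arachnids
# entry is what makes an ArachNIDS reference appear as a WhiteHats URL.
REFERENCE_PREFIXES = {
    "arachnids": "http://www.whitehats.com/info/IDS",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
    "bugtraq": "http://www.securityfocus.com/bid/",
}

# Constructed sample rule; sid and arachnids id are placeholders, not real ids.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
        '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
        'content:"cmd.exe"; nocase; reference:arachnids,0; '
        'reference:cve,CVE-0000-0000; classtype:web-application-attack; '
        'sid:1000001; rev:1;)')


def parse_rule_options(rule):
    """Return the (key, value) pairs of the parenthesised option section.
    Semicolons inside double-quoted values (e.g. msg) do not split an option."""
    m = re.search(r"\((.*)\)\s*$", rule)
    if not m:
        raise ValueError("rule has no option section")
    parts = re.findall(r'(?:[^;"]|"[^"]*")+', m.group(1))
    opts = []
    for part in parts:
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            opts.append((key.strip(), value.strip().strip('"')))
    return opts


def references_for_rule(rule):
    """Expand each reference option into a URL, as reference.config would."""
    urls = []
    for key, value in parse_rule_options(rule):
        if key == "reference":
            system, _, ident = value.partition(",")
            prefix = REFERENCE_PREFIXES.get(system.strip().lower())
            if prefix:  # unknown reference systems are skipped, not guessed
                urls.append(prefix + ident.strip())
    return urls


def log_entry(rule, remote_ip):
    """Build the fields a firewall would log for an alert on this rule.
    The references come from the rule alone; remote_ip never influences them."""
    opts = dict(parse_rule_options(rule))
    return {"remote_ip": remote_ip, "sid": opts.get("sid"),
            "msg": opts.get("msg"), "references": references_for_rule(rule)}
```

Running `log_entry(RULE, ip)` for two different addresses yields identical `references`, which is why the URL in the log says nothing about the remote host.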
  5. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    controler,

    Until I read your posting (at DSLR Security), I didn't realize that Kerio 4.x was using SNORT for intrusion detection. (Actually, I didn't realize that a firewall vendor was allowed to simply incorporate Snort if they so desired.)

    Definitely a good choice, however. Snort is sort of the grand-daddy of IDS and packet sniffing utilities and has what is probably an unmatched set of signatures. Snort is available in cross-platform implementations and, if I recall correctly, the first signatures for Code Red came from heavy-duty users running Snort on large LANs.

    I think I'll take a detailed look at Kerio 4 when it's officially released on 10 November (?).
     
  6. controler

    controler Guest

    My WhiteHats logs have mysteriously disappeared.
    Interesting, eh?
     
  7. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    I'm still waiting for KPF 4.x to go to public release. Are you sure that there's not a configuration setting somewhere that discards log events (especially IDS events) after some period of time? It might be set too short.
     
  8. controler

    controler Guest

    Hi John

    I went back through all the settings and do not see anything to start or stop the IDS reference URL. That is what is missing in the log now.
    Here is what I think might be happening. I think when I made my first post with screen shots I was on my Linksys router with remote address 172.20.1.xxx, and the reference URL would get logged to the Intrusion LOG. Now I am on my Actiontec router, showing remote address as 192.168.0.xxxxx, so I am not sure why the reference URL is missing when using my Actiontec router. Since I use my Linksys router while at the lake and winterized my lake place, I will not be back there till spring to check it out. If anyone else is using a Linksys router and this new version of Kerio, maybe they could check into it?
    If you look at my second screen shot, you will see the details button. This new screen shot was taken from that info. It shows the reference URL should be WhiteHats.

    con
     
  9. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    controler,

    Just judging from the size of the vertical scroll bar, it looks like you've got a sizable list of IDS sigs that KPF 4.x will recognize!

    Okay, the initial shot is of the Linky with a public IP address of 172.20.1.xx. I'm not an expert on routers (still stuck on dial-up here :( ), but it looks like the IDS is picking up something from the Linky that it doesn't pick up from the other router. I have a vague recollection of some configuration issue with the Linky that might be related to this (can't remember if it involves the router or the firewall, however). Might check the Linksys forum at BBR/DSLR. Perhaps something related to the SNMP remote logging supported by the Linksys?

    Incidentally, the difference in behavior of these two routers is an excellent example of why it can be important for respondents to know more about system configuration and Internet communication above and beyond. Thanks for taking the time to extend your earlier comments. (Now, if we can just find someone who can tell you what to do! :D )
     
  10. controler

    controler Guest

    John

    The Linky allows you to log incoming and outgoing if enabled, and I do have that enabled on the Linky. This is accomplished without any special software. Just typing the 192.xxx.xx.x in your browser will pull up the router config file coded into the router. The Actiontec requires external software to get at the config settings. I will go back into that and look around, but I don't remember there being an option to log incoming and outgoing traffic on the Actiontec. I like the Actiontec mainly because of the features. It has a 4 port hub for hard wire or wireless. Also has a built in firewall. The Linky comes with an option to use Trend Micro AV and ZoneAlarm incorporated into the router, which is kinda cool also.
    Until this morning I had ICS (Windows XP's firewall) enabled too, and even though Kerio does not recommend leaving that on, I have not seen any problems here so far.
    I am trying it both ways for now. I will take a peek at the DSLReports site on Linksys and see if I can see anything there.
    Thanks again

    Went back and rechecked my Actiontec router settings and they look good. Although I use PPPoA with the Actiontec and PPPoE with the Linky, and the Actiontec log only allows web activity, not incoming and outgoing. I have also used WallWatcher with my Linky and that works well. Haven't found a similar program for the Actiontec though.

    con
     