Kerio Intrusion Alerts.

Discussion in 'other firewalls' started by Joe - London, Apr 11, 2004.

Thread Status:
Not open for further replies.
  1. Joe - London

    Joe - London Registered Member

    Joined:
    Apr 28, 2003
    Posts:
    10
    I've had a number of intrusion alerts recently from my Kerio Firewall. They appear to concern this site in particular: Http://www.whitehats.com/aboutus.html. Anyone know what these people are about and why they should attempt these intrusions?

    Joe.
     
  2. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Can you be a little bit more specific about the intrusion alerts?

    For example, your kerio logfile can be very helpful to analyze the (potential) danger of the intrusion, maybe it isn't harmful at all.

    Ciao,

    Smokey
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Joe

    Are you running Kerio 4.x with IDS?

    If that url was showing up in an IDS alert it was likely there as a place to go for information/definitions on the different types of IDS alerts/signatures.

    Regards,

    CrazyM
     
  4. Joe - London

    Joe - London Registered Member

    Joined:
    Apr 28, 2003
    Posts:
    10
    Hi Smokey and CrazyM,

    Thanks for your responses.

    I'm sure it's nothing serious, particularly as I did not accept when prompted. However, looking in the "Intrusion" section of the log there are a number of these from this Website. They are marked as follows: -

    Attack Class: Misc-Activity. Priority: Low. Action: Permitted.

    What does it all mean?

    I'm running Kerio 4 and that url is listed in the log as the source of the intrusion.

    Excuse my lack of knowledge but that's all I can tell you.

    Joe.
     
  5. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    Joe,

    I strongly advise you to read carefully the kerio help-file.

    It explains almost everything, and you can learn how to configure the firewall in a proper and secure way.

    For example look in the help-file to the chapter "Logs" -- Intrusion Logs and the chapter "Intrusions Detection System" -- IDS Settings, those two chapters explain and answer your question.

    Good luck,

    Ciao,

    Smokey
     
  6. Joe - London

    Joe - London Registered Member

    Joined:
    Apr 28, 2003
    Posts:
    10
    Thanks again Smokey,

    "Low priority intrusions — low-level danger intrusions (equivocal network activities, errors in protocols, invalid data format, etc.)"

    As a non Technical person I had hoped for a more detailed explanation than that provided above. Is this someone attempting to hack into my Computer? Equivocal network activities could mean anything and is itself ambiguous surely?

    Joe.
     
  7. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    To understand everything, it's absolutely necessary to read the help-file complete from the beginning till the end, only in that way you can learn what a software firewall like kerio 4x can do, and what are dangerous alerts or harmless alerts.

    In your case nobody is hacking your computer, CrazyM already explained in a reply on your answer what the alert means: it's a harmless alert and nothing to worry about.

    Ciao,

    Smokey
     
  8. Joe - London

    Joe - London Registered Member

    Joined:
    Apr 28, 2003
    Posts:
    10
    Thank you Smokey for explaining that but I'm sure you understand receiving an alert of any kind is a matter of concern and puzzling indeed when it relates to something harmless. I wouldn't expect or want to be notified every time someone passes my door, on the other hand I would like to be notified if someone tried to open my door.

    Your help is much appreciated.

    Joe.
     
  9. Smokey

    Smokey Registered Member

    Joined:
    Apr 1, 2002
    Posts:
    1,513
    Location:
    Annie's Pub
    You're welcome!;)

    Ciao,

    Smokey
     
  10. ablazhov

    ablazhov Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    6
    Other Intrusion Alerts

    I am receiving the following Intrusion alert:
    "BAD-TRAFFIC loopback traffic", remote address: 127.0.0.1 (localhost)

    I cannot understand what is causing this alert. It seems that the "attack" originates from my computer, or is this a false positive? What should I correct to stop attacking myself?

    Using KPF 4.0.14
     
  11. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    In my opinion the IDS is crap on Kerio 4x, and I always had it disabled as it caused problems with my configurations. You can't really customize what it blocks by any means other than blocking, or allowing groups, which is not desirable. I suggest you disable it, and just get on with your day :cool:
     
  12. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Here's more info relating to Kerio 4, and that site.

    Kerio 4x & IDS
    http://www.broadbandreports.com/forum/remark,10042933~mode=flat

    From www.whitehats.com/

    "ATTN Kerio Personal Firewall users: Whitehats is not attacking you, we are in the reference column, not the source. IDS does not belong on the desktop and you should disable it. I have been getting complaints from misunderstanding kerio users ever since they started including IDS signatures. Please think before you fire off email, and that applies to everyone :D Thanks! "
     