The MAD (Malicious Activity Detection) feature on FW-1 4.1 SP1 (aka CP2000)
keeps generating the following log entries/alerts:
"1501" "3Aug2000" " 0:02:55" "daemon" "localhost" "alert" "accept" ""
"<untrusted IP address>" "<IP on trusted network>" "ip" "" "" "
additionals: attack=blocked_connection_port_scanning"
It seems to think that multiple connection attempts (caused by network
latency/timeouts) are really port scans. Is there any way to set MAD's
threshold so it is a little more tolerant and quits giving me these annoying
pop-up alerts? I've gotten so many that I had to turn off "Play system default
beep..." and "Show this window" for the alerts. Annoying as hell!
Also, any documentation on this feature? Can't seem to find anything in any
great detail on Check Point's site or the usual outside sources (PhoneBoy, Lance
Spitzner).
TIA,
Dan
-------------------------------------------------------------------------------
Daniel R. (Dan) Dunn, EE
Sr. INFOSEC Engineer, GRC Int'l (an AT&T company)
OSD-ITD Firewall Administrator
p: 703-614-8086, ext 300
The opinions expressed by the author are entirely his own, and
do not reflect those of AT&T, GRCI, Inc., or their subsidiaries,
nor do they reflect policy, opinion, or endorsement by the
US Department of Defense or any of its agencies.
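An added triage script, not from the post or from Check Point: it parses the quoted FW-1 log-export layout shown above (same field order and line wrapping as in the post; the addresses in the sample are constructed placeholders) and reports, per source/destination pair, how many MAD port-scan alerts were logged and how closely spaced they are, which is the evidence to collect before deciding whether the threshold is too tight.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the FW-1 4.1 log-export layout quoted in the post: each
# record is a run of quoted fields wrapped across lines, and the last field
# carries the "additionals:" text. Addresses are documentation placeholders.
SAMPLE_LOG = '''\
"1501" "3Aug2000" " 0:02:55" "daemon" "localhost" "alert" "accept" ""
"203.0.113.7" "192.0.2.10" "ip" "" "" "
additionals: attack=blocked_connection_port_scanning"
"1502" "3Aug2000" " 0:03:10" "daemon" "localhost" "alert" "accept" ""
"203.0.113.7" "192.0.2.10" "ip" "" "" "
additionals: attack=blocked_connection_port_scanning"
"1503" "3Aug2000" " 0:45:00" "daemon" "localhost" "alert" "accept" ""
"198.51.100.4" "192.0.2.10" "ip" "" "" "
additionals: attack=blocked_connection_port_scanning"
'''

FIELD_RE = re.compile(r'"([^"]*)"')         # one quoted field, newlines allowed
RECORD_START = re.compile(r'\n(?="\d+" )')  # a record begins with a quoted number

def parse_records(text):
    """Yield one dict per record: number, timestamp, src, dst, attack name."""
    for block in RECORD_START.split(text.strip()):
        f = FIELD_RE.findall(block)
        if len(f) < 14:            # truncated record: skip rather than guess
            continue
        m = re.search(r'attack=(\S+)', f[13])
        yield {
            "num": int(f[0]),
            "time": datetime.strptime(f"{f[1]} {f[2].strip()}", "%d%b%Y %H:%M:%S"),
            "src": f[8], "dst": f[9],
            "attack": m.group(1) if m else None,
        }

def alerts_per_pair(records, attack="blocked_connection_port_scanning"):
    """Count MAD alerts per (src, dst) and the shortest gap between two of them;
    repeated alerts seconds apart from one pair match the retry pattern described."""
    times = defaultdict(list)
    for r in records:
        if r["attack"] == attack:
            times[(r["src"], r["dst"])].append(r["time"])
    summary = {}
    for pair, ts in times.items():
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        summary[pair] = {"count": len(ts), "min_gap_s": min(gaps) if gaps else None}
    return summary
```

Run it over an exported log and sort the summary by count to see which pairs generate the alert flood and whether their spacing looks like retries rather than a sweep.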