Hi,

A few months ago, I created two IDS rules following Lance's article "Intrusion Detection for FW-1". They all worked fine and caught a few suspicious activities. Additionally, a month ago I decided to tune up the system a li'l bit (Solaris 2.6, patch level 105181-21, FW-1 4.0). I applied some changes:

    ndd -set /dev/tcp tcp_xmit_hiwat 64000
    ndd -set /dev/tcp tcp_recv_hiwat 64000
    ndd -set /dev/tcp tcp_slow_start_initial 2
    ndd -set /dev/tcp tcp_conn_req_max_q 1024
    ndd -set /dev/tcp tcp_conn_req_max_q0 4096
    ndd -set /dev/tcp tcp_close_wait_interval 60000

and set

    set tcp:tcp_conn_hash_size = 16384

in /etc/system. I also set local-mac-address and put two other entries in the objects.C file:

    :nat_limit (50000)
    :nat_hashsize (65535)

Since then I've been getting all kinds of false alarms: valid outbound http conns get cut off, and it also happens to some smtp (with roughly 12,000 a day, 30-40 are cut), as being caught by either rule 1 or 2*.

*(1 - prevents queSO and ping-of-death from the Internet to DMZ, 2 - prevents portscanning on DMZ)

Before the change was done, all http initiated from outside (all the banner exchangers) had been just silently dropped.

I'm kinda confused... however I suspect it has something to do with windows and timeouts affecting long-lasting sessions - i.e. an email with a 5MB attachment. Any advice more than welcome!

ps. for those who haven't seen it yet, there is an excellent article on Solaris kernel tune-up:
http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html

Dominik

=====
Your rifle is only a tool, it is a hard heart which kills.. <full metal jacket>
--------------------------------
Dominik M. Miklaszewski
[EMAIL PROTECTED]
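The post changed six /dev/tcp parameters at once and then saw long-lived sessions being cut, which makes it hard to tell which knob is responsible. The script below is an added example, not Dominik's own procedure or anything from the FW-1 list: it records the value of each parameter with ndd -get before setting it, and writes a rollback script so the knobs can be reverted one at a time while the dropped-session problem is narrowed down. It assumes the Solaris ndd(1M) -get/-set syntax; the ndd command is passed in as a parameter so the logic can be exercised with a stub, and the rollback file path is the caller's choice.

```shell
#!/bin/sh
# Added example, not from the original post: snapshot each Solaris /dev/tcp
# parameter before changing it and write a rollback script, so individual
# settings can be reverted one by one while hunting the cause of cut sessions.
# Assumes the Solaris ndd(1M) "-get" / "-set" syntax.

# Parameter / target value pairs exactly as listed in the post.
TCP_TUNING='
tcp_xmit_hiwat 64000
tcp_recv_hiwat 64000
tcp_slow_start_initial 2
tcp_conn_req_max_q 1024
tcp_conn_req_max_q0 4096
tcp_close_wait_interval 60000
'

# apply_tcp_tuning NDD_CMD ROLLBACK_FILE
#   NDD_CMD       command (or shell function) used in place of ndd;
#                 pass "ndd" on a real Solaris host
#   ROLLBACK_FILE script written here; running it restores the old values
apply_tcp_tuning() {
    ndd_cmd=$1
    rollback=$2
    printf '#!/bin/sh\n# generated rollback: restores pre-tuning /dev/tcp values\n' > "$rollback"
    while read -r param value; do
        # skip the blank lines that surround the parameter list
        [ -z "$param" ] && continue
        # read the current value first; abort if the driver refuses the query
        old=$("$ndd_cmd" -get /dev/tcp "$param") || return 1
        printf 'ndd -set /dev/tcp %s %s\n' "$param" "$old" >> "$rollback"
        # only now apply the new value
        "$ndd_cmd" -set /dev/tcp "$param" "$value" || return 1
    done <<EOF
$TCP_TUNING
EOF
}

# count_rollback_entries ROLLBACK_FILE: number of "ndd -set" lines recorded
count_rollback_entries() {
    grep -c '^ndd -set /dev/tcp ' "$1"
}

# Usage on Solaris, as root, after sourcing this file:
#   apply_tcp_tuning ndd /var/tmp/tcp_rollback.sh
# Then comment out single lines in the rollback script and run it to revert
# one setting at a time.
```

Because the old value is written before the new one is applied, a failure part-way through leaves a rollback file that covers exactly the parameters already changed. Note that ndd changes do not survive a reboot, so the /etc/system entry for tcp_conn_hash_size has to be handled separately.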
