Scan ASL 5.004 with Nessus - any report or warning

Hi all,

I have ASL V.5004 with Intrusion Protection licence. I am scan ASL with program Nessus. But Intrusion Protection no report any attack, port scanning and nor yet not send e-mail warning.

I have licence on Intrusion Protection, Intrusion Protection enable, Portscan Detection enable, Notification Levels High and medium severity but ASL no sent any warning !

Where is error ?

Thanks Alda

0 JimmyM over 21 years ago

ASLs implementation of Snort uses inline mode to analyze traffic that passes in/out/through the firewall. If the port scans are being dropped since they are targeted ar unopened ports, I'm not sure snort would see the traffic. This is how snort_inline works, If Astaro has set up ASL to QUEUE ALL inbound traffic then it should detect a port scan, this will however increase CPU usage since ASL/Snort has to analyze ALL traffic even though it is sent to unopened ports. In addition dynamic snort rules would have to be generated by ASL to have snort drop traffic on any unoped ports. The unoped ports would change based on what features etcetera you enable. In my opinion, only traffic that would normally go to the ALLOW target should go to the QUEUE target since QUEUE is a terminating target and gets the final say as to what actually gets passed or dropped.
I would have preferred Astaro allowed the user to set the QUEUE target in the packet filter window, as well as given a check box in the other areas where ASL generates its own packetfilter rules to enable/disable IPS inspection of that traffic.
Sorry, I digress.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel