Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 8 replies
  • Subscribers 0 subscribers
  • Views 4317 views
  • Users 0 members are here
Options
Suggested

[7.191] RDP detected as Winny again

ulong
Hello,

I'm currently in 7.191,
I see in the changelog in the forum : 
[FIX] Remote desktop sessions (RDP) are no longer mis-detected as Winny.


but when I tries to open a connection to remote windows server I have no connection...
In P2P I set all to BLOCK completly, and winny was set to that...
I saw in AFC live log in RED (block) "P2P Rule: Winny" 

in AFC.log : 
2008:05:06-21:11:07 (none) ulogd[2641]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60214" outitf="eth0" srcip="192.168.1.100" dstip="192.168.0.1" proto="6" length="51" tos="0x00" prec="0x00" ttl="126" srcport="3389" dstport="1618" tcpflags="ACKPSH "

2008:05:06-21:11:58 (none) ulogd[2641]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60214" outitf="eth0" srcip="192.168.1.100" dstip="192.168.0.1" proto="6" length="51" tos="0x00" prec="0x00" ttl="126" srcport="3389" dstport="1621" tcpflags="ACKPSH "

2008:05:06-21:12:29 (none) ulogd[2641]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60214" outitf="eth0" srcip="192.168.1.100" dstip="192.168.0.1" proto="6" length="51" tos="0x00" prec="0x00" ttl="126" srcport="3389" dstport="1622" tcpflags="ACKPSH "

2008:05:06-21:13:21 (none) ulogd[2641]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60214" outitf="eth0" srcip="192.168.1.100" dstip="192.168.0.1" proto="6" length="51" tos="0x00" prec="0x00" ttl="126" srcport="3389" dstport="1624" tcpflags="ACKPSH "

2008:05:06-21:14:09 (none) ulogd[2641]: id="2019" severity="info" sys="SecureNet" sub="packetfilter" name="AFC Block" action="drop" fwrule="60214" outitf="eth0" srcip="192.168.1.100" dstip="192.168.0.1" proto="6" length="51" tos="0x00" prec="0x00" ttl="126" srcport="3389" dstport="1629" tcpflags="ACKPSH "


Last test: I set P2P winny at "do not control", and my RDP connection works fine...
So it seems that is not really fix...

Ulong.

Just a remark [[;)]] : with no information the AFC.log is not really useful for us : winny= fwrule 60214, 
So please give us a comment or a table as I [FEATURE REQUEST] in another thread ([7.190] AFC log file) : 
In this case I go directly to the live log and see it but I need to look later,
It can be very hard to find the useful lines in the log... [[;)]]
Parents Reply Children
  • 0 in reply to ulong
    Yep, still happens.  I've opened an official support case with Astaro (I actually opened it Tuesday), I've forwarded all my logs and the methodology they can use to reproduce it to support, and they've sent it to the developers.  I believe (but can't prove it yet) that it has a lot to do with the updated RDP client included in XP SP3 (yep, it changed ... I didn't know it until I noticed the new command line options for mstsc.exe) ... all of our incidents have occurred when using an XP SP3 machine as the RDP client.  Can't say that I've seen it with any Vista boxen yet.

    CTO, Convergent Information Security Solutions, LLC

    https://www.convergesecurity.com

    Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries.  Use the advice given at your own risk.

Unfiltered HTML