
Packet Filter Logging Question

All-

I need some advice regarding packet filter logging. It seems that when content is delivered from Akamai Technologies, their servers leave a large number of logs, usually ending with tcpflag RST. Please see the example enclosed. My question is: how do I prevent this needless logging? Mods, I may have placed my post incorrectly under network security in place of management, logging.... Please relocate if necessary.

Thanks,
Jim

2011:05:05-12:44:14 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="0:90:1a:a1:41:27" dstmac="0:24:7e:x:y:z" srcip="69.31.28.242" dstip="173.A.B.76" proto="6" length="40" tos="0x00" prec="0x00" ttl="253" srcport="443" dstport="3097" tcpflags="RST" 
2011:05:05-12:44:14 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcmac="0:90:1a:a1:41:27" dstmac="0:24:7e:x:y:z" srcip="69.31.28.232" dstip="173.A.B.76" proto="6" length="40" tos="0x00" prec="0x00" ttl="253" srcport="443" dstport="3119" tcpflags="RST" 
  • Hi, we've had some discussions here about this happening with incoming traffic to servers, one option for that is to put a DROP Rule for HTTP with logging disabled AFTER your allow rule.

    See https://community.sophos.com/products/unified-threat-management/astaroorg/f/54/t/39325
    for some discussion.

    However, you're talking about traffic FROM servers to your internal clients.
    Therefore, dropping incoming traffic from HTTP & HTTPS without logging should work (after any related allow rules, if applicable).

    It does seem odd to me that webservers would be sending RSTs to browsers though. Some googling shows that some web servers will close idle sessions with RST though.

    Barry
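As an added example (not code from the thread), a small Python script that parses the ulogd key="value" entries quoted above and separates dropped bare RSTs arriving from web-server ports 80/443 from every other drop, so you can see what a no-log drop rule would actually silence before adding it. The sample lines and addresses below are constructed.

```python
import re
from collections import Counter

# Constructed sample lines (not from the thread) in the ulogd packetfilter
# key="value" format quoted above; addresses are RFC 5737 test ranges.
SAMPLE_LOG = """\
2011:05:05-12:44:14 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="198.51.100.242" dstip="203.0.113.76" proto="6" length="40" ttl="253" srcport="443" dstport="3097" tcpflags="RST"
2011:05:05-12:44:14 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="198.51.100.232" dstip="203.0.113.76" proto="6" length="40" ttl="253" srcport="443" dstport="3119" tcpflags="RST"
2011:05:05-12:44:15 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="198.51.100.9" dstip="203.0.113.76" proto="6" length="60" ttl="52" srcport="54321" dstport="22" tcpflags="SYN"
2011:05:05-12:44:16 OASIS ulogd[5189]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="198.51.100.9" dstip="203.0.113.76" proto="6" length="40" ttl="52" srcport="80" dstport="3200" tcpflags="RST"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
WEB_PORTS = {"80", "443"}  # source ports a web server answers from

def parse_line(line):
    """Return the key="value" fields of one ulogd line plus its timestamp."""
    fields = dict(KV_RE.findall(line))
    fields["timestamp"] = line.split(" ", 1)[0]  # text before host/process
    return fields

def is_web_server_rst(entry):
    """Dropped TCP packet from port 80/443 carrying RST: the late-RST noise
    described in the post, i.e. what a no-log drop rule is meant to hide."""
    flags = entry.get("tcpflags", "").split()
    return (entry.get("action") == "drop"
            and entry.get("proto") == "6"
            and "RST" in flags
            and entry.get("srcport") in WEB_PORTS)

def triage(log_text):
    """Count web-server RST drops per (srcip, srcport); return everything
    else unchanged so it is not swept into the same no-log rule."""
    rst_by_source, other = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if is_web_server_rst(entry):
            rst_by_source[(entry["srcip"], entry["srcport"])] += 1
        else:
            other.append(entry)
    return rst_by_source, other

if __name__ == "__main__":
    noise, rest = triage(SAMPLE_LOG)
    for (ip, port), n in noise.most_common():
        print(f"{n:4d} RST drop(s) from {ip}:{port}")
    print(len(rest), "drop(s) still worth logging, e.g. dst port", rest[0]["dstport"])
```

Anything in `rest` (here the SYN to port 22) is what the allow/no-log pair from the linked thread must leave in the log.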