Re: [FW1] MAD?
CPMAD detects "suspicious malicious activity". What I used in class to remember what MAD detects is pretty stupid, but I still remember it:

  Sometimes - SYN Attack
  A         - Anti Spoofing
  Stupid    - Successive connx attempts
  Person    - Port Scanning
  Believes  - Blocked connx port scanning (okay...they didn't stop???)
  Leisure   - Login Failure
  Secures   - Successive Alerts
  Liberty   - LAND Attack (okay, so I am a right winger...heh)

There are a small number of tuneable settings to control how sensitive MAD is and how it responds. It is simplistic at best, and here is my memorization technique for this one:

  Maybe    - MODE
  It       - INTERVAL
  Really   - REPETITIONS
  Requires - RESOLUTION
  Action   - ACTION

These are the settings you can make for each of the above attack profiles. When it works, it will automatically block all further traffic from an attacker, so if an attacker initiates a port scan, only a small portion of the ports probed will be allowed; after MAD kicks in, it will not allow the probe of a port EVEN IF there is a matching rule to allow it, because the connection attempt was part of a "port scan" that MAD detected. So this can help to stealth your network.

Dirty little secret about MAD is that it is not super stable. It can just "stop", and there are "no log entries" anywhere to let you know that MAD abended. One of the common reasons for MAD to fail is not pre-allocating enough memory for it to use. You MUST calculate a realistic figure for the amount of RAM to preallocate for MAD use or it will fail during operation. Apparently it cannot dynamically allocate memory on its own.

  \conf\cpmad_config.cfg
  MAD_MEMORY = 75000
  (or whatever....allocate a ton, however there is a calculation based on the number of connections your firewall will have.)

For it to work, you also need:

  MAD_SYSTEM_MODE = ON

(we were told in class that any little mistake in this cfg file will cause complete failure)

From what I was told, it builds table entries of its own for all the connections through the firewall and works somewhat independently of the INSPECT engine. It also hooks into the logging daemon and detects log entries.

I think using a real intrusion detection system is probably a much better way to go. RealSecure can terminate active sessions when it detects "malicious" activity.

Anyone care to slap me down? (it's no big deal, I might just be hitting the crack pipe again)

----- Original Message -----
From: <[email protected]>
To: <[email protected]>
Sent: Tuesday, October 31, 2000 8:31 AM
Subject: [FW1] MAD?

> Folks
>
> Has anyone heard of a FW-1 addin util called "MAD" - malicious activity
> analysis? I've heard a rumour that it gives more functionality to the
> customised alerts function in FireWall-1 so that you can create alerts for
> certain types of events and not others?
>
> Can anyone shed some light on this for me?
> Greg
>
> Vistorm "European ASP of the year"
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
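The MODE / INTERVAL / REPETITIONS / RESOLUTION / ACTION tunables and the "blocked even where a rule would allow it" behaviour described in the reply above, modelled as an added Python example (not Check Point's cpmad code; the log format, the port-scanning profile class and the reading of RESOLUTION as a timestamp bucket size are assumptions made here):

```python
# Toy model of one MAD-style attack profile ("port scanning") driven by the
# MODE / INTERVAL / REPETITIONS / RESOLUTION / ACTION tunables. Constructed
# illustration of the behaviour described in the post, not Check Point code.
from collections import defaultdict, deque

class PortScanProfile:
    def __init__(self, mode=True, interval=60, repetitions=5,
                 resolution=1, action="block"):
        self.mode = mode                  # MODE: profile enabled at all
        self.interval = interval          # INTERVAL: sliding window in seconds
        self.repetitions = repetitions    # REPETITIONS: distinct ports that trigger
        self.resolution = resolution      # RESOLUTION: assumed = timestamp bucket (s)
        self.action = action              # ACTION: "alert" (log only) or "block"
        self.events = defaultdict(deque)  # src -> deque of (bucket, dst_port)
        self.blocked = set()              # sources MAD has decided to cut off
        self.alerts = []                  # (time, src, ports) tuples

    def observe(self, t, src, dst_port, rule_allows):  # -> accept|drop|blocked
        if not self.mode:
            return "accept" if rule_allows else "drop"
        if src in self.blocked:
            return "blocked"              # MAD verdict overrides a matching allow rule
        q = self.events[src]
        q.append((t - t % self.resolution, dst_port))
        while q and q[-1][0] - q[0][0] > self.interval:   # expire old events
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= self.repetitions:
            self.alerts.append((t, src, sorted(distinct)))
            if self.action == "block":
                self.blocked.add(src)
                return "blocked"
        return "accept" if rule_allows else "drop"

# Constructed log: "<seconds> <src> <dst_port> <rulebase verdict>"
SAMPLE_LOG = """\
0 10.0.0.9 21 deny
1 10.0.0.9 22 allow
2 10.0.0.9 23 deny
3 10.0.0.9 25 deny
4 10.0.0.9 80 allow
5 10.0.0.9 443 allow
6 10.0.0.7 80 allow
"""

def run(log=SAMPLE_LOG, **tunables):
    """Replay the log through a profile; return (verdicts, blocked sources)."""
    prof = PortScanProfile(**tunables)
    verdicts = []
    for t, src, port, rule in (line.split() for line in log.splitlines()):
        verdicts.append(prof.observe(int(t), src, int(port), rule == "allow"))
    return verdicts, sorted(prof.blocked)
```

With the defaults, the fifth distinct port from 10.0.0.9 trips the profile, and the later attempt on 443 is refused even though the rulebase would have allowed it; with action="alert" the same scan is only logged.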