
| Subject: | Re: Checkpoint SmartDefense and Malformed SSL Packets |
|---|---|
| Date: | Thu, 16 Dec 2004 07:39:31 -0700 |
Is anyone using Symantec's 7100 series IPS devices? Just had a question regarding the event properties on particular blocked or logged events, you can set to log for selected IP ranges or log all except IP ranges. In trying to configure this option it seems to log all exceptions regardless of what I put in this field. Anyone else had this issue?

ROBERT MATZNICK

----- Original Message -----
From: "Rob Hughes" <rob@robhughes.com>
To: <firewalls@securityfocus.com>
Sent: Tuesday, December 14, 2004 7:52 PM
Subject: Re: Checkpoint SmartDefense and Malformed SSL Packets

On Mon, 2004-12-06 at 12:42 -0800, klenke@hushmail.com wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Does anyone know which SmartDefense check triggers SSL packets to be dropped by Rule 99443 (Malformed SSL packet detected).

Under VPN Protocols, block null-ssl pointer assignment.

> Also, what criteria does SmartDefense use to determine if an SSL packet is malformed and are these criteria at all configurable?

The exact criteria is not public, but basically SD looks for a valid SSL handshake before permitting the traffic. It will always permit the initial TCP handshake, then it expects the first packets after that to be the SSL handshake between the server and client. This is not configurable other than on/off, and certain specific services in later revisions of SD. The most common reason for drops on 99443 is due to non-SSL traffic on port 443.

Rob
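
A check of the kind Rob describes, added here as an example (not part of the original thread and not Check Point's code; SmartDefense's actual criteria are not public): it classifies the first client payload after the TCP handshake, which helps confirm from a packet capture whether drops on port 443 are caused by non-SSL traffic. The function name, return labels and sample payloads are constructed for illustration.

```python
import struct

# Structural check only; SmartDefense's real criteria are not public.
TLS_HANDSHAKE = 0x16     # record content type: handshake
CLIENT_HELLO = 0x01      # handshake / SSLv2 message type
MAX_PLAINTEXT = 2 ** 14  # largest plaintext record body

def classify_first_payload(data: bytes) -> str:
    """Classify the first client payload seen after the TCP handshake."""
    if len(data) < 6:
        return "too-short"
    # SSLv3/TLS record header: type(1) major(1) minor(1) length(2)
    ctype, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype == TLS_HANDSHAKE and major == 3 and minor <= 3:
        if rec_len == 0 or rec_len > MAX_PLAINTEXT:
            return "malformed-record-length"
        if data[5] != CLIENT_HELLO:
            return "unexpected-handshake-type"
        return "tls-client-hello"
    # SSLv2-style hello: length with high bit set, type, 2-byte version
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        if (data[3], data[4]) == (0, 2) or data[3] == 3:
            return "sslv2-client-hello"
        return "malformed-sslv2-version"
    # Common plaintext protocols that end up on port 443
    if data.startswith((b"GET ", b"POST ", b"HEAD ", b"CONNECT ")):
        return "non-ssl:http"
    if data.startswith(b"SSH-"):
        return "non-ssl:ssh"
    return "non-ssl:unknown"

# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "tls": bytes.fromhex("160301002f0100002b0301"),
    "sslv2": bytes.fromhex("804c010301") + b"\x00" * 4,
    "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh": b"SSH-2.0-OpenSSH_3.9\r\n",
    "bad-len": bytes.fromhex("160301000001"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:8} -> {classify_first_payload(payload)}")
```
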