CPMAD detects "suspicious malicious activity".
What I used in class to remember what MAD detects is pretty stupid, but I still
remember it:
Sometimes - SYN Attack
A - Anti Spoofing
Stupid - Successive connx attempts
Person - Port Scanning
Believes - Blocked connx port scanning (okay...they didn't stop???)
Leisure - Login Failure
Secures - Successive Alerts
Liberty - LAND Attack
(okay, so I am a right winger...heh)
There are a small number of tuneable settings to control how sensitive MAD is and how
it responds. It is simplistic at best, and here is my memorization technique for this
one:
Maybe - MODE
It - INTERVAL
Really - REPETITIONS
Requires - RESOLUTION
Action - ACTION
These are the settings you can make for each of the above attack profiles.
When it works, it will automatically block all further traffic from an attacker, so if
an attacker initiates a port scan, only a small portion of the ports probed will be
allowed. After MAD kicks in, it will not allow the probe of a port EVEN IF there is a
matching rule to allow it, because the connection attempt was part of a "port scan" that
MAD detected. So this can help to stealth your network.
Dirty little secret about MAD is that it is not super stable.
It can just "stop", and there are "no log entries" anywhere to let you know that MAD
abended.
One of the common reasons for MAD to fail is not pre-allocating enough memory for it
to use.
You MUST calculate a realistic figure for the amount of RAM to preallocate for MAD use
or it will fail during operation. Apparently it cannot dynamically allocate memory on
its own.
\conf\cpmad_config.cfg
MAD_MEMORY = 75000 (or whatever....allocate a ton, however there is a calculation
based on the number of connections your firewall will have.)
For it to work, you also need: MAD_SYSTEM_MODE = ON
(we were told in class that any little mistake in this cfg file will cause complete
failure)
From what I was told, it builds table entries of its own for all the connections through
the firewall and works somewhat independently of the inspect engine. It also hooks into
the logging daemon and detects log entries.
I think using a real intrusion detection system is probably a much better way to go.
RealSecure can terminate active sessions when it detects "malicious" activity.
Anyone care to slap me down?
(it's no big deal, I might just be hitting the crack pipe again)
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, October 31, 2000 8:31 AM
Subject: [FW1] MAD?
>
> Folks
>
> Has anyone heard of a FW-1 add-in util called "MAD" - malicious activity
> analysis? I've heard a rumour that it gives more functionality to the
> customised alerts function in FireWall-1 so that you can create alerts for
> certain types of events and not others?
>
> Can anyone shed some light on this for me?
> Greg
>
>
> Vistorm "European ASP of the year"
>
> CONFIDENTIAL
> The contents of this email and any attachments may be
> confidential. It is intended for the named recipient(s) only.
> If you are not the named recipient, please notify the sender
> immediately and do not disclose the contents to any other
> person or make any copies.
>
>
> ================================================================================
> To unsubscribe from this mailing list, please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ================================================================================
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
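The reply above says MAD dies silently when cpmad_config.cfg has a mistake, that MAD_SYSTEM_MODE must be ON, and that MAD_MEMORY has to be preallocated generously based on the firewall's connection count. Here is an added example (not code from the post, the list, or Check Point) of a pre-flight checker that parses a KEY = VALUE config and reports those problems before the file goes live. Only MAD_SYSTEM_MODE and MAD_MEMORY come from the post; the per-profile key pattern MAD_<PROFILE>_<SETTING>, the profile key names, the accepted values, the "#" comment syntax and the bytes-per-connection figure are all assumptions made for illustration, not the real file format.

```python
"""Pre-flight checker for a MAD-style KEY = VALUE config file (added example).

Assumed, not from the post or from Check Point: per-profile keys are named
MAD_<PROFILE>_<SETTING>, '#' starts a comment, MODE is ON/OFF and ACTION is one
of ALERT/BLOCK/LOG/NONE. MAD_SYSTEM_MODE and MAD_MEMORY are the keys the post names.
"""
import re

# Attack profiles from the post's mnemonic; these key spellings are assumed.
PROFILES = ["SYN_ATTACK", "ANTI_SPOOFING", "SUCCESSIVE_CONNECTION_ATTEMPTS",
            "PORT_SCANNING", "BLOCKED_CONNECTION_PORT_SCANNING",
            "LOGIN_FAILURE", "SUCCESSIVE_ALERTS", "LAND_ATTACK"]

# Per-profile tunables from the post (MODE, INTERVAL, REPETITIONS, RESOLUTION,
# ACTION) mapped to an assumed value syntax.
SETTINGS = {
    "MODE": r"^(ON|OFF)$",
    "INTERVAL": r"^\d+$",
    "REPETITIONS": r"^\d+$",
    "RESOLUTION": r"^\d+$",
    "ACTION": r"^(ALERT|BLOCK|LOG|NONE)$",
}

# Every key this checker recognises; anything else is treated as a typo.
KNOWN_KEYS = {"MAD_SYSTEM_MODE": r"^(ON|OFF)$", "MAD_MEMORY": r"^\d+$"}
for _p in PROFILES:
    for _s, _pat in SETTINGS.items():
        KNOWN_KEYS[f"MAD_{_p}_{_s}"] = _pat

LINE_RE = re.compile(r"^\s*([A-Z0-9_]+)\s*=\s*(\S+)\s*$")


def parse_cfg(text):
    """Parse KEY = VALUE lines; return (settings, problems). Malformed or
    duplicated lines are reported rather than silently dropped."""
    settings, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip assumed '#' comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            problems.append(f"line {n}: cannot parse {raw.strip()!r}")
            continue
        key, val = m.groups()
        if key in settings:
            problems.append(f"line {n}: duplicate key {key}")
        settings[key] = val
    return settings, problems


def estimate_mad_memory(expected_connections, bytes_per_entry=64):
    """Rough preallocation floor. The post only says the figure scales with the
    number of connections; 64 bytes per entry is a placeholder, not a vendor number."""
    return expected_connections * bytes_per_entry


def check_cfg(text, expected_connections):
    """Return a list of problems; an empty list means the config passed."""
    settings, problems = parse_cfg(text)
    # Unknown keys are the "little mistakes" the post warns about.
    for key, val in settings.items():
        if key not in KNOWN_KEYS:
            problems.append(f"unknown key {key} (typo?)")
        elif not re.match(KNOWN_KEYS[key], val):
            problems.append(f"{key}={val} has an unexpected value")
    if settings.get("MAD_SYSTEM_MODE") != "ON":
        problems.append("MAD_SYSTEM_MODE must be ON for MAD to run")
    mem = settings.get("MAD_MEMORY")
    if mem is None or not mem.isdigit():
        problems.append("MAD_MEMORY missing or not a number")
    elif int(mem) < estimate_mad_memory(expected_connections):
        problems.append(f"MAD_MEMORY={mem} is below the estimate for "
                        f"{expected_connections} connections")
    return problems


# Constructed sample configs (not real Check Point files).
GOOD_CFG = """
MAD_SYSTEM_MODE = ON
MAD_MEMORY = 75000
MAD_PORT_SCANNING_MODE = ON
MAD_PORT_SCANNING_INTERVAL = 60
MAD_PORT_SCANNING_REPETITIONS = 10
MAD_PORT_SCANNING_RESOLUTION = 1
MAD_PORT_SCANNING_ACTION = ALERT
"""

BAD_CFG = """
MAD_SYSTEM_MOD = ON            # key misspelled, so MAD never turns on
MAD_MEMORY = 750               # far too little for the expected load
MAD_PORT_SCANNING_MODE = YES   # not an accepted value
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CFG), ("bad", BAD_CFG)):
        print(name, check_cfg(cfg, expected_connections=1000) or "OK")
```

Running it flags the misspelled MAD_SYSTEM_MODE key, the resulting missing ON setting, the undersized MAD_MEMORY and the bad MODE value in the second config, and passes the first; the point is to catch these before a reload, since the post says MAD itself will not log why it stopped.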