Results 1 to 2 of 2
  1. #1
    Join Date
    Oct 2019

    Post Yet another "Block suspicious activity"

    I'd like to continue an old, closed "Thread: block suspicious activity", to understand if the last sentence to "sspeed" by "dmorris" does still apply.

    "Is there anyway for the firewall app to block suspicious activity like this automatically?"
    No, not currently.

    It was 09-04-2016, I wonder if today "Untangle FW 14.2.2" still cannot somehow block the sessions that trigger the alert "Suspicious Activity: Client created many RDP sessions".

    I think it can, but I cannot make it work :-(

    In Config -> Events -> Alerts, I open the alert whose description is "Suspicious Activity: Client created many RDP sessions", and I see:
    Class: SessionEvent
    SServerPort = 3389
    Enabled Thresholds
    Exceeds Threshold Limit: 20
    Over Timeframe: 60
    Grouping Field: CClientAddr

    I think I can understand this, and my idea is to use triggers to tag sessions, and to use this in Firewall app.

    So I go to Config -> Events -> Triggers to make a new Trigger rule with same above conditions, and I fill "Perform the following action(s)" with:
    Action Type: Tag Host
    Target: CClientAddr
    Tag name: suspicious RDP
    Tag Lifetime: 1800

    I expect to find tagged sessions in "Sessions", or in "Reports -> All Events EXTENDED" (a custom report derived by "All Events", to which I added some more fields, like "Tags")...
    BUT I NEVER SEE a single record with column "Tags" filled with any chars: they are all empty, meanwhile my email account receives dozens of msg "Suspicious Activity: Client created many RDP sessions", and I can see hundreds of sessions that make 2 or more "RDP" connections per second, way lots more then 20 in 60 sec!
    Please don't tell me I should not expose RDP: it's something out of my control, and I already know it's not a good idea, BUT this is what I have to face.

    I even noticed a default Trigger rule whose description is "Tag suspicious activity" that uses:
    Class: AlertEvent
    description = *Suspicious Activity*

    that exactly does what I thought:
    Action Type: Tag Host
    Target: CClientAddr
    Tag name: suspicious
    Tag Lifetime: 1800

    I enabled it, but no Tags still appear in sessions, nor in "Reports -> All Events EXTENDED" described above.

    Please anyone shed some lights in my dark room :-D
    Last edited by FabioB; 10-09-2019 at 06:10 AM.

  2. #2
    Join Date
    Oct 2019


    Replies: 0
    Views: 110

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts

SEO by vBSEO 3.6.0 PL2