  1. #1
    Newbie
    Join Date
    Oct 2018
    Posts
    13

    Incoming or outgoing?

    Hi,

    I received a malware alert from Webfilter:

    app name = web_filter
    blocked = false
    category = Malware Sites
    category id = 56
    flagged = true
    reason = BLOCK_CATEGORY
    request line = GET http:/boaform/admin/formLogin?username=user&psd=user
    rule id = 56
    session event
    bypassed = false
    c client addr = 39.88.42.89
    c client port = 42117

    Is this malware on my system trying to connect out, or a bot trying to connect in to my server?

  2. #2
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263

    The entry has the relevant information.

    C_Client_Addr is the client's address in the session that was blocked, that is to say, the origin of the event. So unless this is a bridge mode Untangle operating in a public IP address space with 39.88.42.89 behind it... this address is external to your network.

    This also means you've got a web server behind Untangle you're protecting, and you've neglected to use policy rules to push ingress HTTP/HTTPS traffic into a dedicated policy. This subjects all ingress HTTP and HTTPS to the same inspection as your egress sessions of the same, and generally causes headaches. As you can see, Web Filter doesn't care about in or out; it just scans web sessions passing through it. While this isn't directly a problem, it is a means through which you can create a denial of service condition: if that web server gets any sort of real traffic, your Untangle is going to crater.

    So short answer, that's an alert generated on incoming traffic, and there be dragons here.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
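An added example (not from this thread or from Untangle's own code) that applies sky-knight's rule to the event from the question: parse the key = value lines and treat the session as inbound when c client addr falls outside the networks you know sit behind Untangle. The internal network list is an assumption; in a bridge-mode deployment with public addressing, add those public ranges to it.

```python
import ipaddress
from typing import Dict, List

# Constructed sample: the Web Filter event from the question, as logged.
SAMPLE_EVENT = """\
app name = web_filter
blocked = false
category = Malware Sites
category id = 56
flagged = true
reason = BLOCK_CATEGORY
request line = GET http:/boaform/admin/formLogin?username=user&psd=user
rule id = 56
session event
bypassed = false
c client addr = 39.88.42.89
c client port = 42117
"""

# Assumption: the LAN/DMZ ranges behind this Untangle. Bridge mode with
# public addressing behind the box would need those public ranges listed too.
INTERNAL_NETWORKS: List[ipaddress.IPv4Network] = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def parse_event(text: str) -> Dict[str, str]:
    """Turn 'key = value' lines into a dict. Split on the first '=' only, so a
    request line containing query-string '=' signs survives intact; a bare
    marker line such as 'session event' is kept with an empty value."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        fields[key.strip()] = value.strip() if sep else ""
    return fields


def classify(fields: Dict[str, str], internal=INTERNAL_NETWORKS) -> Dict[str, object]:
    """c client addr is the session originator. Outside the internal ranges it is
    ingress to something you host; inside, it is an internal host calling out.
    'blocked' and 'flagged' are reported separately: flagged=true with
    blocked=false means the session was logged but allowed through."""
    addr = ipaddress.ip_address(fields["c client addr"])
    direction = "outbound" if any(addr in net for net in internal) else "inbound"
    return {
        "direction": direction,
        "blocked": fields.get("blocked", "").lower() == "true",
        "flagged": fields.get("flagged", "").lower() == "true",
    }
```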

  3. #3
    Newbie
    Join Date
    Oct 2018
    Posts
    13

    Thanks for the quick feedback. I'm still quite an Untangle newbie, but enjoying the learning process.

    How would I best learn how to "use policy rules to push ingress HTTP/HTTPS traffic into a dedicated policy"? I've explored the Untangle wiki to some extent, but I'm not sure I found such policy rules.

  4. #4
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    25,263

    https://wiki.untangle.com/index.php/Policy_Manager

    This is easily the most powerful module in the product. The very definition of easy to learn, and difficult to master.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  5. #5
    Newbie
    Join Date
    Oct 2018
    Posts
    13

    Sounds like my marriage! LOL!!!

    Thanks again!

  6. #6
    Master Untangler CMcNaughton
    Join Date
    Feb 2015
    Location
    Denver, CO
    Posts
    148

    Quote Originally Posted by NeuroDoc:
    How would I best learn how to "use policy rules to push ingress HTTP/HTTPS traffic into a dedicated policy"? I've explored the Untangle wiki to some extent, but I'm not sure I found such policy rules.

    Here's our most recent "Tech Talk" webinar on Policy Manager, too. It might help to watch as Eric goes through the app.
