Incoming or outgoing?

**NeuroDoc** · 10-20-2020, 09:56 AM

Hi,

I received a malware alert from Webfilter:

app name = web_filter
blocked = false
category = Malware Sites
category id = 56
flagged = true
reason = BLOCK_CATEGORY
request line = GET http:/boaform/admin/formLogin?username=user&psd=user
rule id = 56
session event
bypassed = false
c client addr = 39.88.42.89
c client port = 42117

Is this malware on my system trying connect out, or a bot trying to connect in to my server?

**sky-knight** · 10-20-2020, 10:03 AM

The entry has the relevant information

C_Client_Addr is the client's address in the session that was blocked, that is to say, the origin of the event. So unless this is a bridge mode Untangle operating in a public IP address space with 39.88.42.89 behind it... this address is external to your network.

This also means you've got a web server behind Untangle you're protecting, and you've neglected to use policy rules to push ingress HTTP/HTTPS traffic into a dedicated policy. This subjects all ingress HTTP and HTTPS to the same inspection as your egress sessions of the same, and generally causes headaches. As you can see, Web Filter doesn't care about in or out, it just scans web sessions passing through it. While this isn't directly a problem, it is a means through which you can create a denial of service condition, if that web server gets any sort of real traffic, your Untangle is going to crater.

So short answer, that's an alert generated on incoming traffic, and there be dragons here.

**NeuroDoc** · 10-20-2020, 03:41 PM

Thanks for the quick feedback. I'm still quite a Untangle newbie, but enjoying the learning process.

How would I best learn how to "use policy rules to push ingress HTTP/HTTPS traffic into a dedicated policy"? I've explored the Untangle wiki to some extent, but not sure I found such policy rules.

**sky-knight** · 10-20-2020, 03:46 PM

https://wiki.untangle.com/index.php/Policy_Manager

This is easily the most powerful module in the product. The very definition of easy to learn, and difficult to master.

**NeuroDoc** · 10-20-2020, 03:52 PM

Sounds like my marriage! LOL!!!

Thanks again!

**CMcNaughton** · 10-21-2020, 09:01 AM

Originally Posted by NeuroDoc

How would I best learn how to "use policy rules to push ingress HTTP/HTTPS traffic into a dedicated policy"? I've explored the Untangle wiki to some extent, but not sure I found such policy rules.

Here's our most recent "Tech Talk" webinar on Policy Manager, too. It might help to watch as Eric goes through the app..

Thread: Incoming or outgoing?

LinkBack

Thread Tools

Incoming or outgoing?

Posting Permissions