Attack Detection doesn't work - CFP v3.0.13.268 X32

CFP version: X32
CPU: AMD Athlon XP 3000+ 32-bit
OS: Windows XP Professional SP2
Running security software: Avira AntiVir PersonalEdition Classic
Networks used:
Scanning + flooding over LANs: 1) 100 Mbit switched, 2) 1 Gbit switched
Scanning over WAN: Scanner 100 Mbit - Target 10 Mbit bridged, 5 hops, 6-7 ms delay

Initial CFP configuration:
Mode: Custom policy.
Wizard answers: All advanced options selected, except for complete port stealth. Allowed all LAN traffic for 2nd NIC.
Removed: Global Block Rule and LAN Allow rules created by the wizard.
Added: Various Application rules, including listen ports. Ask rule for All Applications at the end of the list.
Defense+ configuration: Train with Safe Mode
Port scan blocking or flood detection didn’t trigger.

Corresponding packets were logged throughout the full duration of the scan, at a rate limited to 2 packets per second. For TCP, only SYN flagged packets were logged. Packets with any other flags (FIN/RST/PUSH/ACK/URG/Xmas/Ymas) or null flags were not logged.

All ports allowed by application rules were detected as open and some client-endpoints as closed, the rest stealth. Depending on settings and network used, full-range scans were finished in 20-180 seconds and common ports scans in 5-15 seconds.

After starting a flood test, the target computer’s CPU usage rose to 80-100%. When the gigabit LAN connection was used and if the flood type was one to get logged by CFP, the computer became somewhat slow to respond.

Fix attempts:

Disabled protocol analysis - no effect.

Uninstalled and reinstalled CFP, chose the same answers (advanced) and included Incoming Alerts, adding to the wizard-created configuration only one Trusted Application rule for PuTTY and removing the LAN Allow rules. Detection didn’t trigger when repeating the tests.

Testing software and commands used:

Nmap version 4.11 ( Nmap: the Network Mapper - Free Security Scanner )
Debian package version: 4.11-1

Scan common ports, TCP connect, 20 ms timeouts, min. parallelism 512 probes:
nmap -P0 -sT --min-parallelism 512 --max-rtt-timeout 20 host

TCP SYN: Replace switch “-sT” with “-sS”

All ports: Add switch “-p 1-65535”

5 ms timeouts were used with the tests through LAN.

hping3 version 3.0.0-alpha-2 ($Id: release.h,v 1.4 2004/04/09 23:38:56 antirez Exp $)
Debian package version: 3.a2.ds1-3

ICMP flood, TCP SYN flood, UDP flood
time hping3 --flood --icmp host
time hping3 --flood -S host
time hping3 --flood --udp host

Floods were run for 1-5 minutes. Different TCP flags and different data sizes were also tried (-d size). Rate averages were around 8 000 - 24 000 packets/second depending on connection and data size used.
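As an added example (not part of the original post and not Comodo's code), the following Python sketch shows what threshold-based port-scan and flood detection looks like when it is run over packet events, and why a detector that only sees a log rate limited to 2 entries per second and containing only TCP SYNs, as observed in the post, can still notice a scan by distinct-port count but cannot measure a flood rate at all and never sees FIN/Xmas/null probes. The event format, the thresholds, the addresses and the sample traffic are all constructed assumptions for the example.

```python
"""Threshold-based port-scan and flood detection over constructed log events.

Hypothetical detector written for this page; it is not Comodo's code, and the
event format, thresholds and sample traffic are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass

SCAN_DISTINCT_PORTS = 15        # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 10.0      # ... within this many seconds
FLOOD_PACKETS_PER_SECOND = 500  # sustained packet rate from one source
FLOOD_WINDOW_SECONDS = 1.0


@dataclass(frozen=True)
class Event:
    ts: float    # seconds since capture start
    src: str     # source address
    proto: str   # "TCP", "UDP" or "ICMP"
    dport: int   # destination port, 0 for ICMP
    flags: str   # TCP flags such as "S" or "F", "" otherwise


def detect_port_scans(events, distinct_ports=SCAN_DISTINCT_PORTS, window=SCAN_WINDOW_SECONDS):
    """Sources that touched >= distinct_ports distinct TCP/UDP ports within any window."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.proto in ("TCP", "UDP"):
            by_src[e.src].append(e)
    flagged = set()
    for src, evs in by_src.items():
        start, ports = 0, defaultdict(int)   # sliding window; port -> count inside it
        for e in evs:
            ports[e.dport] += 1
            while evs[start].ts < e.ts - window:  # drop events that left the window
                old = evs[start].dport
                ports[old] -= 1
                if ports[old] == 0:
                    del ports[old]
                start += 1
            if len(ports) >= distinct_ports:
                flagged.add(src)
                break
    return flagged


def detect_floods(events, pps=FLOOD_PACKETS_PER_SECOND, window=FLOOD_WINDOW_SECONDS):
    """Sources that sent >= pps * window packets (any protocol) within any window."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e.ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while times[start] < t - window:
                start += 1
            if end - start + 1 >= pps * window:
                flagged.add(src)
                break
    return flagged


def simulated_log(events, max_per_second=2, tcp_syn_only=True):
    """Model a logger that keeps at most max_per_second entries per wall-clock
    second and, for TCP, records only SYN-flagged packets (constructed behaviour)."""
    kept, per_second = [], defaultdict(int)
    for e in sorted(events, key=lambda e: e.ts):
        if tcp_syn_only and e.proto == "TCP" and e.flags != "S":
            continue
        if per_second[int(e.ts)] < max_per_second:
            per_second[int(e.ts)] += 1
            kept.append(e)
    return kept


# Constructed traffic (not a capture): one probe per port spread evenly over `duration`.
def constructed_scan(src="10.0.0.5", ports=range(1, 1025), duration=20.0, flags="S"):
    n = len(ports)
    return [Event(duration * i / n, src, "TCP", p, flags) for i, p in enumerate(ports)]


# Constructed traffic (not a capture): `pps` UDP packets per second to one port.
def constructed_flood(src="10.0.0.9", pps=8000, seconds=2):
    return [Event(s + i / pps, src, "UDP", 53, "") for s in range(seconds) for i in range(pps)]


def run_demo():
    raw = constructed_scan() + constructed_flood()
    return {
        "raw_scan": detect_port_scans(raw),                    # {"10.0.0.5"}
        "raw_flood": detect_floods(raw),                       # {"10.0.0.9"}
        "logged_scan": detect_port_scans(simulated_log(raw)),  # still {"10.0.0.5"}
        "logged_flood": detect_floods(simulated_log(raw)),     # set(): 2 entries/s hides the rate
        "logged_fin_scan": detect_port_scans(simulated_log(constructed_scan(flags="F"))),  # set()
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {sorted(result)}")
```

The point of the `simulated_log` step is that rate detection has to happen where the packets are counted, before any log rate limiter; a log capped at two lines per second never contains more than two entries per second regardless of the real rate, and a log that records only SYNs contains nothing at all for a FIN, Xmas or null scan.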