Huge number of High Severity Alerts and constant Medium Alerts

I’ve just got my hands on CFP 2.4 and done basic (I think) tweaks of it.

I run two P2P apps a lot - uTorrent and eMule. While these two apps are running, I will get hundreds of High Severity Alerts and constant Medium Severity Alerts as shown below.

I would think CPF is functioning properly, as I see CPF is giving alerts in the patterns of rules it’s been configured with. I would also consider all the alerts to be normal (I COULD WELL BE WRONG). But I am concerned with whether this enormous amount of logging will adversely affect my overall internet traffic speeds and/or my Windows XP PC performance (CPU and RAM hog…).

I configured CPF to

  • Block fragmented IP datagrams
  • Do protocol analysis

And CPF has a pre-configured rule under Network Monitor:
“BLOCK and LOG IP IN or Out FROM IP [Any] TO IP [Any] WHERE IPPROTO IS ANY”

Appreciate your helpful comments!!! :BNC

Two High Severity Alerts I am getting:
Summary of alerts:
Alert 1: Blocked by Protocol Analysis (Fragmented IP Packet)
Alert 2: Blocked by protocol analysis- Invalid Flag Combination

Details of alerts:

[Alert 1]
Reporter: Network Monitor
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Direction: TCP Incoming
Source: someone else’s IP & port
Destination: my IP and port which is NOT what I signed for my P2P apps
Reason: ACK FIN RST is an invalid TCP flag combination

[Alert 2]
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Incoming
Source: someone else’s IP
Destination: my IP
Protocol : TCP
Reason: Fragmented IP packets are not allowed

Two Medium Severity Alerts I am getting:
Summary of alerts:
Alert 1: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Alert 2: Inbound Policy Violation (Access Denied, IP = someone else’s, Port = someone else’s)

Details of alerts:

Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Protocol: ICMP Incoming
Source: someone else’s IP
Destination: my IP
Message: HOST UNREACHABLE
Reason: Network Control Rule ID = 10

Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = someone else’s, Port = someone else’s)
Protocol: UDP Incoming
Source: someone else’s IP and port
Destination: my IP and port which is NOT what I signed for my P2P apps
Reason: Network Control Rule ID = 10
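The poster's real question is how much of this logging is the same few alert types hitting the same catch-all rule. The following script is an added example (not from the thread, not Comodo's code) that parses records laid out like the ones quoted above and counts them by severity, description, rule ID and source host, so you can see which block rule is doing the logging before deciding what to silence. The sample records are constructed for the demo and use RFC 5737 documentation addresses rather than real hosts.

```python
"""Summarise Comodo Firewall Pro style alert records by type and rule.

Added example, not from the forum post: the sample records below are
constructed to mirror the field layout the poster quoted (Reporter,
Description, Direction, Source, Destination, Reason). The IP addresses
are RFC 5737 documentation-range placeholders, not real hosts.
"""
from collections import Counter
import re

# Constructed sample: blank-line separated records, one "Field: value" per line.
SAMPLE_LOG = """\
Severity: High
Reporter: Network Monitor
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Direction: TCP Incoming
Source: 203.0.113.5:51413
Destination: 192.0.2.10:1045
Reason: ACK FIN RST is an invalid TCP flag combination

Severity: High
Reporter: Network Monitor
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Incoming
Source: 203.0.113.5
Destination: 192.0.2.10
Protocol: TCP
Reason: Fragmented IP packets are not allowed

Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Protocol: ICMP Incoming
Source: 198.51.100.7
Destination: 192.0.2.10
Message: HOST UNREACHABLE
Reason: Network Control Rule ID = 10

Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 198.51.100.9, Port = 6881)
Protocol: UDP Incoming
Source: 198.51.100.9:6881
Destination: 192.0.2.10:33201
Reason: Network Control Rule ID = 10

Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Protocol: ICMP Incoming
Source: 198.51.100.8
Destination: 192.0.2.10
Message: HOST UNREACHABLE
Reason: Network Control Rule ID = 10
"""

# Tolerates "Reporter :Network Monitor" and "Description:Inbound ..." spacing.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")
RULE_RE = re.compile(r"Rule ID\s*=\s*(\d+)")


def parse_alerts(text):
    """Split the log into records; each record is a dict of field -> value."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = FIELD_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2)
        if rec:
            records.append(rec)
    return records


def summarise(records):
    """Count alerts by severity, description, rule ID and source host.

    Protocol-analysis blocks carry no rule ID, so they are grouped under
    the label "protocol-analysis" instead of a number.
    """
    by_sev = Counter(r.get("Severity", "?") for r in records)
    by_desc = Counter(r.get("Description", "?") for r in records)
    by_rule = Counter()
    by_src = Counter()
    for r in records:
        m = RULE_RE.search(r.get("Reason", ""))
        by_rule[m.group(1) if m else "protocol-analysis"] += 1
        # Drop any ":port" suffix so repeat senders group by host.
        by_src[r.get("Source", "?").split(":")[0]] += 1
    return {"severity": by_sev, "description": by_desc,
            "rule": by_rule, "source": by_src}


def noisiest(summary, key, n=3):
    """Top-n entries for one of the summary counters."""
    return summary[key].most_common(n)


if __name__ == "__main__":
    s = summarise(parse_alerts(SAMPLE_LOG))
    for k in ("severity", "description", "rule", "source"):
        print(k)
        for name, count in s[k].most_common():
            print(f"  {count:4d}  {name}")
```

Run it against a real export of the CPF log and the "rule" counter tells you directly how much of the volume is the bottom Block & Log All rule (ID 10 in the poster's logs) versus protocol analysis, which is the split the later reply's advice turns on.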

It is possible that this could pose a resource drain on your system, but not definitively.

For the Host Unreachable message, you can easily create a rule to block & not log; that will reduce the drain of logging on that event type.

You would go to the bottom Block & Log All rule (looks like Rule ID 10, based on your logs), right-click and select Add/Add Before (this is crucial, since the rules filter from the top down).

Then create the rule as:

Action: Block (don’t check the box for an alert to be created)
Protocol: ICMP
Direction: In
Source: Any
Destination: Any
ICMP Details: Host Unreachable

OK. This will make it the new Rule ID 10, and move the other down to ID 11.

For the blocked UDP incoming, you probably want to keep seeing those, for security reasons.

On the ACK FIN RST, you may want to read through this thread: https://forums.comodo.com/index.php/topic,2684.0.html

There, the very issue of ACK FIN RST is being worked through. I don’t have a quick/easy answer for you on that. User Neglacio makes the statement that this needs to be allowed rather than blocked, for at least some specific p2p apps, but this appears, in his case, to be referring to the p2p app not being able to connect to do its thing. However, if yours is working, that’s probably not an issue. I would not advise turning off Protocol Analysis unless you are not able to connect otherwise (and even then, that would be the last option for me personally).

LM

PS: Welcome to the forums, if no one’s said so before.
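To make the protocol-analysis side of the reply concrete: a flag check runs before any rule-ID lookup, which is why the "ACK FIN RST" alerts carry a reason string instead of a rule number. The block below is an added example, not Comodo's code; the only combination the thread itself names as invalid is ACK FIN RST, and the remaining checks (SYN with FIN or RST, a null segment, FIN/PSH/URG without ACK) are assumptions drawn from common stateless TCP sanity rules.

```python
"""Classify TCP flag combinations the way a protocol-analysis rule would.

Added example, not Comodo's implementation. The thread names only
ACK FIN RST as invalid; the other combinations treated as invalid here are
assumptions based on common stateless TCP sanity checks.
"""
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
BY_NAME = {v: k for k, v in NAMES.items()}


def flags_from_names(names):
    """'ACK FIN RST' -> bitmask; an empty string is a null (no-flag) segment."""
    bits = 0
    for n in names.split():
        bits |= BY_NAME[n.upper()]
    return bits


def describe(bits):
    """Bitmask -> space-separated flag names in header bit order."""
    return " ".join(NAMES[b] for b in sorted(NAMES) if bits & b) or "(none)"


def check_flags(bits):
    """Return (valid, reason) for one segment's flag byte.

    Order matters: the combined-flag checks run first so that, e.g.,
    ACK FIN RST is reported as FIN+RST rather than passing the ACK test.
    """
    if bits & (SYN | FIN) == (SYN | FIN):
        return False, "SYN and FIN set together"
    if bits & (SYN | RST) == (SYN | RST):
        return False, "SYN and RST set together"
    if bits & (FIN | RST) == (FIN | RST):
        return False, "FIN and RST set together"      # the thread's ACK FIN RST case
    if bits == 0:
        return False, "no flags set (null segment)"
    if bits & (FIN | PSH | URG) and not bits & ACK:
        return False, "FIN/PSH/URG without ACK"
    return True, "ok"


def triage(segments):
    """Given [(src, flags_string), ...], return the ones a flag check would block.

    Mirrors what ends up in the High Severity log: only the rejected
    segments, each with the reason the firewall would print.
    """
    blocked = []
    for src, flags in segments:
        ok, reason = check_flags(flags_from_names(flags))
        if not ok:
            blocked.append((src, describe(flags_from_names(flags)), reason))
    return blocked


if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.x are documentation addresses.
    sample = [
        ("203.0.113.5", "SYN"),          # normal connection attempt
        ("203.0.113.5", "ACK"),          # normal data/ack
        ("203.0.113.6", "ACK FIN RST"),  # the combination the thread discusses
        ("203.0.113.7", "FIN"),          # FIN without ACK
        ("203.0.113.8", ""),             # null segment
        ("203.0.113.9", "SYN ACK"),      # handshake reply
    ]
    for src, flags, reason in triage(sample):
        print(f"Blocked by Protocol Analysis (Invalid Flag Combination) "
              f"Source: {src} Flags: {flags} Reason: {reason}")
```

The point for the poster's situation: a valid P2P session (SYN, SYN ACK, ACK, FIN ACK) never trips the check, so a steady stream of these alerts is peers sending malformed or stale segments to the host, not the firewall misreading normal traffic, which is why the reply suggests leaving Protocol Analysis on as long as the apps still connect.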

Thanks for the suggestions and warm welcome. :smiley:
I am digging this forum… :wink:

You bet! Let us know how the rule works, if that helps reduce some of that strain.

LM