I’ve just got my hands on CFP 2.4 and done some basic (I think) tweaks to it.
I run two P2P apps a lot - uTorrent and eMule. While these two apps are running, I get hundreds of High Severity Alerts and constant Medium Severity Alerts, as shown below.
I would think CFP is functioning properly, as I see CFP giving alerts in the patterns of the rules it’s been configured with. I would also consider all the alerts normal (I COULD WELL BE WRONG). But I am concerned whether this enormous amount of logging will adversely affect my overall internet traffic speeds and/or my Windows XP PC performance (CPU and RAM hog…).
I configured CFP to:
- Block fragmented IP datagrams
- Do protocol analysis
And CFP has a pre-configured rule under Network Monitor:
“BLOCK and LOG IP IN or Out FROM IP [Any] TO IP [Any] WHERE IPPROTO IS ANY”
Appreciate your helpful comments!!! :BNC
Two High Severity Alerts I am getting:
Summary of alerts:
Alert 1: Blocked by Protocol Analysis (Fragmented IP Packet)
Alert 2: Blocked by Protocol Analysis (Invalid Flag Combination)
Details of alerts:
[Alert 1]
Reporter: Network Monitor
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Direction: TCP Incoming
Source: someone else’s IP & port
Destination: my IP and port which is NOT what I signed for my P2P apps
Reason: ACK FIN RST is an invalid TCP flag combination
[Alert 2]
Reporter: Network Monitor
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Incoming
Source: someone else’s IP
Destination: my IP
Protocol: TCP
Reason: Fragmented IP packets are not allowed
Two Medium Severity Alerts I am getting:
Summary of alerts:
Alert 1: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Alert 2: Inbound Policy Violation (Access Denied, IP = someone else’s, Port = someone else’s)
Details of alerts:
Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Protocol: ICMP Incoming
Source: someone else’s IP
Destination: my IP
Message: HOST UNREACHABLE
Reason: Network Control Rule ID = 10
Severity: Medium
Reporter: Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = someone else’s, Port = someone else’s)
Protocol: UDP Incoming
Source: someone else’s IP and port
Destination: my IP and port which is NOT what I signed for my P2P apps
Reason: Network Control Rule ID = 10
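As an added example (not part of the post and not Comodo's code), the script below parses Network Monitor records in the field layout quoted above, tallies them per severity and description so you can see which cause accounts for the volume, and reconstructs the kind of check behind the "Invalid Flag Combination" alert. The sample records are constructed, and the flag table is a commonly cited list of impossible combinations, not CFP's own rule set.

```python
import re
from collections import Counter

# Constructed sample in the field layout quoted in the post (not a real CFP export).
SAMPLE_LOG = """\
Severity: High
Description: Blocked by Protocol Analysis (Invalid Flag Combination)
Reason: ACK FIN RST is an invalid TCP flag combination

Severity: High
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Reason: Fragmented IP packets are not allowed

Severity: Medium
Description: Inbound Policy Violation (Access Denied, ICMP = HOST UNREACHABLE)
Reason: Network Control Rule ID = 10
"""
FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def parse_records(text):
    # Records are blank-line separated; each line is 'Field: value'.
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records
def summarize(records):
    # Count per (Severity, Description) to see which cause dominates the volume.
    return Counter((r.get("Severity", "?"), r.get("Description", "?")) for r in records)
def flags_from_reason(reason):
    # Pull the flag list out of 'ACK FIN RST is an invalid TCP flag combination'.
    m = re.match(r"^((?:[A-Z]{3}\s*)+)is an invalid TCP flag combination", reason)
    return set(m.group(1).split()) if m else set()
def tcp_flags_suspicious(flags):
    # Assumption: a commonly cited list of impossible combinations, not CFP's own table.
    f = set(flags)
    if not f:
        return "no flags set"
    for pair in ({"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "RST"}):
        if pair <= f:
            return "+".join(sorted(pair))
    if f & {"FIN", "PSH", "URG"} and "ACK" not in f:
        return "FIN/PSH/URG without ACK"
    return None
```

Feed an exported log to `parse_records` and print `summarize(...)`: if one description dominates, that is the rule whose logging (not blocking) you may want to turn down.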