[48] in Intrusion Detection Systems
Www
daemon@ATHENA.MIT.EDU (brian.smith@morebbs.com)
Mon Apr 3 06:54:35 1995
From: brian.smith@morebbs.com
Date: Sat, 01 Apr 95 09:07:08
To: ids@uow.edu.au
Reply-To: ids@uow.edu.au
I noticed that when an internal user uses a Mosaic or Netscape client to access
a web server outside of the firewall, the www client uses anonymous ftp to
fetch some items back. Most of the time there is no problem, but sometimes the
firewall sees the connections as ftp being attempted from outside, which it is
supposed to block, then generates alerts.
The problem is that in terms of trying to detect intruders, I can't tell the
difference between the ftp connections coming back as a result of web
connections and those that are really someone trying to find a port they can
connect to.
Any suggestions on how to deal with this?
Does this question belong in firewalls@greatcircle.com?
Brian Smith
DOS Dummy
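
The following is an added example, not part of the original message. It shows one way to separate the two cases in firewall logs, assuming the web client uses active-mode FTP, where the server opens the data connection back to the client from TCP port 20. The log format, addresses, `INTERNAL_PREFIX` and `WINDOW` are constructed for illustration.

```python
# Constructed sample firewall log: time(s) src_ip src_port dst_ip dst_port
SAMPLE_LOG = """\
100 10.0.0.5 1045 192.0.2.10 21
103 192.0.2.10 20 10.0.0.5 1046
250 198.51.100.7 20 10.0.0.5 1047
300 192.0.2.10 20 10.0.0.9 1050
310 192.0.2.10 20 10.0.0.5 23
2000 192.0.2.10 20 10.0.0.5 1051
"""

INTERNAL_PREFIX = "10.0.0."  # assumed internal network
WINDOW = 600                 # assumed seconds a control session counts as live


def parse(log):
    for line in log.splitlines():
        if line.strip():
            t, sip, sp, dip, dp = line.split()
            yield int(t), sip, int(sp), dip, int(dp)


def classify(log, window=WINDOW):
    """Label each inbound connection 'expected' (ftp-data) or 'suspect'."""
    control = {}  # (internal host, external server) -> time of last outbound port-21 connect
    results = []
    for t, sip, sp, dip, dp in parse(log):
        if sip.startswith(INTERNAL_PREFIX):
            if dp == 21 and not dip.startswith(INTERNAL_PREFIX):
                control[(sip, dip)] = t  # internal client opened an FTP control channel
            continue
        if not dip.startswith(INTERNAL_PREFIX):
            continue
        last = control.get((dip, sip))
        # Source port 20 alone proves nothing (a sender can choose it), so the
        # connection must also match a recent outbound control session.
        if sp != 20:
            reason = "source port is not ftp-data"
        elif dp < 1024:
            reason = "targets a privileged port"
        elif last is None:
            reason = "no outbound FTP control session"
        elif t - last > window:
            reason = "control session too old"
        else:
            reason = None
        results.append((t, sip, dip, dp, "suspect" if reason else "expected", reason))
    return results


if __name__ == "__main__":
    for row in classify(SAMPLE_LOG):
        print(row)
```

The time window is a heuristic; a firewall that tracks the data port the client announced on the control channel can match the returning connection exactly.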