Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Is it "fishy"?

From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
Date: Wed, 05 Dec 2001 08:39:34 +0100

Firewalls are not the only devices logging their (and user's) activity.
You'd better have a look at you web server log and/or your IDS and/or 
your network flight recorder to get the full picture on this event.

If you have some large files on your web server, this 2 hours session 
could be a slow transfer.
I've seen browsers re-sending their fin packet during half an hour 
because of a checkpoint firewall-1 design flow. I would not be too 
surprise to see such packets during 2 hours.

You're the only one who could answer the question currently. You know 
what's on your web server (i.e. is there some large page ?).

----- Original Message -----
From: "C. K. Lung" <clung () hotmail com>
Date: Tuesday, December 4, 2001 8:54 pm
Subject: [fw-wiz] Is it "fishy"?


The firewall log shows that a host (YMCA12) has been using http 
accessing a
web site over 2 hours.  Is it a form of "attack" or it is normal.  
The time
is between 10:15 am till 12:30 pm.

Any comments are much appreciated.

Thanks,

clung

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: