Where to disable alert log for: "abnormal TCP traffic detected"
Presently a lot of "abnormal TCP traffic with destination port zero" is detected, which causes an email alert log each time.
Now I searched for the related log settings where we could disable this kind of alert log.
We found: Log & Report > Log Settings > System Log > Table "Active Log and Alert" and have disabled the Alert for: Security > ADP (abnormal detection & prevention)
Unfortunately it doesn't help. Abnormal TCP traffic will still be alert-logged and transmitted to us by email each time.
There are further settings possible in:
Security Policy > ADP > Profile. But all Traffic Anomalies and Protocol Anomalies are set to "log" only and not to "alert log".
Does anybody have an idea where I have to adjust further log settings in order to avoid sending alert logs in case of "abnormal TCP traffic with destination port zero"?
-
Hi,
the only way is to create a firewall rule and not log traffic for these IP addresses, as it usually always matches the default rule.
Regards,
Tobias
-
Hi Tobias,
But when this abnormal TCP traffic matches the default rule, why is the USG sending an alert log (email) although this default rule is set to "log" only and not to "alert log"?
-
Hi USG_User,
that was my assumption, that it is the default rule; can you verify it with a screenshot of the device when this happens? In case it may be a bug (I remember a similar report in the last few days) I suggest adding this to the Idea Section to enhance the UTM Signature to auto-block it.
But if it "came up recently" and was not there before, it may be different in this case; please log a ticket and we'll check deeper for a solution on it:
https://support.zyxel.eu/hc/en-us/requests/new?ticket_form_id=114093996354
Regards,
Tobias
-
Thanks Tobias,
what kind of screenshot do you mean, a screenshot from the log, or the alert log message?
The other similar case was me, too. A few days ago we thought we could arrange a simple IP list for blacklisting such IPs, but this could only be implemented by a security policy rule containing a range of consecutive IPs.
That's why I'm now asking for switching off the alert log for that kind of message. But it seems impossible as well.
As a workaround I've created a new security policy rule which drops all TCP attempts from this IP. This may work as long as it's only one suspicious IP. But in case of another additional IP, I would have to create another new rule. That can't be the solution.
Cheers
-
Hi USG_User,
I mean a log to prove that the any-any deny rule is shown with "Log" but does an Alert.
I checked the system; currently there is no other customer report in this direction, so it looks like this IP is right now exclusively sending you this stuff.
Regards,
Tobias
-
Hi Tobias,
here is the screenshot where our default rule is set to "log" and not "alert log":
And here is an example of such an alert log message again, which will be sent out by email each time such an abnormal TCP packet arrives (presently about 5 times a day):
No.: 1
Date/Time: 2022-01-31 02:27:34
Source: 119.1.169.252:48336
Destination: ***.***.***.***
Priority: alert
Category: secure-policy
Note: ACCESS BLOCK
Message: abnormal tcp traffic detected, destination port is zero, DROP
But again, from my point of view, such abnormal TCP traffic belongs to the USG category ADP and should be handled there and not by the default policy, shouldn't it?
-
USG_User said:
As a workaround I've created a new security policy rule which drops all TCP attempts from this IP. This may work as long as it's only one suspicious IP. But in case of another additional IP, I would have to create another new rule. That can't be the solution.
Why another rule?
You can create a single rule with an IP group as source.
Then in the IP group you set the single IPs.
-
valerio_vanni said:
Why another rule?
You can create a single rule with an IP group as source.
Then in the IP group you set the single IPs.
I'm aware of that. But you have to create single address objects for each IP which is not in consecutive order. Although it would be only one additional rule, I think "blowing up" the security policy is not the smartest way to drop such abnormal traffic attempts.
@Zyxel_Tobias: Since yesterday we've got the additional security policy rule in place which should drop the "port zero abnormal TCP traffic" attempt from exactly this IP. This rule is arranged prior to the default rule and should neither log nor alert log the drops. Nevertheless the USG has still sent two alert logs at night containing the drop of that abnormal traffic from that IP, with exactly the same alert log message content as mentioned above.
Here is our new security policy rule:
Now only the alert checkbox (Log & Report > Log Settings) for "Security Policy Control" is ticked. Is this overruling the "no log" setting of the new security policy rule?
As already said, from my point of view this abnormal TCP traffic with zero port should be handled by ADP, which means Anomaly Detection and Prevention. And the ADP log is switched off.
Any further hints would be appreciated.
-
Hi @USG_User,
our dev team is currently unavailable (this week); we can idle this case and continue on Monday, or you log a ticket and get a follow-up from us when all tests are done: https://support.zyxel.eu/hc/en-us/requests/new?ticket_form_id=114093996354
Regards,
Tobias
-
Hi Tobias,
Yes, let's idle it until next week. Security is not affected since the USG is dropping the packets in any case.
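As an added example (not from this thread and not Zyxel code), the script below reads alert rows in the field layout of the message quoted above, counts the "destination port is zero" drops per source IP and lists the sources that are not yet members of the IP-group object valerio_vanni suggested, so the per-packet emails can be reduced to one digest. The '|'-separated row layout and every address except 119.1.169.252 are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample: one '|'-separated row per event, in the field order the
# USG alert email shows (No., Date/Time, Source, Destination, Priority,
# Category, Note, Message). 203.0.113.7 and 198.51.100.20 are documentation
# addresses used purely as made-up examples.
SAMPLE_ALERTS = """\
1|2022-01-31 02:27:34|119.1.169.252:48336|***.***.***.***|alert|secure-policy|ACCESS BLOCK|abnormal tcp traffic detected, destination port is zero, DROP
2|2022-01-31 03:10:02|119.1.169.252:50001|***.***.***.***|alert|secure-policy|ACCESS BLOCK|abnormal tcp traffic detected, destination port is zero, DROP
3|2022-01-31 04:55:41|203.0.113.7:41000|***.***.***.***|alert|secure-policy|ACCESS BLOCK|abnormal tcp traffic detected, destination port is zero, DROP
4|2022-01-31 05:12:09|198.51.100.20:44321|***.***.***.***|alert|secure-policy|ACCESS BLOCK|Match default rule, DROP
"""

FIELDS = ("no", "time", "src", "dst", "priority", "category", "note", "message")
PORT_ZERO = re.compile(r"abnormal tcp traffic detected.*destination port is zero", re.I)

def parse_alert(line):
    """Split one row into a dict; rows without all eight fields are skipped."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["src_ip"] = rec["src"].rsplit(":", 1)[0]  # drop the ephemeral source port
    return rec

def port_zero_sources(text):
    """Count port-zero anomaly drops per source IP; other drops are ignored."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec and rec["category"] == "secure-policy" and PORT_ZERO.search(rec["message"]):
            counts[rec["src_ip"]] += 1
    return dict(counts)

def new_sources(text, group_members):
    """Source IPs with port-zero anomalies that are not yet in the IP group."""
    members = set(group_members)
    return sorted(ip for ip in port_zero_sources(text) if ip not in members)

def digest(text, group_members):
    """One summary line per source IP instead of one email per packet."""
    counts = port_zero_sources(text)
    lines = [f"{ip}: {n} port-zero drop(s)" for ip, n in sorted(counts.items())]
    missing = new_sources(text, group_members)
    if missing:
        lines.append("not yet in IP group: " + ", ".join(missing))
    return "\n".join(lines)

if __name__ == "__main__":
    print(digest(SAMPLE_ALERTS, ["119.1.169.252"]))
```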