Where to disable alert log for: "abnormal TCP traffic detected"

USG_User
USG_User Posts: 374  Master Member
5 Answers First Comment Friend Collector Sixth Anniversary
edited February 2022 in Security
Presently lot of "abnormal TCP traffic with destination port zero" is detected, which caused an email alert log each time.
Now I searched for the connected log settings where we could disable these kind of alert log.

We found: Log & Report > Log Settings > System Log > Table "Active Log and Alert" and have disabled the Alert for: Security > ADP (abnormal detection & prevention)

Unfortunately it doesn't help. Abnormal TCP traffic will still be alert-logged and transmitted by email to us each time.

There are further settings possible in:
Security Policy > ADP > Profile. But any Traffic Anomalies and Protocol Anomalies are set to "log" only but not to "alert log".

Has anybody an idea where I have to adjust further log settings in order to avoid sending alert logs in case of "abnormal TCP traffic with destination port zero"?

«1

All Replies

  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary
    Hi,

    the only way is to create a firewall rule and not log traffic for these IP Address as it always match the default rule usually.

    Regards,

    Tobias
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Hi Tobias,
    But when this abnormal TCP traffic is matching the default rule, why the USG is sending an alert log (email) although this default rule is set to "log" only but not to "alert log"?
  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary
    Hi USG_User,

    that was my assumption that it is the default rule, can you verify it by a screenshot of the device, when this happens? In case it may a bug (I remember a similar report last few days) I suggest adding this into the Idea Section to enhance UTM Signature to auto-block it.

    But if it "comes up recently" and was not there before, it may improve different in this case, please log a ticket and we´ll deeper check for a solution on it:

    https://support.zyxel.eu/hc/en-us/requests/new?ticket_form_id=114093996354

    Regards,

    Tobias
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    edited February 2022
    Thanks Tobias,
    what kind of screenshot do you mean, screenshot from log, or the alert log message?

    The other similar case was me, too. A few days ago we thought we could arrange a simple IP list for blacklisting such IPs, but this could only be implemented by security policy rule containing a range of consecutive IPs.

    That's why now my ask for switching off the alert log for that kind of messages. But it seems impossible as well.

    As a workaround I've created a new security policy rule which drops all TCP attempts from this IP. This may work as long as its only one suspicious IP. But in case of another additional IP, I would have to create another new rule. That couldn't be the solution.

    Cheers
  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary
    HI USG_User,

    I mean a log to prove that the any-any deny rule is shown with "Log" but do an Alert.

    I checked up the system currently there is no other customer report in this direction, so it looks like this IP seems right now exclusive going to send you this stuff.

    Regards,

    Tobias


  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    edited February 2022
    Hi Tobias,
    here is the screenshot where our default rule is set to "log" and not "alert log":



    And here is an example of such an alert log message again which will be sent out by email each time such an abnormal TCP packet arrives (presently about 5 times a day):

    No.  Date/Time           Source                 Destination           
          Priority            Category               Note                 
          Message
     1    2022-01-31 02:27:34 119.1.169.252:48336 ***.***.***.***                                  
          alert               secure-policy          ACCESS BLOCK                                   
          abnormal tcp traffic detected, destination port is zero, DROP


    But again, from my point of view, such abnormal TCP traffic belongs to USG category ADP and should be handled there but not with the default policy, isn't it?
  • valerio_vanni
    valerio_vanni Posts: 91  Ally Member
    First Answer First Comment Friend Collector Second Anniversary
    USG_User said:
    As a workaround I've created a new security policy rule which drops all TCP attempts from this IP. This may work as long as its only one suspicious IP. But in case of another additional IP, I would have to create another new rule. That couldn't be the solution.
    Why another rule?
    You can create a single rule, with a IP group as source.
    Then in IP group you set the single IPs.


  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    edited February 2022
    Why another rule?
    You can create a single rule, with a IP group as source.
    Then in IP group you set the single IPs.
    I'm aware of that. But you have to create single address objects for each IP which is not in a consecutive order. Although it would be only one additional rule, I think "blowing up" the security policy is not the smartest way to drop such anormal traffic attempts.

    @Zyxel_Tobias: Since yesterday we've got the additional security policy rule in place which should drop the "port zero abnormal TCP traffic" attempt from exact this IP. This rule is arranged prior the default rule and should neither log nor alert log the drops. Nevertheless USG has still sent two alert logs at night containing the drop of that abnormal traffic from that IP with exactly the same alert log message content as mentioned above.

    Here is our new security policy rule:


    Now only the alert checkbox (Log & Report > Log Settings) for "Security Policy Control" is ticked. Is this overruling the "no log" adjustment of the new security policy rule?



    As already said, from my point of view this anormal TCP traffic with zero port should be handled by ADP what means Anormaly Detection and Prevention. And ADP log is switched off.

    Any further hints would be appreciated.



  • Zyxel_Tobias
    Zyxel_Tobias Posts: 200  Zyxel Employee
    5 Answers First Comment Friend Collector Sixth Anniversary
    Hi @USG_User,

    our dev team is currently unavailable (this week), we can idle this case and continue Monday, or you log a ticket and get a follow up from us, when all tests are done: https://support.zyxel.eu/hc/en-us/requests/new?ticket_form_id=114093996354

    Regards,
    Tobias
  • USG_User
    USG_User Posts: 374  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary
    Moin Tobias,
    Yes, let's idle it until next week. Security is not affected since USG is dropping the packets in any case.

Security Highlight