Threats log for denied packets

L1 Bithead

Threats log for denied packets

Dear all,

I currently have a generic rule which blocks netbios-like traffic to and from internet with a simple deny. As this traffic is very likely to be malware generated (at least in my context) I have enabled a simple alert-only antivirus profile on that rule, but I don't get any entries in the thread logs. On the other hand, when I turn the rule to be accept instead of deny, threads logs is filed with virus alert.

So, does the deny has precedence over the antivurs profile, dicarding the paket before it has a chance to be analysed ?

If so, what can I do to achieve the what I described ?

Thanks alot.

Tags (3)
L4 Transporter

If your security rule is blocking by port number then the traffic will probably be dropped before any type of application ID can be done or threat can be detected.  If you are blocking by application signature then you will see the application in the traffic log, but the packets are being dropped before any threat can come through. In other words, you are seeing the application session initiation but no payload.

A rule of thumb is to never turn on any profiles for a deny rule.  There is no need since the packets are dropped by policy and not inspected any further.  Profiles are only useful for allowed traffic.


L3 Networker

Could these rule of thumbs be compiled into a single pdf? :-)

L1 Bithead

Thank you for this quick answer, this is indeed what I had deduced too.

So is there a way to achieve this ? We are already generating an "odd behavioured machines" repport on allowed trafic, but having also the denied one would make this repport muich more usefull.

Any thoughts ?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!