Re: Is it "fishy"?

["C. K. Lung" <clung () hotmail com>]

Stephane;

The firewall rejected their access.

Thanks and regards,


----- Original Message ----- 
From: "Stephane Nasdrovisky" <stephane.nasdrovisky () uniway be>
To: "C. K. Lung" <clung () hotmail com>
Cc: "Firewall-Wizards@Nfr. Net" <firewall-wizards () nfr net>
Sent: Wednesday, December 05, 2001 2:39 AM
Subject: Re: [fw-wiz] Is it "fishy"?


> Firewalls are not the only devices logging their (and user's) activity.
> You'd better have a look at you web server log and/or your IDS and/or
> your network flight recorder to get the full picture on this event.
>
> If you have some large files on your web server, this 2 hours session
> could be a slow transfer.
> I've seen browsers re-sending their fin packet during half an hour
> because of a checkpoint firewall-1 design flow. I would not be too
> surprise to see such packets during 2 hours.
>
> You're the only one who could answer the question currently. You know
> what's on your web server (i.e. is there some large page ?).
>
> ----- Original Message -----
> From: "C. K. Lung" <clung () hotmail com>
> Date: Tuesday, December 4, 2001 8:54 pm
> Subject: [fw-wiz] Is it "fishy"?
>
> > The firewall log shows that a host (YMCA12) has been using http
> > accessing a
> > web site over 2 hours.  Is it a form of "attack" or it is normal.
> > The time
> > is between 10:15 am till 12:30 pm.
> >
> > Any comments are much appreciated.
> >
> > Thanks,
> >
> > clung
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () nfr com
> > http://list.nfr.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () nfr com
> http://list.nfr.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards