Home page logo
/

bugtraq logo Bugtraq mailing list archives

Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SN MP
From: Martin O'Neal <BugTraq () corsaire com>
Date: Wed, 20 Feb 2002 21:05:35 -0000



-- Corsaire Limited Security Advisory --

Title: Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SNMP
Date: 21.01.02
Application: Symantec Enterprise Firewall (SEF) 6.5.x 
Environment: WinNT, Win2000
Author: Martin O'Neal [martin.oneal () corsaire com]
Audience: General distribution


-- Scope --

The aim of this document is to clearly define some issues related to 
potential data loss from the Notify Daemon within the Symantec 
Enterprise Firewall (SEF) environment as provided by Symantec [1].

Note: These issues do NOT appear to be directly related to recent SNMP 
issues announced by CERT as advisory CA-2002-03 [2].


-- History --

Vendor notified: 21.01.02 
Document released: 21.02.02


-- Overview --

The SEF firewall provides multiple methods of alerting an administrator
to firewall log events; audio, external executables, mail, pager and 
SNMP. This functionality is provided by a subsystem known as the Notify 
daemon.

When using the SNMP transport method, it is common to send traps back to 
a network management station (NMS) where they can be centrally coordinated
and managed.

When the log entries are larger than a certain threshold (1024-bytes)
then the Notify daemon starts to discard alerts.


-- Analysis --

If a notification rule is configured to use SNMPv1 to generate alerts for
all event types that are logged, when the notify daemon begins to drop 
alerts, this state is logged within the local firewall audit trail as:

notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational

It is worth noting that this alert is not subsequently passed on via SNMP. 

If SNMP is used to alert an administrator of potential issues, then there 
is the risk that the over sized entries will be lost.


-- Recommendations --

The behaviour of the SNMP Notify daemon should be revised to increase the 
size of the log messages accepted, up to the maximum allowed by the SNMP 
standard. Additionally, the daemon should also be amended to truncate the
log messages if over size and then transmit the shortened entry rather 
than discarding it.


-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID
    =47&PID=9674250&EID=0
[2] http://www.cert.org/advisories/CA-2002-03.html


-- Revision --

a. Initial release.
b. Revised detail to include clearer explanation of issue.
c. Revised detail to include clearer explanation of issue.


Copyright 2002 Corsaire Limited. All rights reserved. 


-----------------------------------------------------------------------------------------------------------------------
CONFIDENTIALITY:  This e-mail and any files transmitted with it are
confidential and intended solely for the use of the recipient(s) only.
Any review, retransmission, dissemination or other use of, or taking
any action in reliance upon this information by persons or entities
other than the intended recipient(s) is prohibited.  If you have
received this e-mail in error please notify the sender immediately
and destroy the material whether stored on a computer or otherwise.
-----------------------------------------------------------------------------------------------------------------------
DISCLAIMER:  Any views or opinions presented within this e-mail are
solely those of the author and do not necessarily represent those
of Corsaire Limited, unless otherwise specifically stated.
-----------------------------------------------------------------------------------------------------------------------

Corsaire Limited, 3 Tannery House, Tannery Lane, Send, Surrey, GU23 7EF
Telephone: +44(0)1483-226000  Email:info () corsaire com

This footnote confirms that this e-mail message has been swept by
MIMEsweeper for the presence of computer viruses.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]