2 Replies Latest reply on Jun 11, 2013 12:07 PM by dpbpc62

    Filter or stop logging an event

    dpbpc62

      We have several Websense set up on our network in offline mode.  The way it works is that it will inject spoofed RST packets to both the client and the server of a TCP session.  For example:

       

      Client -> Server SYN
      Server -> Client SYN ACK
      Websense (Spoofed as Client) -> Server RST
      Websense (Spoofed as Server) -> Client RST

      This hasn't been causing much of an obvious issue on the MFE until a recent Websense update where they are now sending RST packets based on IP address for Facebook and Twitter.

      I am now getting quite a lot of alerts in my logs about this.  I would assume that this is caused by the RST clearing the session on the MFE before it caused the client to stop sending packets.

       

      Do you know if there is a way to tell the MFE to not log this event?


      Application    <Unknown TCP>
      Area   aclquery
      Attackip      x.x.x.x
      Attackzone     internal
      CacheHit       1
      Category       policy_violation
      Cmd    httpp
      Date   2013-06-10 11:27:08 -0400
      DestGeo        US
      DestPort       80
      DestZone       external
      Domain htpp
      Dstip  x.x.x.x
      Event  ACL deny
      Facility       http_proxy
      Hostname      hostname.com
      Logid  0
      Pid    2666
      Priority       major
      Protocol       6
      Reason Traffic denied by policy.
      Rule_name      Deny All
      SourcePort     45939
      SourceZone     internal
      Srcip  x.x.x.x
      Ssl_name       Exempt All
      Syslog  2
      Syslog Critical (2)
      Type   attack