-- Corsaire Limited Security Advisory --

Title: Symantec Enterprise Firewall (SEF) Notify Daemon data loss via SNMP
Date: 21.01.02
Application: Symantec Enterprise Firewall (SEF) 6.5.x
Environment: WinNT, Win2000
Author: Martin O'Neal [martin.oneal@corsaire.com]
Audience: General distribution

-- Scope --

The aim of this document is to clearly define some issues related to potential data loss from the Notify Daemon within the Symantec Enterprise Firewall (SEF) environment as provided by Symantec [1].

Note: These issues do NOT appear to be directly related to the recent SNMP issues announced by CERT as advisory CA-2002-03 [2].

-- History --

Vendor notified: 21.01.02
Document released: 21.02.02

-- Overview --

The SEF firewall provides multiple methods of alerting an administrator to firewall log events: audio, external executables, mail, pager and SNMP. This functionality is provided by a subsystem known as the Notify daemon.

When using the SNMP transport method, it is common to send traps back to a network management station (NMS) where they can be centrally coordinated and managed.

When the log entries are larger than a certain threshold (1024 bytes), the Notify daemon starts to discard alerts.

-- Analysis --

If a notification rule is configured to use SNMPv1 to generate alerts for all logged event types, then when the Notify daemon begins to drop alerts, this state is logged within the local firewall audit trail as:

notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational

It is worth noting that this alert is not subsequently passed on via SNMP. If SNMP is used to alert an administrator of potential issues, then there is the risk that the oversized entries will be lost.

-- Recommendations --

The behaviour of the SNMP Notify daemon should be revised to increase the size of the log messages accepted, up to the maximum allowed by the SNMP standard.
Additionally, the daemon should also be amended to truncate the log messages if oversized and then transmit the shortened entry rather than discarding it.

-- References --

[1] http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=9674250&EID=0
[2] http://www.cert.org/advisories/CA-2002-03.html

-- Revision --

a. Initial release.
b. Revised detail to include clearer explanation of issue.
c. Revised detail to include clearer explanation of issue.

Copyright 2002 Corsaire Limited. All rights reserved.
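Because the "failed to notify" audit entry is never forwarded over SNMP, an NMS cannot see that alerts are being dropped; the local audit trail has to be read directly. The following is an added example (not Symantec's or Corsaire's code) that scans a constructed audit trail for that entry and for log lines above the 1024-byte threshold, and shows the truncate-rather-than-discard behaviour the recommendations ask for. The format of the non-notifyd sample lines is an assumption.

```python
import re

# Size above which the advisory reports the Notify daemon discards SNMP alerts.
MAX_SNMP_ALERT_BYTES = 1024

# The audit-trail entry the advisory quotes when a notification is dropped.
DROP_RE = re.compile(
    r"notifyd\[\d+\]: 606 failed to notify: "
    r"transport=(?P<transport>\w+), priority=(?P<priority>\w+)"
)


def find_dropped_notifications(log_lines):
    """Return (transport, priority) for every dropped-notification entry found."""
    found = []
    for line in log_lines:
        m = DROP_RE.search(line)
        if m:
            found.append((m.group("transport"), m.group("priority")))
    return found


def find_oversized_entries(log_lines, limit=MAX_SNMP_ALERT_BYTES):
    """Return indexes of entries whose encoded size exceeds the limit,
    i.e. entries at risk of being silently discarded by the Notify daemon."""
    return [i for i, line in enumerate(log_lines)
            if len(line.encode("utf-8")) > limit]


def truncate_for_trap(entry, limit=MAX_SNMP_ALERT_BYTES, marker="...[truncated]"):
    """Mitigation from the recommendations: shorten an oversized entry so it
    still fits a trap instead of being dropped. Short entries pass unchanged."""
    data = entry.encode("utf-8")
    if len(data) <= limit:
        return entry
    keep = limit - len(marker.encode("utf-8"))
    return data[:keep].decode("utf-8", errors="ignore") + marker


# Constructed sample audit trail (hypothetical line format apart from the notifyd entry).
SAMPLE_LOG = [
    "Feb 21 10:00:01 fw kernel: 120 Statistics: duration=30 sent=512 rcvd=2048",
    "Feb 21 10:00:02 fw httpd: 534 Request: url=/" + "A" * 1100,
    "Feb 21 10:00:03 fw notifyd[0]: 606 failed to notify: transport=SNMP1, priority=Informational",
    "Feb 21 10:00:04 fw kernel: 121 Statistics: duration=31 sent=600 rcvd=1900",
]

if __name__ == "__main__":
    print("dropped:", find_dropped_notifications(SAMPLE_LOG))   # [('SNMP1', 'Informational')]
    print("oversized indexes:", find_oversized_entries(SAMPLE_LOG))  # [1]
```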