2006-08-02
RobertGraham
Re: th_flags: 2 message_info: SYN packet for established connection

Have you guys searched CHKP's SecureKnowledge database? There should be a technote that explains this is coming from SmartDefense and that you have to use dbedit to change the definition.

If memory serves, what's happening is MS Proxy is behaving in a way that doesn't jibe with the connections table held for three-way handshakes on the firewall. You can either do a packet capture and try to file a bug report with MS or you can use the SK article to disable the SmartDefense check. My preference is both. Disable SmartDefense and replace with a real IDS solution AND use proxy products (like BlueCoat) that don't mess up transmissions like MS does.

That's my two cents on this.