Legit Attacks or Noise?
FireDancer
August 14th, 2003, 12:51 PM
Hi All,
I am still in learning mode and I am now trying to learn to decipher logs. I am still new to my firewall and all of its
components, but coming along nicely with the help of others.
I received these logs last night and want to know if they are just noise from the internet or legitimate attacks.
Any advice would be greatly appreciated. Here is a snippet of what started last night at around 10 pm my time and ended around 2 am.
Regards,
FireDancer
BlitzenZeus
August 14th, 2003, 01:00 PM
Go into your firewall administration, advanced, misc tab, and uncheck 'log suspicious packets', as it mostly logs garbage. The logs are mostly useless as they are just timed out packets that arrived after the service stopped listening. Personally I can't even believe they used the word attack when it's used completely out of context.
The block lower ports rule is a rule you made, other than that everything is fine.
If the packets were not inspected there is no way to know their true intent, so they are merely probes when blocked.
CrazyM
August 14th, 2003, 01:20 PM
Hi FireDancer
-{ Quote: "Legit Attacks or Noise?" }-
Short answer, noise and nothing to worry about.
As BlitzenZeus suggested, most of those entries for "TCP ack packet attack" will just be packets arriving late. In your log sample, the remote service 80/http (came from the service/port used by web servers) and local service 1914/ephemeral port (ports in this range 1024-5000 are used by your system as part of an active outbound connection) indicate this. If you leave the "log suspicious packets" enabled, your logs will fill up quickly with these types of entries.
The blocked outbound netbios is not unusual either. When you visit some web sites they will make a call to netbios. In this case your rules did not permit this and blocked it. This is good and as it should be.
Going to that same site in your logs (Windows update) I will get the same entry in my firewall log:
2003/08/14, 10:07:00.834, GMT -0700, 2011, Device 2, Blocked outgoing UDP packet (no matching rule), src=192.168.1.5, dst=207.46.134.93, sport=137, dport=137
Regards,
CrazyM
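The two rules of thumb in CrazyM's reply (a "TCP ack packet" entry from a well-known server port to a local 1024-5000 ephemeral port is a late reply to a connection already closed; a blocked outbound UDP 137 packet is a NetBIOS lookup the rules correctly stopped) can be applied mechanically to the log format he quoted. This is an added example, not code from the thread; the first sample line is the one posted above, the other two are constructed stand-ins for the unposted "TCP ack packet attack" entries, and the 192.168.1.x LAN prefix is taken from that line.

```python
import re

# Constructed sample log in the same comma-separated layout as the entry
# posted above. Line 1 is the posted line; lines 2-3 are made up to stand in
# for the "TCP ack packet attack" entries (203.0.113.0/24 is a documentation
# range, not a real host).
SAMPLE_LOG = """\
2003/08/14, 10:07:00.834, GMT -0700, 2011, Device 2, Blocked outgoing UDP packet (no matching rule), src=192.168.1.5, dst=207.46.134.93, sport=137, dport=137
2003/08/13, 22:14:07.112, GMT -0700, 2012, Device 2, TCP ack packet attack, src=203.0.113.10, dst=192.168.1.5, sport=80, dport=1914
2003/08/13, 22:31:44.501, GMT -0700, 2012, Device 2, TCP ack packet attack, src=203.0.113.77, dst=192.168.1.5, sport=6667, dport=445
"""

FIELD_RE = re.compile(r"(\w+)=([\d.]+)")
EPHEMERAL = range(1024, 5001)   # client-side port range cited in the thread
LOCAL_PREFIX = "192.168.1."     # the poster's LAN, as seen in the posted line

def parse_entry(line):
    """Split one log line into its message text and src/dst/port fields."""
    parts = [p.strip() for p in line.split(", ")]
    kv = dict(FIELD_RE.findall(line))
    return {
        "message": parts[5],
        "src": kv["src"], "dst": kv["dst"],
        "sport": int(kv["sport"]), "dport": int(kv["dport"]),
    }

def classify(entry):
    """Apply the thread's two heuristics; anything else is left for review."""
    inbound_to_us = entry["dst"].startswith(LOCAL_PREFIX)
    if "ack packet" in entry["message"].lower() and inbound_to_us:
        # Server port replying to one of our ephemeral ports: the connection
        # was already torn down locally, so the ACK is stale, not an attack.
        if entry["sport"] < 1024 and entry["dport"] in EPHEMERAL:
            return "noise: late ACK from a finished outbound connection"
    msg = entry["message"]
    if "outgoing" in msg and "UDP" in msg and entry["dport"] == 137:
        return "expected: outbound NetBIOS name query blocked by rules"
    # e.g. an ACK aimed at a service port (445) does not fit the late-reply
    # pattern and deserves a second look.
    return "review: not explained by the thread's heuristics"

def triage(log_text):
    """Return one (message, verdict) pair per non-empty log line."""
    entries = map(parse_entry, filter(None, log_text.splitlines()))
    return [(e["message"], classify(e)) for e in entries]

if __name__ == "__main__":
    for message, verdict in triage(SAMPLE_LOG):
        print(f"{message:48} -> {verdict}")
```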
FireDancer
August 14th, 2003, 01:37 PM
Blitz & CrazyM,
Thanks so much for all your help!!! I am feeling a bit more confident in my rules and making them. Still a lot to learn and it can be kind of a slow process at times, but well worth it.
Very Best Regards,
FireDancer