I'm getting all these pings =( help a newbie


Mr.Blaze
August 27th, 2003, 01:41 AM
:'( I'm getting all these pings and they are filling up my ZAP logs... Is there any way to stop logging just those? I don't want to stop all logging, just all these pings??

It sucks, I get an alert in my log every second, it's insane.

CrazyM
August 27th, 2003, 01:57 AM
Hi Blaze

Which version of ZA are you using?
I believe the latest Pro and Plus versions allow for expert rules where you may be able to create a block rule with no logging.

Regards,

CrazyM

LowWaterMark
August 27th, 2003, 02:14 AM
Hi Blaze,

Yeah, this new worm is a real killer!! :o >:(

I've posted here a couple times that I like to leave my firewall logging everything just so I can see the same trends that people are talking about whenever something like the Blaster worm hits. (Of course, I have "alerting" turned off, so I don't get a popup for every event - that would be horrible for even a few dozen events, never mind the hundreds or thousands we're all getting now.)

For people running ZAP (or ZA+) 4.0, they have the ability to use an expert rule to block the new worm related events without logging or alerting on them. But, every other type of blocked event will still be logged. It's the best of both worlds. :)

To block the effects of these worms without logging them, you need to add an Expert Rule in ZAP 4.0... Open the ZAP user interface (from the systray) > select the Firewall panel > select the Expert tab...

In the lower right of that page, press the "Add" button to create a new rule. (If you haven't used this section before, you may have to play with it a bit to get comfortable.)

In the Add Rule screen, you'll want to fill it out so that it looks like this:

http://www.wilderssecurity.com/attachments/zap-wormrule-block-nolog.gif

Notice every field...

Rank - is the number of the rule. (Since ZAP isn't a rule based firewall, most users won't have any expert rules yet. Note that the order rules get executed can be critical when the scope of one also includes what is covered by a rule with a narrower scope. But, we won't get into all that here. Making this rule #1 is the easiest way to handle it unless you have other rules covering 135/tcp or inbound pings.)

Name - is a very short name for the rule. Pick any you want.

Comments - is any text you want to explain the rule or leave it empty.

State - is where you turn on/off a rule. Use the pulled down menu and tell ZAP this rule is to be "Enabled".

Action - is where you either choose to allow or block something. You want to "Block" all the stuff you'll be describing in the rule below.

Track - is where either alerting and/or logging is selected. Since the whole point of making this rule is to not do any alerting or logging, pick "None".

The rule itself is worked out in the 4 boxes at the bottom of the screen...

Source - Well, it's packets coming in from the Internet, so, hit the "Modify" button > go to "Add Location" and choose "Internet Zone". (This will replace the "Any" value that was there when you first brought the screen up.)

Destination - Since you are blocking incoming packets, the "destination" is your computer, so hit "Modify" > "Add Location" > and choose "My Computer".

Okay, we're almost done. The next box is the hardest since you have a second screen to fill out for each type of packet you'll be blocking...

Protocol - The worm we're all fighting has two types of probes. Pings and incoming TCP port 135 hits. You need to add each of these separately... Hit "Modify" > "Add Protocol" > "Add Protocol"...

Make the first protocol, the TCP port 135 block, look like this:

http://www.wilderssecurity.com/attachments/zap-wormrule-block-tcp135.gif

Hit OK. Now, on Protocol again, hit "Modify" > "Add Protocol" > "Add Protocol" again and make the PING (ICMP) block rule look like this:

http://www.wilderssecurity.com/attachments/zap-wormrule-block-pings.gif

Hit OK.

The last box (Time) should just be left at Any, so this rule will be active all the time.

Hit OK on this "Add Rule" screen to close it. This brings you back to the ZAP Firewall > Expert rule screen, hit the "Apply" button that is below and to the right of the Add button.

Done. The rule is now active.

This will simply block (stealth) all TCP port 135 and Pings coming in to your system from the Internet Zone. (That is important. I used the Internet Zone as the Source for these hits. This rule will not apply to Pings coming in from the Trusted Zone, so if you need Pings from your ISP or sites or games, enter their address in the trusted zone and this rule won't block them.)

If you want, you can edit the rule and set it to "Disabled" at any point, just to see if the Pings are still happening. But for me, I must say I've had it enabled for a couple weeks now and truly - Silence is Golden. :D

Edit: Oh, and here is the one-liner summary that should be visible on the expert rules page when the rule is active:

http://www.wilderssecurity.com/attachments/zap-wormrule-summary.gif
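A log-side counterpart to the rule above, added here as an example and not part of LowWaterMark's post: it classifies inbound ICMP echo requests and inbound TCP/135 hits from outside the trusted zone as worm noise, counts them, and leaves everything else (a ping from the trusted zone, your own outbound ping, an unrelated probe) for review. The FWIN/FWOUT line layout, the 192.168.1.0/24 trusted network and the sample lines are constructed assumptions, not a verified ZoneAlarm log format.

```python
"""Triage a ZoneAlarm-style firewall log: count the worm noise instead of
reading it line by line, and keep every other blocked event visible.
Added example, not from the thread; the FWIN/FWOUT line layout below is a
constructed approximation of ZoneAlarm's text log, not a verified format."""
import ipaddress
from collections import Counter

# Constructed sample: inbound ICMP echo and TCP/135 probes (the Welchia/Blaster
# traffic in the thread), a trusted-zone ping, an outbound ping, and one
# unrelated inbound probe (TCP/445) that must not be suppressed.
SAMPLE_LOG = """\
FWIN,2003/08/27,01:41:02 -5:00 GMT,203.0.113.7:0,192.168.1.10:0,ICMP (type:8/subtype:0)
FWIN,2003/08/27,01:41:03 -5:00 GMT,198.51.100.9:3421,192.168.1.10:135,TCP (flags:S)
FWIN,2003/08/27,01:41:03 -5:00 GMT,203.0.113.8:0,192.168.1.10:0,ICMP (type:8/subtype:0)
FWIN,2003/08/27,01:41:04 -5:00 GMT,192.168.1.1:0,192.168.1.10:0,ICMP (type:8/subtype:0)
FWOUT,2003/08/27,01:41:05 -5:00 GMT,192.168.1.10:0,192.0.2.1:0,ICMP (type:8/subtype:0)
FWIN,2003/08/27,01:41:06 -5:00 GMT,198.51.100.9:3422,192.168.1.10:445,TCP (flags:S)
"""

# Source = "Internet Zone" in the rule: any address outside the trusted
# networks counts as Internet. The CIDR is an assumption for the sample.
TRUSTED_ZONE = [ipaddress.ip_network("192.168.1.0/24")]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_ZONE)

def is_worm_noise(direction, src_ip, dst_port, proto):
    """Inbound (FWIN) ICMP echo request or TCP/135 from the Internet Zone only."""
    if direction != "FWIN" or is_trusted(src_ip):
        return False  # outbound pings and trusted-zone pings stay visible
    if proto.startswith("ICMP"):
        return "type:8/" in proto
    return proto.startswith("TCP") and dst_port == 135

def triage(log_text):
    """Return (Counter of suppressed noise by kind, list of lines to review)."""
    noise, keep = Counter(), []
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) < 6:
            continue  # skip blank or malformed lines
        direction, src, dst, proto = fields[0], fields[3], fields[4], fields[5]
        src_ip = src.rsplit(":", 1)[0]
        dst_port = int(dst.rsplit(":", 1)[1])
        if is_worm_noise(direction, src_ip, dst_port, proto):
            noise["icmp_echo" if proto.startswith("ICMP") else "tcp_135"] += 1
        else:
            keep.append(line)
    return noise, keep
```

Running `triage(SAMPLE_LOG)` on the sample yields two suppressed echo requests and one TCP/135 hit, with three lines left to review.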

meneer
August 27th, 2003, 04:38 AM
> LowWaterMark wrote:
> Yeah, this new worm is a real killer!! :o >:(

Correct, it's the Welchia, Blaster-D or Nachi worm (it's the worm that tries to repair the Blaster infection and in doing so floods the networks with pings). My Snort IDS identifies these connection requests as CyberKit 2.2 Windows attacks.

Mr.Blaze
August 27th, 2003, 11:19 AM
:D Thank you LowWaterMark, that worked like a charm.

Thx guys for your input as well.

This will help a lot of newbies wondering if they're being hacked because of the hundreds of alerts from this nasty worm attack.

So if you're a newbie and have Zone Alarm Pro,

you need to do the above, otherwise you will think you're being hacked every second of the day when it's just a worm going around attacking everything in sight.

libbo1
August 27th, 2003, 06:46 PM
And I'm running ZA free. Don't have no fancy settings. :-[ So I just muted the hits!!!! Log em in and send them to dShield once a day. (Wonder if that does any good!!??)

I envy you 'high cotton' dudes with all them fancy settings. I guess ima gettin my moneys worth though!!!! :P

LowWaterMark
August 27th, 2003, 07:43 PM
LOL. :D

There's nothing wrong with the way you are doing it. Stopping the alerts is the next best thing to something like the above. And it's great that you upload your alerts to DShield, I do that also, though obviously since I've stopped logging these specific ones, I'm no longer sending those in.

In the case of this worm though, and the 150K infected systems, (that being the last number I heard, I'm not sure if it's a lot more now), I don't think DShield or others like myNetWatchman can have much of an effect on this.

The ISPs all know the signature of infected systems and they could, if they wanted, identify the systems on their networks sending out continuous pings or TCP port 135 connection attempts. In truth, I don't think they really need reporting groups to tell them that they have a massive number of infected systems on their hands. But, it certainly can't hurt.

Randy_Bell
August 29th, 2003, 12:43 AM
Thanks LWM for the easy clear instructions. I saw your comments to the DSLR thread and came here to get the scoop. Thanks again, the dang pings have been driving me nuts. I will delete my ZoneLog Analyzer database {currently saturated with ten to fifteen thousand records, mostly pings} and start fresh after creating this rule. Warmly, Ran

wmccona
August 29th, 2003, 03:02 AM
Thanks a lot LowWaterMark.

I recently upgraded to ZAP 4.0 after having used ZAF for the last couple of years, and your instructions were just what I was looking for to stop logging all those Pings.

Keep up the great work,
Regards, Bill

Mr.Blaze
August 29th, 2003, 10:54 PM
:D Yup, thx LowWaterMark, great stuff.

Rainwalker
August 31st, 2003, 01:06 AM
Hmm...... do I dare ask how to write a rule for the same issue when using SPF Pro ::)

CrazyM
August 31st, 2003, 01:32 AM
Hi Rainwalker

> Rainwalker wrote:
> Hmm...... do I dare ask how to write a rule for the same issue when using SPF Pro ::)

Could you create a similar rule in the Advanced Rules of Sygate?

Regards,

CrazyM

Pieter_Arntz
August 31st, 2003, 07:43 AM
Correct me if I'm wrong.

http://home01.wxs.nl/~kleyn080/Image1SPF.gif

http://home01.wxs.nl/~kleyn080/Image2SPF.gif

Regards,

Pieter

CrazyM
August 31st, 2003, 07:58 AM
Hi Pieter

Thanks for the screenshots from Sygate.
For your ICMP echo request example, should the direction not be just for inbound? That particular rule would likely not allow you to ping others - depending on your other Advanced rules and their priority.

Regards,

CrazyM

Pieter_Arntz
August 31st, 2003, 08:43 AM
Hi CrazyM,

You can count on me to make errors like that. :-[
Yes, it does. If you want it to block only incoming, you can choose "Incoming" on the "Ports and Protocols" tab under "Traffic Direction".
I guess this way nobody would ever find out if I was infected with that worm? :P

Regards,

Pieter

Rainwalker
August 31st, 2003, 12:18 PM
Pieter, CrazyM,
Thank you, thank you :)

Rainwalker
August 31st, 2003, 02:03 PM
Oops..... I applied the SPF rule and nothing changed. Still in ping city. ??? By the way, for a while now whenever I drag n drop a smiley to this post and others I always get two instead of just the one....... browser issue ???

???

Pieter_Arntz
August 31st, 2003, 02:26 PM
Hi Rainwalker,

You didn't put a checkmark in "Record this traffic in Packet Log"?
And can you check in the Traffic Log if the pings are being blocked by this rule and not by any other rule higher in the hierarchy?

Regards,

Pieter

Rainwalker
August 31st, 2003, 03:11 PM
Thanks Pieter........ Rule is on top... box unchecked... my mistake .... I was thinking about the Traffic Log and hoping to stop recording there.. Packet block is working....... any way to stop logging of ICMP pings in the Traffic Log? :-\

Pieter_Arntz
August 31st, 2003, 03:21 PM
I don't think so.

> Traffic Log
>
> Simply put, this log logs all inbound and outbound traffic in detail that comes through your system/network.

Quote from: http://bellsouthpwp.net/i/k/ikpe/SygateBasicsPt2.html#Logs
Emphasis on "all" by me.

But I'm not 100% sure about this.
You could try the mail-link at the bottom of that site and see if King knows of a way to do what you want.
Or try at the Sygate forums (http://forums.sygate.com/vb/).

Regards,

Pieter

Rainwalker
August 31st, 2003, 06:03 PM
OK... again Pieter thank you for your time and assistance.

museheart
September 1st, 2003, 06:51 PM
> LowWaterMark wrote:
> LOL. :D
>
> There's nothing wrong with the way you are doing it. Stopping the alerts is the next best thing to something like the above. And it's great that you upload your alerts to DShield, I do that also, though obviously since I've stopped logging these specific ones, I'm no longer sending those in.
>
> In the case of this worm though, and the 150K infected systems, (that being the last number I heard, I'm not sure if it's a lot more now), I don't think DShield or others like myNetWatchman can have much of an effect on this.
>
> The ISPs all know the signature of infected systems and they could, if they wanted, identify the systems on their networks sending out continuous pings or TCP port 135 connection attempts. In truth, I don't think they really need reporting groups to tell them that they have a massive number of infected systems on their hands. But, it certainly can't hurt.

Excuse me but that is the cutest avatar I have ever seen!

Now, I just have ZA regular. I have been getting all kinds of pings also...for weeks.

I have Norton Anti Virus, Boclean and I was thinking about getting Norton Firewall or perhaps their whole security package.

Does anyone have an opinion about Firewalls?

CrazyM
September 1st, 2003, 07:17 PM
Hi museheart

> museheart wrote:
> I have Norton Anti Virus, Boclean and I was thinking about getting Norton Firewall or perhaps their whole security package.

If that combo along with ZA works for you, no need to change unless you were wanting to try NPF/NIS specifically.

> Does anyone have an opinion about Firewalls?

That's a pretty broad question for this forum ;). Anything in particular you were after? (perhaps in a post of its own to keep this one from going off topic)

Regards,

CrazyM

museheart
September 1st, 2003, 08:12 PM
Actually, I am not that crazy about Norton or ZA.

Mr.Blaze
October 16th, 2003, 01:27 AM
;D Bump, looks like some new newbies need help, there should be a sticky on this.

osmethne
October 16th, 2003, 05:20 AM
wow! blast from the past...