Wilders Security Forums  

  #1  
Old October 17th, 2012, 08:57 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question I have a problem

Hi

Last week I installed the latest version of ESS V.5, and I have been seeing "Detected DNS cache poisoning attack" on average about 50-100 times a day so far.

I read @ ESET Knowledgebase
http://kb.eset.com/esetkb/index?page...nt&id=SOLN2933


I understand it is an ESS issue, Why bother to fix it by following the instructions?

I decided to downgrade to ESS V.4.X (latest version), and a friend of mine used my computer while I was out of town.

Just out of curiosity, How do I know how many Detected DNS cache poisoning attack messages my friend received in ESS V.4.X GUI OR log file?
__________________
Regards


REAL-TIME : Outpost Firewall Pro LIFETIME LICENSE, NOD 32, Shadow Defender, Sandboxie Paid , Prevx 3.0, Hitman Pro, SpywareBlaster
ON-DEMAND: MBAM Pro, SAS Pro Real Time Protection,
BACKUP : Acronis True Image 2011 Registered
  #2  
Old October 17th, 2012, 09:56 AM
Marcos Marcos is offline
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,193
Default Re: I have a problem

V5 detects the same attacks as v4 except that it notifies the user when an attack is detected instead of just logging it in the firewall log. Attack notifications can be disabled in v5 and newer.
What are the source IP addresses of these DNS cache poisoning attacks?
  #3  
Old October 18th, 2012, 03:37 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question Re: I have a problem

Quote:
Originally Posted by Marcos
V5 detects the same attacks as v4 except that it notifies the user when an attack is detected instead of just logging it in the firewall log. Attack notifications can be disabled in v5 and newer.
What are the source IP addresses of these DNS cache poisoning attacks?

V5: Most of them are: Source 10.3.77.26:53 Target 197.168.0.122:1040

Then if V5 notifies the user when an attack is detected, and v4 does not...

V4: I do not know how many "Detected DNS cache poisoning attack" messages I had while my friend was using my computer. How can I find out?

Thank you

Last edited by rebelscum0000 : October 18th, 2012 at 08:48 AM.
  #4  
Old October 19th, 2012, 08:26 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question Re: I have a problem

Quote:
Originally Posted by Marcos
V5 detects the same attacks as v4 except that it notifies the user when an attack is detected instead of just logging it in the firewall log. Attack notifications can be disabled in v5 and newer.
What are the source IP addresses of these DNS cache poisoning attacks?

Hello?
  #5  
Old October 22nd, 2012, 04:01 PM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Angry Re: I have a problem

Quote:
Originally Posted by Marcos
V5 detects the same attacks as v4 except that it notifies the user when an attack is detected instead of just logging it in the firewall log. Attack notifications can be disabled in v5 and newer.
What are the source IP addresses of these DNS cache poisoning attacks?

Where is the official Eset support forum? Could you be so kind as to provide me the link?

TIA
  #6  
Old October 22nd, 2012, 04:19 PM
SweX SweX is online now
Massive Poster
 
Join Date: Apr 2007
Location: Sweden
Posts: 3,652
Default Re: I have a problem

Quote:
Originally Posted by rebelscum0000
Where is the official Eset support forum?

You are writing in it right now

I guess that you are waiting for a reply from Marcos or another ESET Mod?
__________________
OpenDNS ESET Smart Security
-A Heavy product is not the same as a Bloated product and vice versa-
  #7  
Old October 22nd, 2012, 04:23 PM
Marcos Marcos is offline
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,193
Default Re: I have a problem

Does the IP address 10.3.77.26 belong to your Internet provider's DNS server?
  #8  
Old October 23rd, 2012, 03:44 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Default Re: I have a problem

Quote:
Originally Posted by Marcos
Does the IP address 10.3.77.26 belong to your Internet provider's DNS server?

Yes, Confirmed with my ISP and ipconfig /all

And once again my main question

I downgraded to V.4
How do I know how many DNS cache poisoning attacks I had while my friend was using my computer and I was out of town?

V.4 GUI Or Log File?

Last edited by rebelscum0000 : October 23rd, 2012 at 03:52 AM.
  #9  
Old October 23rd, 2012, 08:25 AM
encus encus is offline
Frequent Poster
 
Join Date: Nov 2009
Posts: 531
Default Re: I have a problem

Quote:
Originally Posted by rebelscum0000
Yes, Confirmed with my ISP and ipconfig /all

And once again my main question

I downgraded to V.4
How do I know how many DNS cache poisoning attacks I had while my friend was using my computer and I was out of town?

V.4 GUI Or Log File?

For ESS v4, you can view all the attacks in the firewall log.

Good luck!
  #10  
Old October 23rd, 2012, 10:50 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question Re: I have a problem

Quote:
Originally Posted by encus
For ESS v4, you can view all the attacks in the firewall log.

Good luck!

Thank you, sir, but I cannot find the firewall logs

Where are they located?

Windows XP Pro SP3

TIA
  #11  
Old October 25th, 2012, 10:43 AM
encus encus is offline
Frequent Poster
 
Join Date: Nov 2009
Posts: 531
Default Re: I have a problem

Quote:
Originally Posted by rebelscum0000
Thank you, sir, but I cannot find the firewall logs

Where are they located?

Windows XP Pro SP3

TIA

1. Open ESS main menu
2. Click Tools -> Log
3. From drop down menu, select Personal Firewall Log

HTH.
  #12  
Old October 25th, 2012, 06:44 PM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question Re: I have a problem

Quote:
Originally Posted by encus
1. Open ESS main menu
2. Click Tools -> Log
3. From drop down menu, select Personal Firewall Log

HTH.

Thank you, but using the V.4 GUI and following your instructions, the Eset Personal firewall log is empty. I do not understand why I cannot view all the attacks in the firewall log.

Or if I need to post my firewall log here @ this forum, where is the log file located?

Windows XP SP3

Thanks in advance for any help you can provide me
  #13  
Old October 30th, 2012, 03:32 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
I Say! Re: I have a problem

Hello?
  #14  
Old October 30th, 2012, 04:34 AM
Marcos Marcos is offline
Eset Moderator
 
Join Date: Nov 2002
Posts: 14,193
Default Re: I have a problem

There are no differences in DNS cache poisoning detection between v4 and v5 as both utilize the same firewall module which includes the functionality for attack detections. If the attack is not detected any more with v4, it shouldn't be detected after installing v5 either.
  #15  
Old October 31st, 2012, 12:13 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question Re: I have a problem

Quote:
Originally Posted by Marcos
Does the IP address 10.3.77.26 belong to your Internet provider's DNS server?

I confirmed the IP address 10.3.77.26 belongs to my Internet provider's DNS server. Then is it a real attack?
  #16  
Old November 5th, 2012, 09:03 AM
SweX SweX is online now
Massive Poster
 
Join Date: Apr 2007
Location: Sweden
Posts: 3,652
Default Re: I have a problem

Quote:
Originally Posted by rebelscum0000
Thank you, but using the V.4 GUI and following your instructions, the Eset Personal firewall log is empty. I do not understand why I cannot view all the attacks in the firewall log.

Or if I need to post my firewall log here @ this forum, where is the log file located?

Windows XP SP3

Thanks in advance for any help you can provide me

You need to enable logging of the firewall so the firewall log will be filled with information.
  #17  
Old November 6th, 2012, 11:14 AM
BellaBoo's Avatar
BellaBoo BellaBoo is offline
Regular Poster
 
Join Date: May 2009
Location: SydYork, US of Oz
Posts: 114
Default Re: I have a problem

how to upload a pic ... this poster needs a visual!

[Attachment 235366: Someone elses intrusion scap.JPG]

did that work!??!

HA thar it beeee!

OP, tick the yellow highlighted box then click OK. after a short while, your log will reveal the relevant activity.

fyi, google the offending ip addy/s to identify them.

i had a couple intruders (from china and germany) but it turned out they were just *looking* [common, recurring attempts] so i ran checks on my computer using ShieldsUp! via grc.com and i was satisfied with the results: my computer provided zero access.

so i unchecked the box 'Display notification after attack detection' box [see above pic under intrusion detection]

HTH

good luck, btw!

edited to add necessary clarification
__________________

Roxy
'techno was made for people who can't dance' ~ Rt, twitter, 16 May 2009

Win7 Pro x64, v.6.1.7601, SP1
AMD Phenom(tm) II X6 1055T Processor (2800 MHz), 12288 MB RAM, AMD Radeon 6800 Series
OS: Office 2010 ProPlus

Last edited by BellaBoo : November 6th, 2012 at 12:51 PM.
  #18  
Old November 12th, 2012, 01:33 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question Re: I have a problem

Quote:
Originally Posted by BellaBoo
how to upload a pic ... this poster needs a visual!

Attachment 235366

did that work!??!

HA thar it beeee!

OP, tick the yellow highlighted box then click OK. after a short while, your log will reveal the relevant activity.

fyi, google the offending ip addy/s to identify them.

i had a couple intruders (from china and germany) but it turned out they were just *looking* [common, recurring attempts] so i ran checks on my computer using ShieldsUp! via grc.com and i was satisfied with the results: my computer provided zero access.

so i unchecked the box 'Display notification after attack detection' box [see above pic under intrusion detection]

HTH

good luck, btw!

edited to add necessary clarification

Thank you very much, and sorry for the delay. Using ShieldsUp, my IP is dynamic, I will never pass the test, so I cannot run checks on my computer. Any other suggestion?
  #19  
Old November 20th, 2012, 09:45 AM
BellaBoo's Avatar
BellaBoo BellaBoo is offline
Regular Poster
 
Join Date: May 2009
Location: SydYork, US of Oz
Posts: 114
Default Re: I have a problem

hey rebel sorry, i missed your post...

even tho your IP is dynamic [about which i know nothing], did you at least try ShieldsUp!?

i have no other suggestions for you, but perhaps with the passage of time, you've been able to work out something.

if not, good luck in your endeavours
  #20  
Old November 20th, 2012, 09:55 AM
BellaBoo's Avatar
BellaBoo BellaBoo is offline
Regular Poster
 
Join Date: May 2009
Location: SydYork, US of Oz
Posts: 114
Default Re: I have a problem

so, i researched dynamic IP and i came up with this: http://whatismyipaddress.com/dynamic-static

it says tho that and i quote: ... Dynamic IP addressing assigns a different IP address each time the ISP customer logs on to their computer, ...! so, if that were the case, ShieldsUp! will scan your computer during your current computer session and if there are any hiccups, they'll be revealed. so, it doesn't matter the ip addy, it matters that your computer is silent to the outside world.

unless however: If you have Dynamic IP Addressing through your Website Host it means that you are sharing an IP Address with several other customers. in which case, ShieldsUp! would be pointless.
  #21  
Old November 28th, 2012, 04:08 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question Re: I have a problem

Quote:
Originally Posted by BellaBoo
hey rebel sorry, i missed your post...

even tho your IP is dynamic [about which i know nothing], did you at least try ShieldsUp!?

i have no other suggestions for you, but perhaps with the passage of time, you've been able to work out something.

if not, good luck in your endeavours

Thank you BellaBoo, yup I tried ShieldsUp! but I was not sure
  #22  
Old November 28th, 2012, 04:10 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question Re: I have a problem

Quote:
Originally Posted by BellaBoo
so, i researched dynamic IP and i came up with this: http://whatismyipaddress.com/dynamic-static

it says tho that and i quote: ... Dynamic IP addressing assigns a different IP address each time the ISP customer logs on to their computer, ...! so, if that were the case, ShieldsUp! will scan your computer during your current computer session and if there are any hiccups, they'll be revealed. so, it doesn't matter the ip addy, it matters that your computer is silent to the outside world.

unless however: If you have Dynamic IP Addressing through your Website Host it means that you are sharing an IP Address with several other customers. in which case, ShieldsUp! would be pointless.

OK I will try again, Thank you very much
  #23  
Old November 28th, 2012, 04:16 AM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Question Re: I have a problem

Hi,

Could it be a possibility that I am receiving DNS cache poisoning detections because I am sending massive emails from my Mac to my Outlook Express?

Thanks in advance for any help you can provide me

Win XP SP3
  #24  
Old November 28th, 2012, 11:41 AM
dwomack's Avatar
dwomack dwomack is offline
Eset Moderator
 
Join Date: Mar 2011
Posts: 585
Default Re: I have a problem

This could be a possibility. What the KB article does not state is the various reasons that your IP address could be triggering the DNS Cache Poisoning Attack Detections. This is because there are simply too many reasons to reasonably list and we don't want to speculate on causes without complete information.

I've seen this happen with non-standard data traffic or when the router pings your network to verify it's still connected. There are many other reasons for the detection to be triggered. The IP addresses you provided for the Source (ISP) and Target (you) are within the safe range so it's very likely one of these reasons (including the one you gave) could be the reason you have seen these notifications. Again, without complete information, it's hard to speculate. It might be worth placing a call or submitting a support ticket with your local ESET distributor for more efficient support: http://www.eset-la.com/soporte/contacto
__________________
Resources: KnowledgebaseFacebook (US) • @ESET@ESETNASupportNewsBlog • YouTube: ESETKnowledgebase and esetusa
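
Added example (not part of the thread and not ESET's detection logic): a small Python triage for the kind of alert discussed above. It checks whether each alert's source is a DNS server the machine is configured to use, which is the question Marcos asked, and whether both endpoints sit in RFC 1918 private space. The alert tuples, the resolver list and the simplified source/target form are assumptions, not the ESET log format.

```python
import ipaddress
from collections import Counter

# RFC 1918 private ranges, listed explicitly so the check is unambiguous.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts as (source, target). The first two use the
# endpoints exactly as written in the thread; the last two are made up
# for contrast (203.0.113.9 is a documentation address).
SAMPLE_ALERTS = [
    ("10.3.77.26:53", "197.168.0.122:1040"),
    ("10.3.77.26:53", "197.168.0.122:1041"),
    ("203.0.113.9:53", "192.168.0.122:1040"),
    ("10.3.77.26:4444", "192.168.0.122:1040"),
]

# Assumption: the DNS servers reported by `ipconfig /all` on this machine.
CONFIGURED_DNS = {"10.3.77.26"}


def is_rfc1918(ip):
    """True if the address lies in one of the RFC 1918 private ranges."""
    return any(ip in net for net in RFC1918)


def split_endpoint(endpoint):
    """Split 'a.b.c.d:port' into (IPv4Address, int)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def triage(source, target, resolvers):
    """Classify one alert by where the flagged DNS reply came from."""
    src_ip, src_port = split_endpoint(source)
    dst_ip, _ = split_endpoint(target)
    if src_port != 53:
        verdict = "not-from-dns-port"       # not a DNS server reply at all
    elif str(src_ip) in resolvers:
        verdict = "configured-resolver"     # reply from our own DNS server
    else:
        verdict = "unexpected-dns-source"   # DNS reply from an unknown server
    return {
        "verdict": verdict,
        "source_private": is_rfc1918(src_ip),
        "target_private": is_rfc1918(dst_ip),
    }


def summarize(alerts, resolvers):
    """Count alerts per verdict so the dominant cause stands out."""
    return Counter(triage(s, t, resolvers)["verdict"] for s, t in alerts)


if __name__ == "__main__":
    for src, dst in SAMPLE_ALERTS:
        print(src, "->", dst, triage(src, dst, CONFIGURED_DNS))
    print(dict(summarize(SAMPLE_ALERTS, CONFIGURED_DNS)))
```

Alerts that land in `unexpected-dns-source` are the ones worth a closer look; a pile of `configured-resolver` hits points at the resolver's or the router's behaviour instead.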
  #25  
Old November 28th, 2012, 02:33 PM
rebelscum0000's Avatar
rebelscum0000 rebelscum0000 is offline
Regular Poster
 
Join Date: Oct 2006
Location: Mexico City
Posts: 67
Thumbs up Re: I have a problem

Quote:
Originally Posted by dwomack
This could be a possibility. What the KB article does not state is the various reasons that your IP address could be triggering the DNS Cache Poisoning Attack Detections. This is because there are simply too many reasons to reasonably list and we don't want to speculate on causes without complete information.

I've seen this happen with non-standard data traffic or when the router pings your network to verify it's still connected. There are many other reasons for the detection to be triggered. The IP addresses you provided for the Source (ISP) and Target (you) are within the safe range so it's very likely one of these reasons (including the one you gave) could be the reason you have seen these notifications. Again, without complete information, it's hard to speculate. It might be worth placing a call or submitting a support ticket with your local ESET distributor for more efficient support: http://www.eset-la.com/soporte/contacto

Thank you sir
 

All times are GMT -4.