Show and Tell

Discussion in 'other firewalls' started by controler, Nov 9, 2002.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Outpost Attack log..
    Interesting since I never get port scans or requests.
    11/9/2002 1:43:08 PM   Connection request   64.4.12.57   TCP(2266)
    11/9/2002 1:41:10 PM   Port scanned   216.52.46.143   TCP(1954) TCP(1956) TCP(1955) TCP(1287) TCP(1352) TCP(1307)
    11/9/2002 1:41:10 PM   Connection request   216.52.46.143   TCP(1954)
    11/9/2002 1:41:10 PM   Connection request   216.52.46.143   TCP(1956)
    11/9/2002 1:41:10 PM   Connection request   216.52.46.143   TCP(1955)
    11/9/2002 1:40:29 PM   Connection request   216.52.46.143   TCP(1287)
    11/9/2002 1:40:23 PM   Connection request   216.52.46.143   TCP(1352)
    11/9/2002 1:40:13 PM   Connection request   216.52.46.143   TCP(1307)
    11/9/2002 1:40:06 PM   Connection request   216.52.46.143   TCP(1295)
    11/9/2002 1:38:29 PM   Connection request   216.52.46.143   TCP(1287)
    11/9/2002 1:38:24 PM   Connection request   216.52.46.143   TCP(1352)
    11/9/2002 1:38:14 PM   Connection request   216.52.46.143   TCP(1307)
    11/9/2002 1:38:06 PM   Connection request   216.52.46.143   TCP(1295)
    11/9/2002 1:36:29 PM   Connection request   216.52.46.143   TCP(1287)
    11/9/2002 1:36:24 PM   Connection request   216.52.46.143   TCP(1352)
    11/9/2002 1:36:14 PM   Connection request   216.52.46.143   TCP(1307)
    11/9/2002 1:36:07 PM   Connection request   216.52.46.143   TCP(1295)
    11/9/2002 1:34:30 PM   Connection request   216.52.46.143   TCP(1287)
    11/9/2002 1:34:25 PM   Connection request   216.52.46.143   TCP(1352)
    11/9/2002 1:34:15 PM   Connection request   216.52.46.143   TCP(1307)
    11/9/2002 1:34:07 PM   Connection request   216.52.46.143   TCP(1295)
    11/9/2002 1:32:31 PM   Connection request   216.52.46.143   TCP(1287)
    11/9/2002 1:32:26 PM   Connection request   216.52.46.143   TCP(1352)
    11/9/2002 1:32:16 PM   Connection request   216.52.46.143   TCP(1307)
    11/9/2002 1:32:08 PM   Connection request   216.52.46.143   TCP(1295)
    11/9/2002 1:30:59 PM   Connection request   195.101.191.68   UDP(137)
    11/9/2002 1:30:31 PM   Connection request   216.52.46.143   TCP(1287)
    11/9/2002 1:30:26 PM   Connection request   216.52.46.143   TCP(1352)
    11/9/2002 1:30:16 PM   Connection request   216.52.46.143   TCP(1307)
    11/9/2002 1:30:08 PM   Connection request   216.52.46.143   TCP(1295)
    11/9/2002 1:30:07 PM   Connection request   211.252.3.207   UDP(137)
    11/9/2002 1:28:32 PM   Connection request   216.52.46.143   TCP(1287)
    11/9/2002 1:28:27 PM   Connection request   216.52.46.143   TCP(1352)
    11/9/2002 1:28:16 PM   Connection request   216.52.46.143   TCP(1307)
    11/9/2002 1:28:09 PM   Connection request   216.52.46.143   TCP(1295)
    11/9/2002 1:11:19 PM   Connection request   218.156.54.42   UDP(137)
    11/9/2002 1:09:55 PM   Connection request   217.65.231.179   TCP(1433)
    11/9/2002 1:07:20 PM   Connection request   63.25.190.16   UDP(137)
    11/9/2002 1:05:31 PM   Connection request   219.241.155.254   TCP(1433)
    11/9/2002 12:32:41 PM   Connection request   24.184.118.206   UDP(137)
    11/9/2002 12:29:46 PM   Connection request   211.227.86.27   UDP(137)
    11/9/2002 12:18:08 PM   Connection request   80.15.99.230   UDP(137)
    11/9/2002 12:16:24 PM   Connection request   80.24.12.200   UDP(137)
    11/9/2002 12:08:09 PM   Connection request   62.254.100.7   UDP(137)
    11/9/2002 12:07:58 PM   Connection request   24.232.38.167   UDP(137)
    11/9/2002 11:51:15 AM   Connection request   68.146.203.66   UDP(137)
    11/9/2002 11:49:04 AM   Connection request   65.198.225.82   UDP(137)
    11/9/2002 11:45:52 AM   Connection request   63.188.128.199   UDP(137)
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    Well, he's not scanning for (known) trojans. Strange how the same ports are being scanned over and over again.

    Regards,

    Pieter
     
  3. snowy

    snowy Guest

    YIKES!! I have the very same ports being hammered!!
    Plus.. what looks like the same sub-range......
    I've disabled the ports you listed......... and have a very sneaky feeling what port scanner is being used. Although my computer won't accept a connection to the sub-range... it's blocked... nevertheless.... it will have to bypass two blocking programs.. then the firewall...... so far so good... but hard on the ye ole computer......
    So.. looks like a planned attack is taking place?


    snowman
     
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    A lot of the time, what you see in Outpost in that port range is communications from a website you have visited and left.
    When you surf to a site and take a look or whatever, and then leave, there is usually communication going on between the website and its affiliates and your computer. You leave, but all of the communications don't get properly terminated. So the website keeps trying to reply back to you until it gets a FIN/ACK or whatever.
    Well, Outpost IDS sees these as unsolicited communication requests, and in some cases scans, and logs them.
    The way I can tell the difference is, when I get a bunch like you have, I look in the DNS Cache log or properties and see if that IP has been logged as one of the sites I visit.
    Now, I know you know at least most of what I said. I don't know if you know that Outpost has a tendency to log all of that.
    Sorry if all of this is old news, but there may be some that can use the info some day. I would not be surprised if other firewalls did the same thing, at least on occasion.
    It is not unusual for some sites to keep coming at you with traffic for hours after you leave. I have seen it.
     
  5. controler

    controler Guest

    root, I understand what you are saying but I have never had that info listed in the attack logs before using Outpost.
    This is the very first time.
     
  6. controler

    controler Guest

    I am not sure it is inappropriate to post the IPs here, since they log firewall IP scans at Internet Storm anyway.
     
  7. snowy

    snowy Guest

    Decided to do a quick check on this IP <216.52.46.143>; it is the first in Cont's log post:

    Internap Network Services

    AKA: Akamai Technologies

    snowman
     
  8. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Akamai owns so much of the web for all kinds of uses, some actually legit, that's not surprising.
    Controller, you have been getting plenty of entries in the log all along, haven't you? Lots of UDP 137 and background-radiation type stuff.
     
  9. controler

    controler Guest

    root, yes, these are my first hits with port 137. I was guessing they weren't picking on us Minnesotans :)
    Outpost just started adding those requests to its ATTACK LOG; it wasn't doing that before.
    Also been monitoring my RunOnceEXLog.Txt file.
     
  10. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Another telltale sign that it may be this type of late (legitimate) traffic being blocked is to look at the source port. If you see source ports for common services you would be using at that time, like HTTP (80), DNS (53), etc., affiliated with those entries, they are likely just packets arriving late and being dropped.

    I did not notice source ports in the logs; does Outpost not provide this information in the log viewer?
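    A small triage script for this kind of log, as an added example (mine, not the thread's or Outpost's): it parses lines in the attack-log layout controler posted, groups hits by remote IP, measures how regularly a port is retried, and applies the rules of thumb from root's and CrazyM's posts. The sample lines are constructed from that layout, and the verdict labels are my own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the attack-log layout quoted earlier in the thread (not the full log).
SAMPLE_LOG = """\
11/9/2002 1:41:10 PM   Port scanned   216.52.46.143   TCP(1954) TCP(1956) TCP(1955) TCP(1287) TCP(1352) TCP(1307)
11/9/2002 1:40:29 PM   Connection request   216.52.46.143   TCP(1287)
11/9/2002 1:38:29 PM   Connection request   216.52.46.143   TCP(1287)
11/9/2002 1:36:29 PM   Connection request   216.52.46.143   TCP(1287)
11/9/2002 1:30:59 PM   Connection request   195.101.191.68   UDP(137)
11/9/2002 1:09:55 PM   Connection request   217.65.231.179   TCP(1433)
11/9/2002 1:07:20 PM   Connection request   63.25.190.16   UDP(137)
"""
LINE_RE = re.compile(r"^(\S+ \S+ [AP]M)\s{2,}(.+?)\s{2,}(\d+(?:\.\d+){3})\s{2,}(.+)$")
PORT_RE = re.compile(r"(TCP|UDP)\((\d+)\)")

def hits_by_ip(text):
    """Map each remote IP to its [(timestamp, proto, port), ...] hits."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an attack-log entry
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        for proto, port in PORT_RE.findall(m.group(4)):
            by_ip[m.group(3)].append((ts, proto, int(port)))
    return by_ip

def retry_gaps(hits, proto, port):
    """Seconds between successive hits on one port from one IP, oldest first."""
    times = sorted(ts for ts, p, n in hits if (p, n) == (proto, port))
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def triage(text):
    """Label each remote IP using the heuristics discussed in the thread (labels assumed)."""
    verdicts = {}
    for ip, hits in hits_by_ip(text).items():
        ports = {(proto, port) for _, proto, port in hits}
        if ports == {("UDP", 137)}:
            verdicts[ip] = "netbios-noise"  # NetBIOS name-service background radiation
        elif ports == {("TCP", 1433)}:
            verdicts[ip] = "mssql-probe"  # lone probe of the MS SQL Server port
        elif len(hits) >= 3 and all(port > 1023 for _, port in ports):
            # Same high (client-side) ports hit repeatedly: likely a recently visited host still replying
            verdicts[ip] = "possible-stale-session"
        else:
            verdicts[ip] = "unclassified"
    return verdicts
```

    A steady two-minute retry gap on the same high ports, as in the sample, fits root's stale-session explanation; checking the IP against the DNS cache, or the source port (80, 53) once Outpost logs it, confirms it.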
     
  11. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Hey Crazy, no, this version does not log that information in the attack detection module. Perhaps the next version will.
    I think the initial design philosophy of Outpost was to do the job quietly and efficiently, without a lot of bells and whistles in certain key areas. The designers deliberately left out trace back/get even type logging. I'm not sure why remote port was left out of this log. The information is available in the debug module, which is an extended logging set of files.
    Controller, I wonder why you have not been getting some logging there all along. I assume you have run scans to ensure protection.
    Let me know if you want to dig into this some more. I'm outta here for the time being, though.
     
  12. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hopefully it is something they do include in the next version. Having full details in the logs (including remote addr/port, local addr/port) goes a long way in determining what you may be seeing. I'm sure it is something you and other users here will follow up on ;).

    As for leaving out things like back trace features, I agree. Not something most users should or need to be doing.
     
  13. controler

    controler Guest

    I for one would still like to see better logging in Outpost.
    root? I wasn't aware of the extra logging files. Where can I get those?
    I was trying out KAV's firewall on my new install of Win ME on another desktop, but I have been having some conflicts with that.
    When all these new releases of firewalls and AVs come out, I am not going to know what to do :D
    Has anyone heard if Outpost has released their 2.0 beta yet?

    Thanks :)
     
  14. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    No, version 2 beta has not been released yet.
    The extended logging is available in the debug module. It was built to aid in debugging, obviously, but it shows more info than the regular logs, so it can be handy.
    The link is on this page.
     