Does anything in this log look strange?

Discussion in 'LnS English Forum' started by MrGump, Sep 11, 2011.

Thread Status:
Not open for further replies.
  1. MrGump

    MrGump Registered Member

    Joined:
    Sep 5, 2009
    Posts:
    394
    I was hoping someone would take a quick look at the screen grab and let me know if anything looks strange. I can't say I'm experiencing any trouble that I know of, but the moment I connected to the net the log filled up pretty quickly. Thanks *puppy*
     

    Attached Files:

    • aa.PNG
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Please e-mail me the installed Ruleset file, I want to take a look at something.
     
  3. Escalader

    Escalader Registered Member

    Joined:
    Dec 12, 2005
    Posts:
    3,710
    Location:
    Land of the Mooses
    These 192.xxx.yyy.zzz's all look like router communications to me.
     
  4. ruinebabine

    ruinebabine Registered Member

    Joined:
    Aug 6, 2007
    Posts:
    1,097
    Location:
    QC
    My logging seems to look very similar to yours (using most recent Phantom's ruleset).
     
  5. Phant0m

    Those NetBIOS packets can be silently blocked, .. it's the UDP: SPF NTP-Rsp rule that has me curious...

    There are the two NTP rules, UDP: SPF NTP-Req & UDP: SPF NTP-Rsp, both set to log; we shouldn’t be seeing NTP rules triggering on those types of packets unless something wasn’t right.
     
  6. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,272
    MrGump had a screen shot with NTP rules in strange context. In case this helps but is old info:
    NTP- entries I saw under P-rules 008.2. I run WinXP. I'm not even sure what my rules were when those NTP- entries occurred, possibly network shares not yet/not correctly set up. And at that time I had DHCP issues which Phant0m subsequently changed.

    (1) On my LAN .56 and .57 were the printer, .63 was another computer. Might have been some timing issues as well.
    06-23-11,10:46:06 U-8 'Block : All other packet' 192.168.54.255 UDP Ports Dest:netbios-dgm Src:netbios-dgm
    06-23-11,10:47:05 U-9 'Block : All other packet' 192.168.54.255 UDP Ports Dest:netbios-dgm Src:netbios-dgm
    06-23-11,10:50:41 D+10 'UDP: SPF NTP-Rsp ' 192.168.54.56 UDP Ports Dest:netbios-dgm Src:netbios-dgm - see screen shot with details below
    06-23-11,10:51:06 U-11 'Block : All other packet' 192.168.54.255 UDP Ports Dest:netbios-dgm Src:netbios-dgm
    06-23-11,10:55:06 U-12 'Block : All other packet' 192.168.54.255 UDP Ports Dest:netbios-dgm Src:netbios-dgm

    07-26-11,09:50:24 D+0 'UDP: SPF NTP-Rsp ' 0.0.0.0 UDP Ports Dest:67 Src:68
    07-26-11,09:50:56 U-1 'Block : All other packet' 192.168.54.57 UDP Ports Dest:8611 Src:1075
    07-26-11,09:51:24 U-2 'Block : All other packet' 255.255.255.255 UDP Ports Dest:8611 Src:1080
    07-26-11,09:51:24 U-3 'Block : All other packet' 255.255.255.255 UDP Ports Dest:8611 Src:1080
    07-26-11,09:52:43 D+4 'UDP: SPF NTP-Rsp ' 192.168.54.57 UDP Ports Dest:1092 Src:8611
    07-26-11,09:53:12 U-5 'Block : All other packet' 255.255.255.255 UDP Ports Dest:8611 Src:1096
    07-26-11,09:53:12 U-6 'Block : All other packet' 255.255.255.255 UDP Ports Dest:8611 Src:1096

    07-28-11,13:41:02,UTC,D,1,0,'UDP: SPF NTP-Rsp',0800,142,0.0.0.0,255.255.255.255,17,68,67
    07-28-11,13:41:02,UTC,D,1,1,'UDP: SPF NTP-Rsp',0800,142,0.0.0.0,255.255.255.255,17,68,67
    07-28-11,13:52:24,UTC,D,1,2,'UDP: SPF NTP-Rsp',0800,142,0.0.0.0,255.255.255.255,17,68,67
    07-28-11,13:52:24,UTC,D,1,3,'UDP: SPF NTP-Rsp',0800,142,0.0.0.0,255.255.255.255,17,68,67
    07-28-11,14:02:04,UTC,U,1,4,'ICMP: SPF Echo-Req',0800,74,192.168.54.60,192.168.54.63,1,8,0
    07-28-11,14:02:04,UTC,D,1,5,'ICMP: SPF Tracert-Rsp2',0800,74,192.168.54.63,192.168.54.60,1,0,0

    (2) Direct connection - no routers, no LAN. These were also under 008.2. Not LAN. They seem to be related to outbound destination unreachable to all these random packets floating about. I haven't run direct connection since
    07-26-11,17:01:15 D-1021 '-TCP: Block Incoming con' 125.19.69.2 TCP Ports Dest:43539 Src:55867
    07-26-11,17:01:17 U-1022 'Block : All other packet' 173.252.39.184 ICMP Type:3 Code:3
    07-26-11,17:01:17 D+1023 'UDP: SPF NTP-Rsp ' 173.252.39.184 UDP Ports Dest:43539 Src:38141
    07-26-11,17:01:21 D-1024 '-TCP: Block Incoming con' 125.19.69.2 TCP Ports Dest:43539 Src:55867
    07-26-11,17:01:24 D-1025 '-TCP: Block Incoming con' 187.65.17.104 TCP Ports Dest:43539 Src:32797
    07-26-11,17:01:25 D+1026 'UDP: SPF NTP-Rsp ' 78.8.20.62 UDP Ports Dest:43539 Src:26574
    07-26-11,17:01:25 U-1027 'Block : All other packet' 78.8.20.62 ICMP Type:3 Code:3
    07-26-11,17:01:27 D-1028 '-TCP: Block Incoming con' 187.65.17.104 TCP Ports Dest:43539 Src:32797
    07-26-11,17:01:28 D+1029 'UDP: SPF NTP-Rsp ' 84.35.239.50 UDP Ports Dest:43539 Src:26645
    07-26-11,17:01:28 U-1030 'Block : All other packet' 84.35.239.50 ICMP Type:3 Code:3
    07-26-11,17:01:33 D-1031 '-TCP: Block Incoming con' 187.65.17.104 TCP Ports Dest:43539 Src:32797
    07-26-11,17:01:52 D+1032 'UDP: SPF NTP-Rsp ' 94.108.223.110 UDP Ports Dest:43539 Src:52051

    Pic08.png
     
  7. Phant0m

    E-mail me the ruleset file, I'll take a look at it.
     
  8. act8192

    Phant0m,
    If you're addressing me - stuff's too old here and mostly gone. I only have rules from 6/28 and 7/28 and no idea if they would correspond to the log segments I posted. One thing I'm sure of - at that time the Networking flag was not enabled in the .ini file and I had to allow IngressFilter_Pnet by editing your rule. And I recall having to import from the LnS site file-sharing rules which aren't needed at all when your rules are properly set up :)
     
  9. Phant0m

    Send all of them, ... we shouldn’t be seeing ‘UDP: SPF NTP-Rsp’ without also seeing ‘UDP: SPF NTP-Req’ packet loggings.

    ‘UDP: SPF NTP-Rsp’ should be SPF configured. Without SPF configured, it’s a simple rule to allow packets based on Ethernet type and IP protocol, so in the simple state it’ll trigger for any UDP packet. With SPF configured on that rule, only the corresponding responses to NTP requests are permitted .. matching IP addresses and ports, ... this is how it’s supposed to work.
     
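As an added illustration (not Look 'n' Stop's code and not part of Phant0m's ruleset), the following Python models the two states of the response rule described in the post above: the simple state matches any inbound UDP packet, while the SPF (pseudo-stateful) state only admits a reply whose addresses and ports mirror an outbound request to port 123 recorded by the paired request rule. The Packet fields, the NtpRspRule class and the sample packets are assumptions, modelled on the entries quoted in this thread.

```python
from dataclasses import dataclass

NTP_PORT = 123
UDP = 17  # IP protocol number, as in the '17' column of the CSV log lines


@dataclass(frozen=True)
class Packet:
    direction: str  # 'U' outbound / 'D' inbound, as in the log's U/D column
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int


class NtpRspRule:
    """Hypothetical model of 'UDP: SPF NTP-Rsp' with or without SPF configured."""

    def __init__(self, spf: bool):
        self.spf = spf
        self.pending = set()  # (local_ip, local_port, server_ip) from NTP-Req hits

    def note_request(self, p: Packet) -> None:
        # The paired 'UDP: SPF NTP-Req' rule records each outbound request to port 123.
        if p.direction == 'U' and p.proto == UDP and p.dst_port == NTP_PORT:
            self.pending.add((p.src_ip, p.src_port, p.dst_ip))

    def matches(self, p: Packet) -> bool:
        if p.direction != 'D' or p.proto != UDP:
            return False
        if not self.spf:
            return True  # simple state: Ethernet type + IP protocol only, so any UDP
        key = (p.dst_ip, p.dst_port, p.src_ip)  # reply must mirror a pending request
        if p.src_port == NTP_PORT and key in self.pending:
            self.pending.discard(key)
            return True
        return False


# Constructed samples shaped like the thread's log entries (DHCP 68->67, netbios-dgm
# 138->138, a genuine request/reply pair, and an unsolicited packet from port 123).
SAMPLES = [
    ("dhcp discover", Packet('D', '0.0.0.0', '255.255.255.255', UDP, 68, 67)),
    ("netbios-dgm", Packet('D', '192.168.54.56', '192.168.54.255', UDP, 138, 138)),
    ("ntp request", Packet('U', '192.168.54.60', '203.0.113.10', UDP, 50123, 123)),
    ("ntp response", Packet('D', '203.0.113.10', '192.168.54.60', UDP, 123, 50123)),
    ("stray udp from 123", Packet('D', '198.51.100.7', '192.168.54.60', UDP, 123, 50123)),
]


def fired(spf: bool) -> list:
    """Return the sample names that would appear as 'UDP: SPF NTP-Rsp' log hits."""
    rule, hits = NtpRspRule(spf), []
    for name, p in SAMPLES:
        rule.note_request(p)
        if rule.matches(p):
            hits.append(name)
    return hits
```

In the simple state the DHCP and NetBIOS broadcasts fire the rule exactly as in the quoted logs; with SPF only the reply paired to the recorded request does.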
  10. MrGump

    done :)
     
  11. Phant0m

    Thanks!

    Were those 'UDP: SPF NTP-Rsp' entries observed after adding, deleting or modifying the rules?

    If you restart the computer and come back, without any changes to the ruleset, do you still observe 'UDP: SPF NTP-Rsp' logging?
     
  12. act8192

    I think that's exactly what was going on then, I even wrote myself a sticky note to that effect then and couldn't understand why NTP was triggered.
    Few .rls files in email. Phant0m, you're talking to a complete idiot. I don't even think I had SPF set in advanced in those times. Not only that, it's possible I edited that rule without having the raw rules checked. I know the rule is for ports 123 local and remote, but was it like that two months ago? By now I can think of a thousand possible errors I made.
    If I'm right about the sins I committed, it might be a suggestion that the Phantom installer remind us, all in one place, to do this and that <list> ... in the firewall GUI.
    Reminder - this was all under 008.2.
     
  13. MrGump

    I cleared all logs then restarted my pc and launched FireFox, attached is all the logs created. Hope this is what you wanted *puppy*
     

    Attached Files:

    • bb.PNG
  14. act8192

    MrGump,
    1. Did you set the Networking flag in the .ini file and tell it your IP range on the LAN?
    2. Could you, please, not make full screen screen grabs so that we can read them without having to go out to buy new glasses? :)
     
  15. MrGump

    1.) No, I didn't. I installed LnS then ran Phant0m's Deluxe tool which installed the Phant0m rule-set and that's it.

    2.) I think you can click the image twice and it will become larger :argh: works for me
     
  16. Phant0m

    Not what I was talking about, these advanced rules will work regardless of whether you are using Look ‘n’ Stop Advanced Mode or not, but I am talking about pseudo-stateful rule creation support for connectionless protocols.

    I’ve checked MrGump's NTP SPF rules, and I checked the NTP SPF rules in all your backup copies; the NTP SPF rules all look good. To me, this seems like something funky with Look ‘n’ Stop and should be reported to Frederic.

    I’m going to see if I can reproduce you guys' experiences, and take it from there. So for now simply disable the two NTP SPF rules.
     
  17. MrGump

    disabled:


    UDP:SPF NTP-Req---- network time protocol

    &

    UDP:SPF NTP-Rsp---- ''''

    I disabled them by clicking the green box with a check mark and removing it. Hope that was right, I did not see a disable button anywhere *puppy*

    ty Phant0m
     
  18. Phant0m

    The frustrating thing about this anomaly: I’ve never experienced it, and I’m not able to reproduce it on either computer!
     
  19. Phant0m

    If you disable the Req rule, does the Rsp rule still trigger?
     
  20. MrGump

    Is there anything I can tell you about my setup that might help?

    I use a dual band 2.4 and 5 GHz wifi router and a DOCSIS 3 modem. Netgear WNDR 3700

    Windows 7 Ultimate 64 bits

    The rule has not triggered yet since removing them both.

    Thank you for your continued help, Phant0m
     
  21. Phant0m

    I wish it was that easy, I think only Frederic can help you now... I would contact Frederic, but the e-mail service Fred uses doesn’t like my e-mails.

    You could try exporting those NTP rules and deleting the current ones, and import them back in and leaving them on top of the ruleset and see if the response rule still triggers the same.
     
  22. MrGump

    Has disabling those two rules put me at any risk? :eek:
     
  23. Phant0m

    lol, no.
     
  24. Phant0m

    You could view the 'UDP: SPF NTP-Rsp' rule using the official Raw Edition plugin, compare your fields with mine, and see if Look 'n' Stop is loading this rule's settings correctly.
     
  25. MrGump

    I'll try that, can I find that plugin on your site?
     