Have been getting lots of weird firewall entries

Discussion in 'ESET Smart Security v3 Beta Forum' started by mvdu, Jun 29, 2007.

Thread Status:
Not open for further replies.
  1. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Many incorrect IP packet checksum log entries and a couple of supposed ARP Cache Poisoning Attacks. But the only info it gives on all of these entries is "0," which is between columns. I'm behind a router, and only my family has access to my small home network. So how could this be?

    I'm on a 32 bit Vista System.
     
  2. mvdu

    One note: the entries stopped when my mom turned off the downstairs computer. So it looks like false positives?
     
  3. mvdu

    Update: seems I needed to allow svchost.exe in for the trusted zone. But why would those weird entries appear otherwise?
     
  4. Chappy

    Chappy Registered Member

    Joined:
    May 1, 2007
    Posts:
    69
    Interesting..

    I wonder why it would log Incorrect Checksum for a network ping, which is what I think was happening with svchost.
    Too bad we don't have some packet info to analyze, that would help, and I think the ARP Cache poisoning was probably a legit outside attack mixed in, or can you reproduce that by removing svchost from trusted zone again?
     
  5. mvdu

    I'll try removing it. I allowed svchost to connect in ONLY for the trusted zone and not internet. As far as I know, none of the computers has been acting strangely or has a virus.
     
  6. mvdu

    Hmm.. still getting a couple of ARP poisoning alerts with svchost allowed to connect into the trusted zone. But the incorrect checksum alerts stopped. I still think this looks harmless, but I wish I could tell you more data.
     
  7. Chappy

    I agree, I think it's rather benign too, and either way, it's getting stopped by ESS, so... :)

    Weird though, why Incorrect Checksum for network pings? (if that's what svchost was doing, confirming network connectivity)
    What protocol were the packets in? ICMP? UDP?
     
    Last edited: Jul 1, 2007
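What an "incorrect IP packet checksum" entry is actually testing is the RFC 1071 one's-complement sum over the IPv4 header. The following is an added example, not code from this thread or from ESET: it computes and verifies that checksum over a constructed 20-byte header for an ICMP packet between two made-up LAN addresses (192.168.1.10 and 192.168.1.20 are assumptions), and shows two cases a defender should recognise when reading such alerts: a checksum field still at zero, which is what a host-side inspection point sees on an outgoing packet when the network card fills the checksum in later (checksum offload), and a header whose TTL was changed without the checksum being recomputed.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071: add 16-bit big-endian words, folding carries back in (end-around carry)."""
    if len(data) % 2:
        data += b"\x00"  # pad an odd trailing byte (IPv4 headers are 4-byte multiples anyway)
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_header_checksum(header: bytes) -> int:
    """Checksum a sender must write: computed with the checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def ipv4_header_valid(header: bytes) -> bool:
    """Receiver-side test: summing the whole header, checksum included, must give 0xFFFF."""
    if len(header) < 20:
        return False
    ihl = header[0] & 0x0F  # header length in 32-bit words
    if ihl < 5 or len(header) < ihl * 4:
        return False
    return ones_complement_sum(header[: ihl * 4]) == 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int, checksum: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (no options); checksum defaults to 0, i.e. not yet filled in."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,               # version 4, IHL 5 words
        0,                  # TOS
        20 + payload_len,   # total length
        0x1C46,             # identification (arbitrary constructed value)
        0x4000,             # flags: don't fragment, offset 0
        64,                 # TTL
        proto,              # 1 = ICMP, as for a "network ping"
        checksum,
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )


# Constructed sample: an ICMP echo (8-byte ICMP header) between two assumed LAN hosts.
UNFILLED = build_ipv4_header("192.168.1.10", "192.168.1.20", 1, 8)
CORRECT = build_ipv4_header("192.168.1.10", "192.168.1.20", 1, 8, ipv4_header_checksum(UNFILLED))
# TTL (byte 8) decremented without the checksum being recomputed: fails verification.
CORRUPTED = CORRECT[:8] + bytes([CORRECT[8] - 1]) + CORRECT[9:]

if __name__ == "__main__":
    print(f"checksum a sender must write: 0x{ipv4_header_checksum(UNFILLED):04x}")
    for name, hdr in [("unfilled (offload)", UNFILLED), ("correct", CORRECT), ("corrupted", CORRUPTED)]:
        print(f"{name:20s} valid={ipv4_header_valid(hdr)}")
```

The receiver-side check never compares against a recomputed value; it relies on the one's-complement identity that a header plus its own correct checksum sums to 0xFFFF, which is also why an all-zero checksum field reads as "incorrect" rather than as "absent".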
  8. mvdu

    The Incorrect Checksum alerts have stopped, but I continue to get TCP Reverse Desynchronization Attacks and ARP Cache Poisoning alerts.

    Here's a log of the TCP Reverse Desynchronization Attack it supposedly detects:

    6/30/2007 11:47:56 PM Detected Reverse TCP Desynchronization attack 63.240.236.50:80 my computer:52022 TCP

    I noticed that the source address has been suspect (looked it up on MyNetWatchman), but wouldn't the router stop it if real?
     
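A quick way to answer "wouldn't the router stop it if real?" from the alert itself is to look at which side holds the service port. The following is an added example, not code from this thread or from ESET: it parses alert lines of the shape quoted above (the regex is an assumption fitted to that one line, not ESET's documented format), then labels the remote address as private or Internet and reads the port pair to tell return traffic of a connection the local host opened (local ephemeral port, remote service port 80) from traffic aimed at a local service. A NAT router forwards the former because the local host initiated the conversation, so the router not blocking it is expected. The second log line is constructed for the example.

```python
import ipaddress
import re
from datetime import datetime

# Matches the one alert shape visible in the thread (assumed, not ESET's documented format):
#   <date> <time> <AM/PM> Detected <event> <remote ip>:<port> <local name>:<port> <proto>
ALERT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Detected (?P<event>.+?) "
    r"(?P<remote>\d{1,3}(?:\.\d{1,3}){3}):(?P<rport>\d+) "
    r"(?P<local>.+?):(?P<lport>\d+) "
    r"(?P<proto>[A-Za-z]+)$"
)

# Line 1 is the entry quoted in the thread; line 2 is constructed for this example.
SAMPLE_LINES = [
    "6/30/2007 11:47:56 PM Detected Reverse TCP Desynchronization attack 63.240.236.50:80 my computer:52022 TCP",
    "7/1/2007 9:05:12 AM Detected Reverse TCP Desynchronization attack 192.168.1.20:445 my computer:51234 TCP",
]


def parse_ess_alert(line: str):
    """Split one alert line into typed fields; returns None for lines of another shape."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        "event": m["event"],
        "remote_ip": m["remote"],
        "remote_port": int(m["rport"]),
        "local_host": m["local"],
        "local_port": int(m["lport"]),
        "proto": m["proto"].upper(),
    }


def classify(alert: dict) -> dict:
    """Label where the remote side sits and which side opened the conversation."""
    remote = ipaddress.ip_address(alert["remote_ip"])
    rport, lport = alert["remote_port"], alert["local_port"]
    origin = "trusted-zone (private) address" if remote.is_private else "Internet address"
    if rport < 1024 and lport >= 1024:
        # Local ephemeral port talking to a remote service port: this host started it,
        # so a NAT router forwards the replies; the packet reaching the PC is expected.
        direction = "reply traffic for a connection this host opened"
    elif lport < 1024:
        direction = "traffic aimed at a local service port"
    else:
        direction = "ambiguous (both ports above 1023)"
    return {"origin": origin, "direction": direction}


def triage(lines):
    """Parse and classify every recognised line; unrecognised lines are skipped."""
    out = []
    for line in lines:
        alert = parse_ess_alert(line)
        if alert is not None:
            out.append({**alert, **classify(alert)})
    return out


if __name__ == "__main__":
    for a in triage(SAMPLE_LINES):
        print(f"{a['time']:%Y-%m-%d %H:%M} {a['event']}: {a['remote_ip']}:{a['remote_port']} "
              f"-> {a['local_host']}:{a['local_port']} [{a['origin']}; {a['direction']}]")
```

Port-based direction is a heuristic that only holds for the single line the alert gives you; the firewall's own connection table (or a packet capture taken alongside it, as Chappy asked for) is what confirms which side sent the first packet.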
  9. mvdu

    I put Comodo on to compare with ESS. No attacks noted, but it does show some connections associated with the above entry. Could be harmless, but they are blocked nonetheless by both apps.
     