Help needed interpreting Sygate log

Discussion in 'other firewalls' started by StAnger, Nov 2, 2003.

Thread Status:
Not open for further replies.
  1. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    I recently installed Sygate 5.5 after reading about it here.
    It is doing its job very well, but I am puzzled as to what is going on. This started the first day I installed it, so I am also worried what might have happened before.

    F30003 RPC DCOM buffer overflow attempt detected
     

    Attached Files:

  2. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    What you are seeing in that message is a 'feature' that is becoming common in more and more end-user oriented software firewalls. It's starting to show up in Kerio, Sygate, NIS/NPF, and (I think) the latest versions of ZA Pro. It represents the extension of the software firewall product to also provide IDS (Intrusion Detection System) capabilities.

    Classically, firewalls simply either permitted or denied communication to a specific local port. IDSs, on the other hand, were passive monitors of the content of the incoming communication attempt. If the communication attempt had a certain recognized 'signature', then the communication would be flagged as potentially hostile in nature (and most likely logged). As matters evolved, some IDSs quit being passive and became active; i.e., they would block potentially harmful communications. In other words, IDSs were becoming more and more like firewalls, so it's not surprising that firewalls are now starting to add IDS capabilities. (For the most part, IDS capabilities weren't there in the first place because they tended to place a serious processing burden on the CPU actually inspecting the packets. Consequently, the IDS monitoring was typically done in parallel to the main communication. Well, now CPUs are getting sufficiently fast that the burden is no longer prohibitive.)

    To summarize: In your case, Sygate is blocking an unsolicited inbound communication (which it would probably do in any case), but it's also going further and telling you that the communication is potentially hostile -- and it's telling you the nature of the hostility. In a way, that's kind of neat -- as long as you don't get obsessed with poring over the logs. After all, the real purpose of a firewall is simply to protect you so that you can use the Internet safely, not to become a never-ending source of entertainment in and of itself.

    Well, that's a bit too simplistic, in retrospect. You see, IDSs can pick up some threats that would not necessarily be picked up by a traditional firewall. For example, you may visit a website (thereby requesting output from that site to your web browser). The website may be malicious in nature (or it may simply have been subverted by our buddies in the black hats). A traditional firewall would allow the response through, but an IDS-enhanced firewall would, in all probability, block the communication attempt. The problem with IDS is that it requires a 'signature' previously identified in order to function; otherwise, it's worthless. In other words, it functions in very much the same way that anti-virus software does.

    Hope that helps.
     
  3. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Thank you. It does help a bit. I have learned something about the features of my firewall. There is one more thing in there that puzzles me. Look at the IP and MAC addresses. At first all these came from one IP address corresponding with one MAC address, and I reported the attacks? to the abuse addy of his (also mine) provider.
    When other IPs joined in, I thought someone in that range was contaminating nearby computers with some virus and they were joining the strike-force. But after I saw the MAC addresses migrate from one IP to another, I didn't know what to think.
    If this comes across stupid, I apologize, but it reflects my knowledge of these matters. :)
     
  4. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    First, it's extremely difficult to analyze what was happening here from this screen-based snapshot, because a lot of information is being truncated. (And that's why I like a more detailed utility that always provides full information on the captured events.)
    Second, all of the displayed events are from what looks like a single IP subnet (unfortunately, as I type this, I can't see what that subnet is).
    Third, yes, all of the displayed events seem to involve three distinct MAC addresses which migrate from one remote IP address to another. Each 'subset' shows four events, but two distinct remote IP addresses. That looks like you're on a dial-up or dynamically assigned DSL/Cable subnet. I further note that the change in remote IP address typically occurs over an interval of about one hour.
    Consequently, I would assume that you're actually seeing three distinct machines that have been compromised on your ISP's subnet -- and that are looking for other vulnerable machines to attack.
    If you don't have the vulnerability (and I suspect you do not), there's nothing to worry about. You can, of course, notify your ISP, which can then check which subscriber was using the designated IP addresses at the time based on its own usage logs and they will then take (or fail to take) whatever corrective action they feel is necessary.
    I rather suspect that you are simply seeing compromised machines on your ISP's subnet that are looking for other vulnerable machines. In all probability, the owners of these machines have no idea of what has happened. That's why you should leave it to your ISP (or some service like www.mynetwatchman.com or www.dshield.org) to follow up on these intrusion attempts. I haven't bothered to look this particular intrusion up at www.incidents.org, so I'm uncertain as to what it might represent. But, again, this is something best handled either by your ISP or by MyNetwatchMan or DShield.
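    As an added illustration of the reasoning in this post (not code from the thread or from Sygate), the script below groups a constructed log in the shape of the columns under discussion (time, remote IP, remote MAC, message) by MAC address, so that one MAC appearing under several IPs reads as a single host on a dynamically addressed subnet, and it measures the interval between that host's address changes. The log lines and all addresses are constructed test values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the column layout discussed in the thread.
# Not the original poster's log; IPs are documentation-range test values.
SAMPLE_LOG = """\
2003-11-01 20:05:12 | 192.0.2.17  | 00-11-22-33-44-55 | F30003 RPC DCOM buffer overflow attempt detected
2003-11-01 20:05:14 | 192.0.2.17  | 00-11-22-33-44-55 | F30003 RPC DCOM buffer overflow attempt detected
2003-11-01 21:06:40 | 192.0.2.93  | 00-11-22-33-44-55 | F30003 RPC DCOM buffer overflow attempt detected
2003-11-01 21:06:41 | 192.0.2.93  | 00-11-22-33-44-55 | F30003 RPC DCOM buffer overflow attempt detected
2003-11-01 20:30:00 | 192.0.2.44  | 00-AA-BB-CC-DD-EE | F30003 RPC DCOM buffer overflow attempt detected
2003-11-01 21:31:05 | 192.0.2.120 | 00-AA-BB-CC-DD-EE | F30003 RPC DCOM buffer overflow attempt detected
2003-11-01 22:00:00 | 192.0.2.200 | 00-DE-AD-BE-EF-01 | F30003 RPC DCOM buffer overflow attempt detected
"""


def parse_log(text):
    """Parse pipe-separated log lines into (timestamp, ip, mac, message), oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac, msg = (field.strip() for field in line.split("|", 3))
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip, mac, msg))
    return sorted(events)


def hosts_by_mac(events):
    """Treat each remote MAC as one physical host and record the ordered list of
    distinct IPs it was seen under, with the time each IP was first observed."""
    hosts = defaultdict(list)  # mac -> [(first_seen, ip), ...]
    for ts, ip, mac, _ in events:
        seen = hosts[mac]
        if not seen or seen[-1][1] != ip:
            seen.append((ts, ip))
    return hosts


def lease_change_intervals(hosts):
    """Hours between successive IP changes for each MAC; an empty list means the
    MAC kept a single IP for the whole sample (no address churn observed)."""
    return {
        mac: [round((nxt[0] - cur[0]).total_seconds() / 3600, 2)
              for cur, nxt in zip(seen, seen[1:])]
        for mac, seen in hosts.items()
    }
```

    Three distinct MACs with IPs rotating roughly an hour apart is what supports reading the log as a handful of compromised hosts on a dynamically addressed subnet rather than many separate attackers.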
     
  5. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Nothing stupid about asking questions; that's what these forums are all about! In addition, who knows how many other people get to benefit from your asking this question and having answers posted :D
    I certainly learned something from Joseph's answers.
     
  6. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    Detox,

    I forgot to welcome you aboard! But thanks for the kudos.

    My overly long responses are sort of a standing joke in the various NNTP newsgroups and UBB forums. Still, you've put your finger on part of the reason for their length (other than the fact that I'm just naturally long-winded :D ). I don't write my responses solely for the original poster (OP), but also with a consideration of the 'lurkers'. It's been a while since I've checked the stats here at Wilders, but last time I did, the lurkers outnumbered registered users by two to one! These guys don't typically post, but they do read. I've always felt something of an obligation to answer the questions that don't quite get published explicitly.

    Hence, your comment about 'there are no stupid questions' is doubly apropos. Some of the best questions (and responses) that I've seen in the various security newsgroups and forums were asked by people who were obviously concerned that they might be perceived as asking stupid questions. In many instances, a short answer will satisfy the OP, but a more extended answer can be more enlightening to the lurkers. (And, besides, that's what leads the lurkers to register! :) )
     
  7. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Then your answers are exactly the kind we need ;-)

    Certainly, I don't mean to hijack the thread; but be sure to ask any question that comes to mind, StAnger and anyone else hangin' around! ;)
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    :D i am always hanging around in the firewall forum...especially if the topic involves Sygate.

    StAnger - welcome to you, and thank you for your questions, as i have learned something new from the log you posted, and Joseph's answers (thank you Joseph!). Is this the pro version of Sygate you have? i have not installed the 5.5 yet, and had no idea there was a column that showed the MAC addresses. Firewalls just get more and more interesting!

    Regards,

    snap
     
  9. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    I lurk everywhere on this board. :)
    Try to help on the rare occasions I can, and ask when I need to. Most of the times you get a good and friendly answer here.

    It's Sygate 5.5 Pro yes. By now I think that I am seeing some kind of virus spreading. That list gets longer everyday and no response from the ISP. Only an automated one that they received my mail.
    The MAC addresses are nice, but confusing in this case. o_O
     