I'm getting all these pings =( help a newbie

Discussion in 'other firewalls' started by Mr.Blaze, Aug 27, 2003.

Thread Status:
Not open for further replies.
  1. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :'( I'm getting all these pings and they are filling up my ZAP logs... Is there any way to stop logging just those? I don't want to stop all logging, just all these pings??

    It sucks, I get an alert in my log every second, it's insane.
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Blaze

    Which version of ZA are you using?
    I believe the latest Pro and Plus versions allow for expert rules where you may be able to create a block rule with no logging.

    Regards,

    CrazyM
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Hi Blaze,

    Yeah, this new worm is a real killer!! :eek: :mad:

    I've posted here a couple times that I like to leave my firewall logging everything just so I can see the same trends that people are talking about whenever something like the Blaster worm hits. (Of course, I have "alerting" turned off, so I don't get a popup for every event - that would be horrible for even a few dozen events, never mind the hundreds or thousands we're all getting now.)

    For people running ZAP (or ZA+) 4.0, they have the ability to use an expert rule to block the new worm related events without logging or alerting on them. But, every other type of blocked event will still be logged. It's the best of both worlds. :)

    To block the effects of these worms without logging them, you need to add an Expert Rule in ZAP 4.0... Open the ZAP user interface (from the systray) > select the Firewall panel > select the Expert tab...

    In the lower right of that page, press the "Add" button to create a new rule. (If you haven't used this section before, you may have to play with it a bit to get comfortable.)

    In the Add Rule screen, you'll want to fill it out so that it looks like this:

    [IMG]

    Notice every field...

    Rank - is the number of the rule. (Since ZAP isn't a rule based firewall, most users won't have any expert rules yet. Note that the order rules get executed can be critical when the scope of one also includes what is covered by a rule with a narrower scope. But, we won't get into all that here. Making this rule #1 is the easiest way to handle it unless you have other rules covering 135/tcp or inbound pings.)

    Name - is a very short name for the rule. Pick any you want.

    Comments - is any text you want to explain the rule or leave it empty.

    State - is where you turn on/off a rule. Use the pull-down menu and tell ZAP this rule is to be "Enabled".

    Action - is where you either choose to allow or block something. You want to "Block" all the stuff you'll be describing in the rule below.

    Track - is where either alerting and/or logging is selected. Since the whole point of making this rule is to not do any alerting or logging, pick "None".

    The rule itself is worked out in the 4 boxes at the bottom of the screen...

    Source - Well, it's packets coming in from the Internet, so, hit the "Modify" button > go to "Add Location" and choose "Internet Zone". (This will replace the "Any" value that was there when you first brought the screen up.)

    Destination - Since you are blocking incoming packets, the "destination" is your computer, so hit "Modify" > "Add Location" > and choose "My Computer".

    Okay, we're almost done. The next box is the hardest since you have a second screen to fill out for each type of packet you'll be blocking...

    Protocol - The worm we're all fighting has two types of probes. Pings and incoming TCP port 135 hits. You need to add each of these separately... Hit "Modify" > "Add Protocol" > "Add Protocol"...

    Make the first protocol, the TCP port 135 block, look like this:

    [IMG]

    Hit OK. Now, on Protocol again, hit "Modify" > "Add Protocol" > "Add Protocol" again and make the PING (ICMP) block rule look like this:

    [IMG]

    Hit OK.

    The last box (Time) should just be left at Any, so this rule will be active all the time.

    Hit OK on this "Add Rule" screen to close it. This brings you back to the ZAP Firewall > Expert rule screen, hit the "Apply" button that is below and to the right of the Add button.

    Done. The rule is now active.

    This will simply block (stealth) all TCP port 135 and Pings coming in to your system from the Internet Zone. (That is important. I used the Internet Zone as the Source for these hits. This rule will not apply to Pings coming in from the Trusted Zone, so if you need Pings from your ISP or sites or games, enter their address in the trusted zone and this rule won't block them.)

    If you want, you can edit the rule and set it to "Disabled" at any point, just to see if the Pings are still happening. But for me, I must say I've had it enabled for a couple weeks now and truly - Silence is Golden. :D

    Edit: Oh, and here is the one-liner summary that should be visible on the expert rules page when the rule is active:

    [IMG]
     
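    The same filter LowWaterMark's expert rule expresses (inbound from the Internet Zone, ICMP echo request or TCP/135, Trusted Zone exempt), applied offline to firewall log lines, as an added example that is not from the thread or from Zone Labs. The comma-separated log layout, the sample lines and the trusted network are constructed assumptions, not the real ZoneAlarm format.

```python
from ipaddress import ip_address, ip_network

# Constructed sample lines in an assumed ZoneAlarm-style CSV layout:
# direction,date,time,source:port,destination:port,protocol
SAMPLE_LOG = """\
FWIN,2003/08/27,10:15:01,198.51.100.7:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/08/27,10:15:02,198.51.100.8:2301,192.0.2.10:135,TCP (flags:S)
FWIN,2003/08/27,10:15:03,203.0.113.44:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/08/27,10:15:04,192.168.1.5:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/08/27,10:15:05,203.0.113.9:4411,192.0.2.10:80,TCP (flags:S)
FWOUT,2003/08/27,10:15:06,192.0.2.10:0,198.51.100.7:0,ICMP (type:8/subtype:0)
"""

# Stand-in for the Trusted Zone (assumed network): the rule's Source is
# "Internet Zone", so hosts here are exempt, matching the caveat in the post.
TRUSTED_ZONE = [ip_network("192.168.1.0/24")]


def is_trusted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_ZONE)


def is_worm_noise(fields):
    """True when a line matches the rule: inbound, Internet-zone source,
    and either an ICMP echo request (type 8) or TCP to destination port 135."""
    direction, src, dst, proto = fields[0], fields[3], fields[4], fields[5]
    if direction != "FWIN" or is_trusted(src.rsplit(":", 1)[0]):
        return False
    if proto.startswith("ICMP") and "type:8/" in proto:
        return True
    return proto.startswith("TCP") and dst.rsplit(":", 1)[1] == "135"


def filter_log(text):
    """Return (lines kept for review, suppressed worm hits counted per source IP)."""
    kept, suppressed = [], {}
    for line in text.splitlines():
        fields = line.split(",")
        if len(fields) < 6:
            continue  # skip malformed lines rather than misclassify them
        if is_worm_noise(fields):
            src_ip = fields[3].rsplit(":", 1)[0]
            suppressed[src_ip] = suppressed.get(src_ip, 0) + 1
        else:
            kept.append(line)
    return kept, suppressed
```

    Unlike the Track = "None" rule, this keeps a per-source count of what was dropped, so the worm traffic can still be summarised (for example for a DShield-style report) without flooding the log.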
  4. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Correct, it's the Welchia, Blaster-D or Nachi worm (it's the worm that tries to repair the Blaster infection and in doing so floods the networks with pings). My Snort IDS identifies these connection requests as CyberKit 2.2 Windows attacks.
     
  5. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :D Thank you LowWaterMark, that worked like a charm.

    Thx guys for your input as well.

    This will help a lot of newbies wondering if they're being hacked because of the hundreds of alerts from this nasty worm attack.

    So if you're a newbie and have ZoneAlarm Pro,

    you need to do the above, otherwise you will think you're being hacked every second of the day when it's just a worm going around attacking everything in sight.
     
  6. libbo1

    libbo1 Registered Member

    Joined:
    May 28, 2003
    Posts:
    123
    Location:
    florida
    And I'm running ZA free. Don't have no fancy settings. :oops: So I just muted the hits!!!! Log em in and send them to dShield once a day. (Wonder if that does any good!!??)

    I envy you 'high cotton' dudes with all them fancy settings. I guess ima gettin my moneys worth though!!!! :p
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    LOL. :D

    There's nothing wrong with the way you are doing it. Stopping the alerts is the next best thing to something like the above. And it's great that you upload your alerts to DShield, I do that also, though obviously since I've stopped logging these specific ones, I'm no longer sending those in.

    In the case of this worm though, and the 150K infected systems, (that being the last number I heard, I'm not sure if it's a lot more now), I don't think DShield or others like myNetWatchman can have much of an effect on this.

    The ISPs all know the signature of infected systems and they could, if they wanted, identify the systems on their networks sending out continuous pings or TCP port 135 connection attempts. In truth, I don't think they really need reporting groups to tell them that they have a massive number of infected systems on their hands. But, it certainly can't hurt.
     
  8. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Thanks LWM for the easy clear instructions. I saw your comments to the DSLR thread and came here to get the scoop. Thanks again, the dang pings have been driving me nuts. I will delete my ZoneLog Analyzer database {currently saturated with ten to fifteen thousand records, mostly pings} and start fresh after creating this rule. Warmly, Ran
     
  9. wmccona

    wmccona Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    1
    Location:
    Deptford, NJ
    Thanks a lot LowWaterMark.

    I recently upgraded to ZAP 4.0 after having used ZAF for the last couple of years, and your instructions were just what I was looking for to stop logging all those pings.

    Keep up the great work,
    Regards, Bill
     
  10. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :D Yup, thx LowWaterMark, great stuff.
     
  11. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Hmm...... do I dare ask how to write a rule for the same issue when using SPF Pro :rolleyes:
     
  12. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Rainwalker

    Could you create a similar rule in the Advanced Rules of Sygate?

    Regards,

    CrazyM
     
  13. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Pieter

    Thanks for the screenshots from Sygate.
    For your ICMP echo request example, should the direction not be just for inbound? That particular rule would likely not allow you to ping others - depending on your other Advanced rules and their priority.

    Regards,

    CrazyM
     
  15. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi CrazyM,

    You can count on me to make errors like that. :oops:
    Yes, it does. If you want it to block only incoming, you can choose "Incoming" on the "Ports and Protocols" tab under "Traffic Direction".
    I guess this way nobody would ever find out if I was infected with that worm? :p

    Regards,

    Pieter
     
  16. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Pieter, CrazyM,
    Thank you, thank you :)
     
  17. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Oops..... I applied the SPF rule and nothing changed. Still in ping city. o_O By the way, for a while now whenever I drag 'n' drop a smiley to this post and others I always get two instead of just the one....... browser issue o_O

    o_O
     
  18. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi Rainwalker,

    You didn't put a checkmark in "Record this traffic in Packet Log"?
    And can you check in the Traffic Log if the pings are being blocked by this rule and not by any other rule higher in the hierarchy?

    Regards,

    Pieter
     
  19. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    Thanks Pieter........ Rule is on top... box unchecked... my mistake.... I was thinking about the Traffic Log and hoping to stop recording there.. Packet block is working....... any way to stop logging of ICMP pings in Traffic Log? :doubt:
     
  20. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    I don't think so.

    Traffic Log

    Simply put, this log logs all inbound and outbound traffic in detail that comes through your system/network.

    Quote from:
    http://bellsouthpwp.net/i/k/ikpe/SygateBasicsPt2.html#Logs
    Emphasis on "all" by me.

    But I'm not 100% sure about this.
    You could try the mail-link at the bottom of that site and see if King knows of a way to do what you want.
    Or try at the Sygate forums.

    Regards,

    Pieter
     
  21. Rainwalker

    Rainwalker Registered Member

    Joined:
    May 18, 2003
    Posts:
    2,106
    Location:
    USA
    OK... again Pieter thank you for your time and assistance.
     
  22. museheart

    museheart Registered Member

    Joined:
    Jan 3, 2003
    Posts:
    87
    Location:
    USA
    Excuse me but that is the cutest avatar I have ever seen!

    Now, I just have ZA regular. I have been getting all kinds of pings also...for weeks.

    I have Norton Anti Virus, Boclean and I was thinking about getting Norton Firewall or perhaps their whole security package.

    Does anyone have an opinion about Firewalls?
     
  23. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi museheart

    If that combo along with ZA works for you, no need to change unless you were wanting to try NPF/NIS specifically.

    That's a pretty broad question for this forum ;). Anything in particular you were after? (Perhaps in a post of its own to keep this one from going off topic.)

    Regards,

    CrazyM
     
  24. museheart

    museheart Registered Member

    Joined:
    Jan 3, 2003
    Posts:
    87
    Location:
    USA
    Actually, I am not that crazy about Norton or ZA.
     
  25. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    :D Bump, looks like some new newbies need help, there should be a sticky on this.
     