Legit Attacks or Noise?

Discussion in 'other firewalls' started by FireDancer, Aug 14, 2003.

Thread Status:
Not open for further replies.
  1. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Hi All,

    I am still in learning mode and I am now trying to learn to decipher logs. I am still new to my firewall and all of its
    components.. but coming along nicely with the help of others.

    I received these logs last night and want to know if they are just noise from the internet or legitimate attacks..
    Any advice would be greatly appreciated. Here is a snippet of what started last night at around 10 pm my time and ended around 2 am.

    Regards,
    FireDancer
     

  2. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    Go into your firewall administration, advanced, misc tab, and uncheck 'log suspicious packets' as it mostly logs garbage; the logs are mostly useless as they are just timed-out packets that arrived after the service stopped listening. Personally I can't even believe they used the word attack when it's used completely out of context.

    The block lower ports rule is a rule you made, other than that everything is fine.

    If the packets were not inspected there is no way to know their true intent, so they are merely probes when blocked.
     
  3. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi FireDancer

    Short answer, noise and nothing to worry about.

    As BlitzenZeus suggested, most of those entries for "TCP ack packet attack" will just be packets arriving late. In your log sample, the remote service 80/http (came from the service/port used by web servers) and local service 1914/ephemeral port (ports in this range 1024-5000 are used by your system as part of an active outbound connection) indicate this. If you leave the "log suspicious packets" enabled, your logs will fill up quickly with these types of entries.

    The blocked outbound netbios is not unusual either. When you visit some web sites they will make a call to netbios. In this case your rules did not permit this and blocked it. This is good and as it should be.

    Going to that same site in your logs (Windows update) I will get the same entry in my firewall log:
    2003/08/14, 10:07:00.834, GMT -0700, 2011, Device 2, Blocked outgoing UDP packet (no matching rule), src=192.168.1.5, dst=207.46.134.93, sport=137, dport=137

    Regards,

    CrazyM
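    The triage rules CrazyM and BlitzenZeus apply by eye, as an added example that is not part of the original thread: a small parser for the log line format quoted above, plus a classifier that flags late "ack packet" entries landing on a local ephemeral port (1024-5000) as noise and outbound UDP 137 as an expected, blocked NetBIOS call. The sample lines are constructed; the "TCP ack packet attack" line borrows the quoted field layout and its wording is assumed, not copied from the firewall.

```python
import re
from dataclasses import dataclass

# Field layout follows the one log line quoted in the thread:
# date, time, tz, id, device, description, src=, dst=, sport=, dport=
LINE_RE = re.compile(
    r"^(?P<date>\S+), (?P<time>\S+), (?P<tz>GMT [+-]\d{4}), (?P<id>\d+), "
    r"(?P<device>[^,]+), (?P<desc>[^,]+), src=(?P<src>[\d.]+), dst=(?P<dst>[\d.]+), "
    r"sport=(?P<sport>\d+), dport=(?P<dport>\d+)$"
)

# Local port range the thread describes as used for active outbound connections.
EPHEMERAL = range(1024, 5001)

@dataclass
class Entry:
    desc: str
    proto: str
    direction: str
    src: str
    dst: str
    sport: int
    dport: int

def parse(line):
    """Return an Entry for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    desc = m["desc"]
    proto = "TCP" if "TCP" in desc else "UDP" if "UDP" in desc else "?"
    direction = "in" if "incoming" in desc else "out" if "outgoing" in desc else "?"
    return Entry(desc, proto, direction, m["src"], m["dst"], int(m["sport"]), int(m["dport"]))

def triage(e):
    """Apply the thread's two benign patterns; anything else is left for manual review."""
    # Late ACK from a well-known remote service port to a local ephemeral port:
    # the leftover of an outbound connection the system has already closed.
    if e.direction == "in" and e.proto == "TCP" and "ack packet" in e.desc.lower() \
            and e.sport < 1024 and e.dport in EPHEMERAL:
        return "noise: late packet for a finished outbound connection"
    # Web sites can trigger a NetBIOS name lookup; the rule set is meant to block it.
    if e.direction == "out" and e.proto == "UDP" and e.sport == 137 and e.dport == 137:
        return "expected: outbound NetBIOS lookup, blocked by rule"
    return "review: does not match a known benign pattern"

# Constructed sample: the quoted Windows Update line plus an assumed ack-packet line.
SAMPLE = [
    "2003/08/14, 10:07:00.834, GMT -0700, 2011, Device 2, Blocked outgoing UDP packet (no matching rule), src=192.168.1.5, dst=207.46.134.93, sport=137, dport=137",
    "2003/08/13, 22:14:05.120, GMT -0700, 2011, Device 2, Blocked incoming TCP packet (TCP ack packet attack), src=207.46.134.93, dst=192.168.1.5, sport=80, dport=1914",
]

def triage_lines(lines):
    """Return (description, verdict) for every parsable line."""
    return [(e.desc, triage(e)) for e in map(parse, lines) if e is not None]
```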
     
  4. FireDancer

    FireDancer Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    316
    Blitz & CrazyM,

    Thanks so much for all your help!!! I am feeling a bit more confident in my rules and making them. Still a lot to learn and it can be kind of a slow process at times but well worth it.

    Very Best Regards,
    FireDancer
     