Unsure of protocol...

Discussion in 'other firewalls' started by [30+]Darknight, May 10, 2004.

Thread Status:
Not open for further replies.
  1. [30+]Darknight

    [30+]Darknight Guest

    Hello again.

    I've been checking my firewall log and it keeps showing the same messages repeatedly. I'm not sure if this is standard checks for my firewall or if I have another problem... Could someone please decipher the messages to see if it's a problem or not??

    The messages are as follows:

    All of these fall in the Protocol section of my Zone Alarm firewall log

    TCP (flags:S)
    UDP
    ICMP (type8/subtype:0)

    And source IP's are alway different and they hit the firewall about every minute or so... any clues if this is normal or not??

    Thank you in advance..

    I hope I put this in the right forum...

    Dark
     
    [30+]Darknight, May 10, 2004
    #1
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    There are attempts to access online computers all of the time as of late more than usual. Is your firewall blocking these attempts?
     
    bigc73542, May 10, 2004
    #2
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Agreed. It sounds like you are describing a normal firewall log... that being, a long list of blocked events hitting against your firewall from a large number of external IP addresses, spread across the normal protocols that ZA protects you from. You will see a lot of logged blocks that are TCP sync packets, UDP or Pings. That is normal.

    If you want people here to analyze some specific traffic events, you'll need to open the ZA log file (usually in: c:\windows\internet logs\zalog.txt ) and copy & paste maybe 20 representative samples. You can replace your IP address with X.X.X.X if you like.
     
    LowWaterMark, May 10, 2004
    #3
  4. [30+]Darknight

    [30+]Darknight Guest

    @ Bigc73542

    Yes, as far as I can tell the fire wall is blocking these attempts.

    @LowWaterMark

    Here is a copy of some of (what I think is) todays log.

    ZoneAlarm Logging Client v4.5.594.000
    Windows XP-5.1.2600-Service Pack 1-SP
    type,date,time,source,destination,transport
    FWIN,2004/05/08,16:08:06 -4:00 GMT,4.10.123.84:3003,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:09:36 -4:00 GMT,4.8.15.157:3092,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:10:30 -4:00 GMT,4.10.142.122:0,4.10.X.X:0,ICMP (type:8/subtype:0)
    PE,2004/05/08,16:11:22 -4:00 GMT,Ghost Recon Game Editor,4.2.2.5:53,N/A
    FWIN,2004/05/08,16:11:22 -4:00 GMT,4.10.70.189:0,4.10.X.X:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/08,16:11:32 -4:00 GMT,4.10.233.73:2375,4.10.X.X:445,TCP (flags:S)
    FWIN,2004/05/08,16:11:32 -4:00 GMT,4.10.166.85:2396,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:11:48 -4:00 GMT,4.10.224.11:2770,4.10.X.X:445,TCP (flags:S)
    FWIN,2004/05/08,16:11:54 -4:00 GMT,4.10.187.5:1036,4.10.X.X:137,UDP
    FWIN,2004/05/08,16:12:30 -4:00 GMT,4.11.141.64:1408,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:12:38 -4:00 GMT,4.10.248.29:0,4.10.X.X:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/08,16:12:54 -4:00 GMT,4.10.162.47:0,4.10.X.X:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/08,16:13:04 -4:00 GMT,64.231.97.58:4284,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:13:08 -4:00 GMT,4.7.20.155:1235,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:13:42 -4:00 GMT,4.11.183.6:4060,4.10.X.X:445,TCP (flags:S)
    FWIN,2004/05/08,16:14:04 -4:00 GMT,4.10.224.11:0,4.10.X.X:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/08,16:14:28 -4:00 GMT,4.10.109.214:3063,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:15:08 -4:00 GMT,4.10.235.107:0,4.10.X.X:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/08,16:15:30 -4:00 GMT,4.8.137.45:3599,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:15:30 -4:00 GMT,4.10.8.90:2117,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:15:36 -4:00 GMT,4.15.104.127:4816,4.10.X.X:445,TCP (flags:S)
    FWIN,2004/05/08,16:15:42 -4:00 GMT,4.224.174.172:0,4.10.X.X:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/08,16:15:58 -4:00 GMT,4.10.32.223:4068,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:16:50 -4:00 GMT,4.10.19.156:3259,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:18:04 -4:00 GMT,4.10.167.50:0,4.10.X.X:0,ICMP (type:8/subtype:0)
    FWIN,2004/05/08,16:18:42 -4:00 GMT,4.10.232.201:4322,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:19:16 -4:00 GMT,4.10.134.241:4552,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:19:54 -4:00 GMT,4.10.187.5:1035,4.10.X.X:137,UDP
    FWIN,2004/05/08,16:20:04 -4:00 GMT,68.157.83.250:48747,4.10.X.X:137,UDP
    FWIN,2004/05/08,16:20:34 -4:00 GMT,4.10.144.123:0,4.10.X.X:0,ICMP (type:8/subtype:0)
    PE,2004/05/08,16:21:04 -4:00 GMT,Zone Labs Client,4.2.2.5:53,N/A
    FWIN,2004/05/08,16:21:34 -4:00 GMT,4.10.15.130:3573,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:22:46 -4:00 GMT,4.11.255.178:4044,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:22:52 -4:00 GMT,4.10.111.10:3027,4.10.X.X:445,TCP (flags:S)
    FWIN,2004/05/08,16:23:44 -4:00 GMT,4.8.199.65:3835,4.10.X.X:135,TCP (flags:S)
    FWIN,2004/05/08,16:23:58 -4:00 GMT,200.117.219.134:1027,4.10.X.X:137,UDP


    Anything unusual??

    Dark
     
    Last edited by a moderator: May 10, 2004
    [30+]Darknight, May 10, 2004
    #4
  5. FanJ

    FanJ Guest

    As LowWaterMark wrote:

    You can replace your IP address with X.X.X.X if you like.
     
    FanJ, May 10, 2004
    #5
  6. [30+]Darknight

    [30+]Darknight Guest

    Oops... I can't edit it either... Yikes..
     
    [30+]Darknight, May 10, 2004
    #6
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Fixed. ;)
     
    LowWaterMark, May 10, 2004
    #7
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Okay, that is normal looking blocked inbound traffic, per the current "state of the Internet" - latest worms out there, and all. ZA is blocking it all, so there's nothing to worry about.

    What you have to think about now is whether you want to get alerts (if you have that enabled) or even the blinking systray icon (tray alerts).

    You aren't getting constant ZA popups currently, are you? Those can be disabled, as can the tray alerts.
     
    LowWaterMark, May 10, 2004
    #8
  9. [30+]Darknight

    [30+]Darknight Guest

    Thanks for fixing my IP (I'm a total newbie).

    And, fortunately, I'm not getting the zone alarm pop ups... the hits may be coming from sources that I have previously told the system to alway block.

    I just tend to check my log a couple times a night to see if anything is amiss.
    The only thing I see is a little red and green bar at the bottom right of my screen...

    Thanks for all the help. I'm relieved to know that everything is functioning properly.

    Dark
     
    [30+]Darknight, May 10, 2004
    #9
  10. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    It is always better to check than to just worry about a problem. I am glad it is just normal traffic.
    bigc
     
    bigc73542, May 10, 2004
    #10
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...