when Localhost is the Local and Remote address

I don't know if this is correct, and if it is, I am sure I'm not the first one to realize it, but...if you look at your firewall log and you observe that for a connection both the local and the remote address are "localhost" would that mean that that your something from your host file was attempting to connect with Internet Explorer.

If true, then can't you sort of use it as sort of a website scumminess detector? I mean if these things are being blocked at the same time you are perusing a particular site, it is suggestive isn't it?

Anyway, in these case, I had about a hundred hits from localhost with a couple of minutes, all clustered around a visit to a particular site. Not a porn site, not a gambling site...a news site. I guess so many hits because they must just keep right on trying to send what ever it is they are sending.

I've never been good about reading logs and deducing anything from their contents, but I have always been annoyed from the fact that I don't often know what sites are responsible for what. I am the sort who basically won't do any interaction with a site if I know them to cross the line of their visitors privacy, and security, so it would be nice to know if I am interpreting the log correctly. Unfortunately, I have no way of knowing what particular item in the host file was blocking anyway. I'm sure some of the things in it aren't outrageouly bad.

-HandsOff

 

Any half-decent firewall log should include the URLs of web sites your browser accesses. If yours does not, you may find a proxy filter like Privoxy worth checking out - it can filter HTML (being based on JunkBuster) but also keeps a log of the websites your browser tries to connect to.

Going back to your original point - it is perfectly possible to have network connections from localhost to localhost for legitimate reasons (notably if you were chaining local proxies - like having your browser connect to Proxomitron, Proxomitron connect to Privoxy and Privoxy connect to Tor which is my setup) so such connections cannot be a guarantee of suspicious behaviour for everyone.

 

Yes, P2000, I see what you mean. My suspicions were aroused about something so I jumped to a conclusion. I just thought wouldn't it be nice if you could assess a bad site that easily.

I do have a very satisfactory firewall. It may not be a big favorite around here, but I think NPF2003 does an outstanding job. So good, infact, that I have had very little reason to look at the logs in the first place. I certainly have not suffered the indignity of having my firewall shut down by some malware programs, as I have seen with brand-x firewall.

To Low H20,
Actually, I took a screenshot of the activity but in the end decided it would seem like an accusation towards a site based on evidence that I was not sure of.

SITWs, now my couriosity is aroused, i will have to take a look!

My idea was wide of the target, but I am happy to have gained a couple more grains of knowledge.