How to tell if a firewall alert is suspicious or not

Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin

"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
news:1q08azyjwaa34.bf3jp27hl5dk.dlg@40tude.net...

> Where would YOU go when you received any one of the messages previously
> posted when you didn't explicitly ask for that IP address to connect to
> you?

I do the same things I suggested in my post.

> THAT's THE WHOLE POINT OF THIS THREAD!
> With Sygate Personal Firewall (and I suspect all software firewalls), you
> can tell the program to silently ignore and simply LOG all these
> connections! My question was really WHICH OF THESE WOULD YOU IGNORE?

I think the best firewall configuration is one that doesn't give you any
popups whatsoever. Corporate firewalls don't give the firewall
administrator popups and ask him or her questions. They just work. The
same thing is true of hardware firewalls used in homes. Firewalls should
have just two situations: packets it knows are bad and it blocks without
question, and everything else that it lets through.

> > Having a firewall ask the user to make decisions is a security accident
> > waiting to happen, and is also a significant consumption of your time.
>
> Is there any other choice?

Yes... I don't have the latest version of Sygate, but I believe most
software firewalls have a configuration choice that does not cause any
popups. If Sygate doesn't, there's also www.kerio.com, www.zonealarm.com,
both of which are free. If you are already protected by a hardware
firewall, you may not really totally need that software firewall.

> 1. Which of these common requests is truly something to ignore

All of them.

> machine. It doesn't tell me WHY they would be contacting me. (Remember,

The problem is all you've got is what the firewall tells you, and it hasn't
told you everything you need to know. Very often, you will not be able to
100% determine the cause. You'll have to make a best guess, go with a gut
feeling, and move on. Even professionals who monitor computer networks for
intrusions do this as well.

Another possible strategy would be to deny any packets you have questions
about. If something breaks, then you know it was probably something you
needed to allow. This is also the safest strategy.

> that server only contacted me once and I have been using this same setup
> for years). So, why, all of a sudden, would a machine which purports to be
> a DNS server, be contacting me?

I believe it is more likely that this was a reply to a connection your
computer made. The reply took too long to come back, and your firewall
stopped watching that connection, was surprised when the reply came back and
considered it a new connection. DNS servers should never be contacting you.
This situation can happen when you look up the IP address for a host name
where the DNS server is troubled or down and does not respond, and the
request times out 45 seconds or more later. It's happened to me.

> In defence of the Sygate Personal Firewall, there is a DETAILS button which
> spits out a huge amount of cryptic (to a novice) information about
> something called a "packet" so the remote port MIGHT be in that listing.

Ah, that might help us a little. But I'm still leaning towards ignoring
this one, moving on, and pursuing a silent firewall configuration.

> I could post the DETAILED information if it would help (caution, it's
> cryptic at best).

Sure, go ahead.
 

"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
news:125fddwsx0agz.8ux1n0q8ec5.dlg@40tude.net...

> So, why, all of a sudden, would my DNS server be contacting me, out of the
> blue. And, why, does my network still (apparently) work even though I said
> NO to the request?

See my other post. More likely, this was a reply to your computer, but the
reply took so long, your firewall wrongly considers this a new inbound
connection. DNS especially does this due to having timeout values that are
greater than the timeout values in many stateful firewalls.

> What would be nice is for users to post (and for experts to doublecheck)
> what they consider to be innocuous requests uninitiated by them which
> appear in their yes/no request list from Sygate.
>
> I am willing to START that list of what appears to be common innocuous
> requests (for expert review).

It's not really that easy. If it was, someone would have done it already.
One problem is that each firewall reports things in different ways. Another
problem is that some Firefox traffic is good, and some might not be so good.
These sorts of things are very variable and conditional. However, you can
find some informative resources by searching www.google.com for firewall-faq
and also search for ids-faq. In particular, there are some good IDS FAQs on
Robert Graham's web site [google says it's at
http://www.robertgraham.com/pubs/network-intrusion-detection.html but I
can't get to that web site currently] and especially this, I strongly
recommend reading this:

http://www.mynetwatchman.com/kb/res-falsepos.htm

By the way, you may want to sign up with a free service like
www.mynetwatchman.com or www.dshield.org. Those sites automatically report
hacking attempts blocked in your firewall to the ISPs responsible, and they
also let you see useful relevant information from other people's firewall
logs, which helps you determine whether something is just hitting you or is
hitting a lot of other people. You can't get that information any other
way.
 

"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
news:jwds0e2ucftd.hz4moqapcoq2.dlg@40tude.net...

> I am using a wireless D-Link (is that the router you bespeak of)?

Not specifically, but it qualifies. I'd OK the NDIS messages.

> I only posted what I considered the unasked for messages (not the obvious
> ones).

Unasked for... You weren't visiting a secure web page when you got the HTTPS
message? Weren't looking at a PDF when the DNS server tried to contact
Acrobat? That would be odd indeed. As for some of the others, is it possible
a web page you were visiting pulled an advertisement or graphic from a
different address? Have you looked at the relevant transactions in context
in the firewall logs? Do you understand that local ports 1024-5000 are
typically ones YOUR system uses to connect to a remote system? And that once
a connection is made, the remote system communicates FROM the destination
port TO the port your system has connected from?

Next time you get a prompt referring to any of those local ports, try
opening a command prompt and typing 'netstat -a' and see if the port's
currently connected to something. I suspect the references to 'Open Network
Library' and 'NetBill Authorization Server' are bogus (pulled from the list
of 'registered ports'). But then, I'm no expert.

Ask on the Sygate forum.

nf
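To make the two explanations concrete, the late DNS reply described in the earlier replies and the ephemeral-local-port point made here, the following is a small connection tracker in Python. It is an added illustration, not Sygate's logic or anything from the original posts: the 30 s UDP and 300 s TCP idle timeouts are assumed values, the addresses are taken from the alerts quoted in the thread, port 53 for the DNS server is an assumption, and 203.0.113.5 is a constructed outside host.

```python
"""Toy stateful packet filter, added to illustrate two points made in the
thread: (1) a DNS reply that arrives after the firewall has forgotten the
query looks like a brand-new inbound connection, and (2) inbound packets
to a high local port (1024-5000) are normally replies to something the
PC itself opened. Illustration code, not Sygate's; timeouts and all
packets below are constructed sample values."""
from dataclasses import dataclass

UDP_TIMEOUT = 30.0   # assumed: idle seconds before a UDP flow is forgotten
TCP_TIMEOUT = 300.0  # assumed: idle seconds for an established TCP flow
EPHEMERAL = range(1024, 5001)  # client-side port range the thread mentions


@dataclass(frozen=True)
class Packet:
    t: float          # seconds since the log started
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "out" = sent by this PC, "in" = arrived from the network


class Tracker:
    """Remembers flows this PC opened so replies can be matched to them."""

    def __init__(self):
        # (proto, local_ip, local_port, remote_ip, remote_port) -> last seen
        self.flows = {}

    def _expire(self, now):
        for key, last in list(self.flows.items()):
            timeout = UDP_TIMEOUT if key[0] == "udp" else TCP_TIMEOUT
            if now - last > timeout:
                del self.flows[key]

    def handle(self, pkt):
        """Return the verdict a silent, state-tracking firewall would reach."""
        self._expire(pkt.t)
        if pkt.direction == "out":
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t
            return "outbound: state created"
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.flows:
            self.flows[key] = pkt.t
            return "reply to our own connection: allow silently"
        if pkt.dport in EPHEMERAL:
            # No state, but the local port is one this PC hands out to its own
            # clients: the usual cause is a reply that outlived the state entry.
            return ("UNSOLICITED? inbound to local port %d with no matching "
                    "state (a late reply looks exactly like this)" % pkt.dport)
        return "unsolicited inbound to service port %d: block" % pkt.dport


def run_scenario(dns_reply_delay):
    """Replay constructed traffic; the DNS answer arrives dns_reply_delay s late."""
    me, dns, web = "192.168.0.108", "206.13.28.12", "216.239.37.147"
    stranger = "203.0.113.5"  # constructed outside address
    pkts = [
        Packet(0.0, "udp", me, 1258, dns, 53, "out"),             # DNS query
        Packet(dns_reply_delay, "udp", dns, 53, me, 1258, "in"),  # DNS answer
        Packet(10.0, "tcp", me, 1615, web, 80, "out"),            # browser to web server
        Packet(11.0, "tcp", web, 80, me, 1615, "in"),             # server's reply
        Packet(12.0, "udp", stranger, 1034, me, 137, "in"),       # nobody asked for this
    ]
    tracker = Tracker()
    return [(p.t, tracker.handle(p)) for p in sorted(pkts, key=lambda p: p.t)]


if __name__ == "__main__":
    for label, delay in (("fast DNS reply", 0.2), ("DNS reply after 45 s", 45.0)):
        print("--", label)
        for t, verdict in run_scenario(delay):
            print("%6.1fs  %s" % (t, verdict))
```

The tracker answers the same question 'netstat -a' answers by hand: is there an existing connection whose local port matches the one in the prompt? With a 0.2 s DNS answer the entry is still there and the packet passes silently; with a 45 s answer the entry has expired and the very same packet is reported as an inbound contact on local port 1258, which is the situation the thread is puzzling over.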
 

Gerard Schroeder wrote:

> The question becomes:
> 1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
> 2. HOW do we obtain possible REASONS for a machine contacting us on this
> port?
>
> That advice was the purpose of the original question.
>

I don't know of a simple answer to your questions. The only people I
have ever had contact with that could *possibly* explain the reasons for
*every* incoming/outgoing packet are security experts - most notably
firewall experts.

So, one of the posters gave a solution for you, a solution that I use
frequently: deny the request and see if anything breaks.

Good luck.

--
The reader should exercise normal caution and backup the Registry and
data files regularly, and especially before making any changes to their
PC, as well as performing regular virus and spyware scans. I am not
liable for problems or mishaps that occur from the reader using advice
posted here. No warranty, express or implied, is given with the posting
of this message.
 

Gerard Schroeder wrote:

> I'm confused whether the D-Link wired and wireless box I have connected to
> the DSL modem is considered the "router" you bespeak of. Is it?

I can't say with 100% certainty if the D-Link is a router, but it
probably is.

 

Gerard Schroeder wrote:
> On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:
>
> > "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
<snip>
> What would be nice is for users to post (and for experts to doublecheck)
> what they consider to be innocuous requests uninitiated by them which
> appear in their yes/no request list from Sygate.
>
> I am willing to START that list of what appears to be common innocuous
> requests (for expert review).

Google the name of the process initiating the outgoing connection.


> Here is my list of common requests not explicitly initiated by me which my
> Sygate Personal Firewall seems to report daily so that others may consult
> it before accepting or rejecting a Sygate Personal Firewall request to
> allow access:
>
> NDIS User mode I/O Driver (ndisuio.sys)
> has received a Multicast packet from the remote machine [192.168.0.1].
> Do you want to allow this program to access the network?

That's not important. 192.168.0.1 is on your LAN. If you receive
a packet from a computer on your LAN, it's no big deal!

> NDIS Filter Intermediate Driver (eacfilt.sys)
> has received a Multicast packet from the remote machine [192.168.0.1].
> Do you want to allow this program to access the network?

ditto

> NDIS Filter Intermediate Driver (eacfilt.sys)
> is trying to broadcast to [192.168.0.255]
> using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over
> TCP/IP).
> Do you want to allow this program to access the network?

So now this process (you may google it), but it's clearly
harmless. It is on your computer, and sending a packet to every computer on
your LAN.
Don't think that one of your computers is attacking another!

> NDIS User mode I/O Driver (ndisuio.sys)
> has received a Broadcast packet from the remote machine [192.168.0.100].
> Do you want to allow this program to access the network?

ditto


> Firefox (firefox.exe)
> is being contacted from a remote machine news.google.com [216.239.37.147]
> using local port 1615 (NETBILL-AUTH - NetBill Authorization Server).
> Do you want to allow this program to access the network?

I just use Firefox as a web browser. It just makes outgoing
connections. So, once the outgoing connection was made, packets go
either way. Each outgoing connection may use a different port. I don't see
why this local port is called NETBILL-AUTH; maybe I'm wrong. But
this is Firefox, nothing to worry about.


> Firefox (firefox.exe)
> is being contacted from a remote machine [206.13.28.12]
> using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?

Ditto. Dunno what this OPENNL is about, even after googling. But this
is Firefox, surely not receiving an incoming connection, unless you're
not using it as just a web browser or something.

Do you recognise OpenNL?!

> Generic Host Process for Win32 Services (svchost.exe)
> is trying to connect to [207.46.157.60]
> using remote port 443 (HTTPS - HTTP protocol over TLS/SSL).
> Do you want to allow this program to access the network?
>
> Generic Host Process for Win32 Services (svchost.exe)
> is trying to connect to time.windows.com [207.46.130.100]
> using remote port 123 (NTP - Network Time Protocol).
> Do you want to allow this program to access the network?

Windows does make these annoying outgoing connections. It may not be
worth checking out what Windows is doing. Any outgoing connection from
svchost.exe should be considered fine, unless svchost.exe got
overwritten by a malicious version. You can't be that paranoid on a
Windows system. Trust svchost.exe! It's a famous Windows process, as
Sygate knows.

> Firefox (firefox.exe)
> is being contacted from a remote machine [80.237.203.14]
> using local port 4503
> Do you want to allow this program to access the network?

Yes, you want to use your web browser.

The Windows firewall, which blocks all incoming connections, is very
good. Yes, malware may make outgoing connections. But at least you'll
let Windows processes communicate outside, and you'll let your browser
communicate.

And as has been said, don't be afraid of some spyware transmitting.
If it's there, then remove it. If it were dangerous, it'd get past
your attempt at blocking outgoing connections anyway.


Blocking outgoing connections as paranoidly as you are now causes the
mess that you have now: far more stress than any spyware!!!
 

Gerard Schroeder wrote:
> On Thu, 15 Sep 2005 15:48:26 +0100, Mike wrote:
>
> > Novices do not have the knowledge as you so patently demonstrate.
> > You need a hardware firewall like the ones built into Zyxel routers etc.
>
> Is the D-Link wireless/wired box connected to the DSL modem set up in the
> default configuration sufficient?

It is a great help. It blocks all incoming connections. Beyond that, do
not block all outgoing connections, or allow yourself to be hassled by
your personal firewall over it.

Use software, like Active Ports, that will list established
connections. At least it won't hassle you with popups. It gives the
process name. Do not look for great lists. Just google the name of
the process that is making the outgoing connection. And if you get 100
links saying it's spyware, then you should start running different
spyware removal utilities until you successfully get rid of it.

> Or is there something ELSE I should purchase to get this "hardware
> firewall"?

Your 'home router' (actually a NAT device) blocks incoming. I have a
D-Link one too.
You can go to http://192.168.0.1 and configure it. Or if that doesn't
work, find out its IP:
open a command prompt (Start.. Run.. cmd <ENTER>) and type
ipconfig /all

and see what it says for 'Gateway' (that is your 'router').
Then go to http://gatewayip

See, it has a firewall built in. But still, don't bother blocking
outgoing connections, even with that.

If you have spyware, get rid of it properly.

> > If you had a router you would not have seen it or been startled plus you
> > would have been protected.


And you do have a router ('home router'). It blocks incoming, which
is very good. You should look at outgoing but not be hassled with
popups, and not be paranoid. Use Google on an unknown process making an
outgoing connection. Just see if Google says it's spyware.
 

Gerard Schroeder wrote:
> On Thu, 15 Sep 2005 19:25:21 -0600, Bruce Chambers wrote:
>
> >> Sygate Personal Firewall:
> >> Firefox (firefox.exe) is being contacted from a remote machine
> >> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> >> Do you want to allow this program to access the network?
>
> > Do you have another computer on your internal network with that
> > specific IP address? Is that computer allowed to connect to the
> > Internet via your computer?
>
> Of course not!
>
> If I had another machine on the same tiny home network with that IP address
> (which would be highly unlikely in a 192.168.0.XXX network), then I would
> NOT have posted that specific request in the list above as it would have
> been an obvious innocuous request.
>
> Again, knowing the machine name & owner is only HALF the story. Actually,
> it's only 1/3 the story as the following is important:
> 1. WHO is the owner of that machine?
> 2. WHAT is the purpose of the port being used?
> 3. WHY is that machine contacting me?
>
> Is this information available somewhere?
>
> Note that the WHO part is trivial to obtain, e.g., we can obtain that from:
> http://www.dnsstuff.com
> http://www.nwtools.com
> http://www.netsol.com
> http://remote.12dt.com/rns
> http://www.zoneedit.com/lookup.html
> etc.; but that doesn't tell us WHAT or WHY.
>
>
> The WHAT part, albeit often highly technical, is not too very difficult to
> obtain, e.g., we can use any of the following which describe the ports:
> http://www.bekkoame.ne.jp/~s_ita/port/port1200-1299.html
> http://www.seifried.org/security/ports/1000/1258.html
> http://www.iana.org/assignments/port-numbers
> http://www.sonomawireless.com/~ports/port1200-1299.html
> http://www.auditmypc.com/freescan/readingroom/portlist.asp
> etc.; but that doesn't tell us WHY they contacted us.
>
> The WHY part is the key question.
>
> For example, WHY would dns1.snfcca.sbcglobal.net contact my machine on tcp
> tdp/udp port 1258 named the Open Network Library?
>
> The question becomes:
> 1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
> 2. HOW do we obtain possible REASONS for a machine contacting us on this
> port?
>
> That advice was the purpose of the original question.

Difficult to know those answers, especially on a Windows machine. So
people don't.

The key thing is knowing that it isn't malware.

Believe me, you can go further than you are in asking HOW and WHY. You
could download Ethereal, a packet sniffer, and start asking why this
program is sending this or that. It doesn't matter. You have to know
what processes/programs you trust.
I have no idea what that OpenNL was though. I'd have thought that local
ports on the client side wouldn't have names. Anyhow, you trust
Firefox, don't you? And the program/process was Firefox, so let it be.

And if you see a process that you don't understand what it does, then
google. Who cares what it does; all that matters is if it's a famous
trojan process.

If you're having problems with slow internet access, then it most
probably is spyware. And if the spyware were really dangerous, it'd
get past you. Maybe it'd have replaced a known Microsoft
process, added some code, and that process now makes an outgoing
connection. You may want to run spyware checks.


Try using the Windows firewall only for a year, and see if you have
problems. By the way, you are already blocking incoming connections
with your router. So the Windows firewall is doing the same thing, but
it's just another layer of security. Even turning off the Windows
firewall won't be a problem, 'cos you're still blocking incoming
connections anyway.
 

I always wonder what to do when you get a spoofed IP through your NAT.

For example, this Sygate personal firewall message got me wondering what
was REALLY going on here.

NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo
Request) packet to [202.232.13.185].
Do you want to allow this program to access the network?

Yes No Details

Details:
File Version : 5.1.2600.2622
File Description : NT Kernel & System (ntoskrnl.exe)
File Path : C:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 192.168.0.108
ICMP Type : 8 (Echo Request)
ICMP Code : 0
Remote Name :
Remote Address : 202.232.13.185

Ethernet packet details:
Ethernet II (Packet Length: 120)
Destination: 00-80-c8-b0-33-8a
Source: 00-20-e0-2d-07-a5
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 4
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0x891b (Correct)
Source: 192.168.0.108
Destination: 202.232.13.185
Internet Control Message Protocol
Type: 8 (Echo Request)
Code: 0
Data (68 bytes)

Binary dump of the packet:
0000: 00 80 C8 B0 69 8A 00 20 : E0 8F 07 A5 08 00 45 00 | ....i.. ......E.
0010: 00 5C 01 6B 00 00 04 01 : 1B 89 C0 A8 00 64 CA E8 | .\.k.........d..
0020: 0D B9 08 00 E4 FF 03 00 : 10 00 00 00 00 00 00 00 | ................
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 4A 45 44 45 46 43 | ..........JEDEFC
0070: 41 43 41 43 41 43 41 43 : | ACACACAC
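The binary dump at the end of the post is enough to check the Details summary against the actual bytes on the wire. The following Python decoder is an added example, not part of the post or of Sygate: the hex dump and the Details values are copied from the post above, while the parser, the checksum verification and the comparison are mine.

```python
"""Decode the 'Binary dump of the packet' quoted above and compare it with
the Details pane. Added example: the dump and the pane values are copied
from the post, the decoder and checks are not Sygate's."""
import struct

DUMP = r"""
0000: 00 80 C8 B0 69 8A 00 20 : E0 8F 07 A5 08 00 45 00 | ....i.. ......E.
0010: 00 5C 01 6B 00 00 04 01 : 1B 89 C0 A8 00 64 CA E8 | .\.k.........d..
0020: 0D B9 08 00 E4 FF 03 00 : 10 00 00 00 00 00 00 00 | ................
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 4A 45 44 45 46 43 | ..........JEDEFC
0070: 41 43 41 43 41 43 41 43 : | ACACACAC
"""

# Values as printed in the post's Details pane, for comparison with the bytes.
DETAILS_PANE = {
    "eth_dst": "00-80-c8-b0-33-8a",
    "eth_src": "00-20-e0-2d-07-a5",
    "src_ip": "192.168.0.108",
    "dst_ip": "202.232.13.185",
    "ttl": 4,
    "ip_checksum": 0x891B,
    "icmp_data_len": 68,
}


def parse_dump(text):
    """Turn the hex-dump text into bytes (offset and ASCII columns dropped)."""
    raw = bytearray()
    for line in text.strip().splitlines():
        hex_part = line.split("|", 1)[0].split(":", 1)[1]
        raw.extend(int(tok, 16) for tok in hex_part.replace(":", " ").split())
    return bytes(raw)


def internet_checksum(data):
    """RFC 1071 one's-complement sum; 0 means the stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac(b):
    return "-".join("%02x" % x for x in b)


def ipv4(b):
    return ".".join(str(x) for x in b)


def decode(raw):
    """Ethernet II -> IPv4 -> ICMP, returning the fields worth checking."""
    eth_type = struct.unpack("!H", raw[12:14])[0]
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    icmp = ip[ihl:total_len]          # exactly what the IP header says it carries
    return {
        "eth_dst": mac(raw[0:6]),
        "eth_src": mac(raw[6:12]),
        "eth_type": eth_type,
        "ip_version": ip[0] >> 4,
        "ip_total_len": total_len,
        "ttl": ip[8],
        "protocol": ip[9],
        "ip_checksum": struct.unpack("!H", ip[10:12])[0],
        "ip_checksum_ok": internet_checksum(ip[:ihl]) == 0,
        "src_ip": ipv4(ip[12:16]),
        "dst_ip": ipv4(ip[16:20]),
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "icmp_checksum_ok": internet_checksum(icmp) == 0,
        "icmp_data_len": len(icmp) - 8,
        # bytes after the IP datagram: not covered by the IP total-length field
        "trailer": ip[total_len:].decode("ascii", "replace"),
    }


def mismatches(fields, pane=DETAILS_PANE):
    """Names of fields where the Details pane and the raw bytes disagree."""
    return sorted(k for k, v in pane.items() if fields[k] != v)


if __name__ == "__main__":
    fields = decode(parse_dump(DUMP))
    for k, v in fields.items():
        print("%-17s %s" % (k, hex(v) if k in ("ip_checksum", "eth_type") else v))
    print("pane disagrees with bytes on:", ", ".join(mismatches(fields)))
```

Run as written, it confirms that both the IP and the ICMP checksums verify over the raw bytes (so the dump is an intact echo request, type 8, code 0, with 64 zero data bytes inside a 92-byte datagram) and lists the fields on which the Details pane and the dump disagree: both MAC addresses, the source IP (the bytes read 192.168.0.100), the data length, and the checksum, which the pane shows as 0x891b while the wire bytes are 1B 89, the same two bytes in the other order. The 14 bytes "JEDEFCACACACAC" sit beyond the IP total length and are reported as a trailer rather than as ICMP data. When a prompt leaves you guessing, this kind of decode is the check to run before deciding anything from the summary lines alone.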
 

On Sun, 18 Sep 2005 23:25:47 GMT, Milrose Lewis wrote:

> NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo
> Request) packet to [202.232.13.185].
> Do you want to allow this program to access the network?

That's a KNOWN TROJAN. Kill it! DO NOT let it access your SYSTEM!

You have BIG PROBLEMS if that is occurring.
I suggest you immediately run a full system scan by going to
http://grc.com/default.htm (press on the "Shields Up" link)

While you're at it, scan for the trojan that initiated this request
http://www.windowsecurity.com/trojanscan (works only with IE)

Since your system was obviously compromised, request a full system audit
https://secure1.securityspace.com/smysecure/basic_index.html

Only after running these three programs that everyone runs monthly will
your system be safe from that trojan you have!