#1
Firewall Log
I find that in C:\windows there is a "pfirewall.log" that gets bigger (6MB) - I can stop the firewall and delete the file, then restart the firewall. The log contains entries like

2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - - - - - - - RECEIVE
2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -

What do these entries mean? Is a "drop" a putative attack?!

Rick Merrill
#2
Firewall Log
The contents of the firewall log can be frightening. Unfortunately XP's firewall log isn't very informative - hence I don't use it, simply because it monitors incoming traffic but not outgoing traffic. As a suggestion I would say download the free version of zone alarm www.zonelabs.com and use that instead. Your system is then protected both ways and the log is more informative, telling you what program accesses the web and what ip address it contacted.

Judging by the contents of the log you have supplied and the IP addresses I wouldn't say that they were punitive attacks. The UDP 192.168.0.90 is probably svchost.exe contacting the server, the previous packages obviously failing.

You should also be aware that your isp regularly 'pings' your connection to make sure you are still using it. This can account for a substantial amount of the data in the log files. If you are a dial up connection customer your ISP contract probably contains the following clause: 'if you don't use the connection for 10 minutes (or whatever) your ISP can disconnect you.' The 'pinging' helps check for this use.

On balance your machine is probably attacked 30 or 40 times an hour, sometimes more depending upon the time of day. I know mine is but I don't even bother checking the zone alarm log now. I know zone alarm is doing its job.

-- 
John Barnett MVP
Associate Expert
http://freespace.virgin.net/john.freelanceit/index.htm

"Rick Merrill" wrote in message ...
> I find that in C:\windows there is a "pfirewall.log" that gets bigger (6MB) - I can stop the firewall and delete the file, then restart the firewall.
> The log contains entries like
> 2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
> 2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
> 2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - - - - - - - RECEIVE
> 2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
> 2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -
> What do these entries mean? Is a "drop" a putative attack?!
> Rick Merrill
#3
Firewall Log
"Rick Merrill" wrote in message
> I find that in C:\windows there is a "pfirewall.log" that gets bigger (6MB) - I can stop the firewall and delete the file, then restart the firewall.
> The log contains entries like
> 2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
> 2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
> 2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - - - - - - - RECEIVE
> 2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
> 2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -
> What do these entries mean? Is a "drop" a putative attack?!
> Rick Merrill

I don't have that file.

-- 
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/sec...t/default.aspx
#4
XP Firewall Log description
To answer your question, the 3rd column is the action. Open means a port was opened. If a dropped packet was inbound, it might have been pests wandering the Internet, probes wandering the Internet, or just background noise (e.g. broadcast messages) on the Internet. Like radio broadcasts, broadcast messages are intended for everybody, but no individual in particular. Among other reasons, outbound packets might be dropped if an outbound communication request was made (e.g. request for email or a web page) with no connection to the Internet, or if a request was redirected internally and could not be resolved.

TCP and UDP are communication protocols you will often see in a log. ICMP is a protocol used by Ping and Tracert. Ping does not use TCP or UDP.

Addresses on the Internet (IP addresses) are the 4 numbers separated by dots. The first IP address is the source IP address, and the second IP address is the destination. Among many others, addresses starting with 192.168 are internal inside your PC, not external. So all 5 packets originated internally, and the first 3 had internal destinations.

The last 2 numbers are the port number used by the source system, and the port number used by the target system, respectively. Sometimes your PC is the source, and sometimes your PC is the target, depending on whether your PC is sending or receiving the transmission. Port 80 is used by Internet browsers for communicating in HTTP protocol. Port 53 is used to communicate with a DNS server (that translates www addresses into IP addresses that computers understand). The meaning of other TCP/UDP ports can be found at http://www.iana.org/assignments/port-numbers

You can quickly find your own IP address by clicking on the icon in the lower right that looks like 2 monitors (if you have 2 icons like this, it's the one that shows the name of your Internet connection when you rest your mouse pointer on it), and clicking the tab labeled Details.

As your firewall log grows, you will see that most dropped packets are just background noise, or pests and probes that wander and search the Internet looking for an opportunity (but not you or any particular individual). If something/somebody were specifically targeting you for an attack, you would likely see a sudden series of many dropped packets from the same external IP address, using many different ports.

http://www.pcworld.com/reviews/artic...39,pg,1,00.asp

Switching to one of the firewalls recommended in this article is very good advice. Go with ZoneAlarm if you love to learn and are not impatient with learning curves. After installing TrendMicro's security suite and dropping XP's firewall, I found that TrendMicro's initial settings left some ports on my PC visible (open or closed) to predators on the internet, before I figured out how to make them invisible. Which ports were visible depended on whether I was running with XP SP1 or SP2.

TrendMicro's security suite and the purchased versions of ZoneAlarm have many other nice, additional features. TrendMicro's security suite has a very good antivirus component, along with Wi-Fi and personal data protection, though the spyware component had poor results in the tests cited in the article. ZoneAlarm is much more versatile (herein lies the learning curve) in allowing you to allow/disallow inbound requests depending on IP address, and in filtering different types of cookies and different types of mobile code (ActiveX, VBScript, JavaScript, etc.) on a website-by-website basis.

Rick Merrill wrote:
> I find that in C:\windows there is a "pfirewall.log" that gets bigger (6MB) - I can stop the firewall and delete the file, then restart the firewall.
> The log contains entries like
> 2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
> 2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
> 2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - - - - - - - RECEIVE
> 2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
> 2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -
> What do these entries mean? Is a "drop" a putative attack?!
> Rick Merrill
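The column reading given in post #4 and its rule of thumb for what a targeted probe looks like (many dropped packets from one external address across many different ports in a short time) can be turned into a small log reader. The script below is an added example, not code from the thread or from Microsoft. It assumes the 17-column layout of the XP SP2 firewall log (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, the TCP/ICMP detail columns, info, path), which matches the five lines Rick posted; those five lines are reused as sample input, followed by a constructed burst from the documentation-range address 198.51.100.7 so that the sweep check has something to find. The port 162 that the three dropped packets were aimed at is the SNMP trap port, which the thread does not say but the IANA list linked in post #4 does.

```python
"""Added example: reading a Windows XP pfirewall.log from the defender's side.

Parses each record into named fields, gives a plain-English reading, and flags
the pattern post #4 describes (one external source, many distinct ports,
short time) while leaving the ordinary LAN noise alone.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed column layout of the XP SP2 log (the file carries it in a "#Fields:" header).
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Names for the ports that appear in the sample: DNS and HTTP from the thread, 162 = SNMP trap.
PORT_NAMES = {53: "dns", 80: "http", 162: "snmp-trap"}

# RFC 1918 ranges; "LAN" here means one of these, which is what post #4 calls "internal".
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Sample input: the five lines from the thread, then a CONSTRUCTED burst (not from the
# thread) in which 198.51.100.7 hits 12 different ports within 11 seconds.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-01-05 19:14:19 DROP UDP 192.168.0.1 192.168.0.90 39562 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:34 DROP UDP 192.168.0.1 192.168.0.90 39563 162 135 - - - - - - - RECEIVE
2005-01-05 19:14:49 DROP UDP 192.168.0.1 192.168.0.90 39564 162 135 - - - - - - - RECEIVE
2005-01-05 19:15:02 OPEN UDP 192.168.0.90 63.240.76.19 1038 53 - - - - - - - - -
2005-01-05 19:15:02 OPEN TCP 192.168.0.90 63.111.24.28 4282 80 - - - - - - - - -
""" + "".join(
    f"2005-01-05 19:20:{sec:02d} DROP TCP 198.51.100.7 192.168.0.90 {40000 + sec} {port} "
    "48 S 0 0 0 - - - RECEIVE\n"
    for sec, port in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389))
)


def is_lan(ip):
    """True for RFC 1918 addresses such as 192.168.0.1 and 192.168.0.90."""
    return any(ip in net for net in LAN_NETS)


def parse_line(line):
    """Turn one log line into a dict of named fields; None for blank or '#' header lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["timestamp"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    for key in ("src-port", "dst-port", "size"):   # "-" means the column does not apply
        rec[key] = None if rec[key] == "-" else int(rec[key])
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def describe(rec):
    """One-line reading of a record in the terms post #4 uses (source -> destination, port)."""
    src = ipaddress.ip_address(rec["src-ip"])
    dst = ipaddress.ip_address(rec["dst-ip"])

    def side(ip):
        return "LAN" if is_lan(ip) else "Internet"

    service = PORT_NAMES.get(rec["dst-port"], f"port {rec['dst-port']}")
    if rec["action"] == "DROP":
        verb = {"RECEIVE": "dropped inbound", "SEND": "dropped outbound"}.get(rec["path"], "dropped")
    elif rec["action"] == "OPEN":
        verb = "opened outbound" if is_lan(src) and not is_lan(dst) else "opened"
    else:
        verb = rec["action"].lower()
    return f"{verb} {rec['protocol']} {src} ({side(src)}) -> {dst} ({side(dst)}) {service}"


def find_port_sweeps(records, min_ports=8, window=timedelta(seconds=60)):
    """Return {src-ip: distinct ports} for non-LAN sources whose dropped inbound packets
    touched at least `min_ports` different destination ports inside one `window`."""
    hits = defaultdict(list)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE" and not is_lan(ipaddress.ip_address(r["src-ip"])):
            hits[r["src-ip"]].append((r["timestamp"], r["dst-port"]))
    sweeps = {}
    for ip, events in hits.items():
        events.sort()                      # sliding window over time-ordered events
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                sweeps[ip] = max(sweeps.get(ip, 0), len(ports))
    return sweeps


def summarize(text):
    """Counts of LAN drops, Internet drops and opened connections, plus any sweeps found."""
    records = parse_log(text)
    counts = defaultdict(int)
    for r in records:
        if r["action"] == "DROP" and r["path"] == "RECEIVE":
            counts["drop_in_from_lan" if is_lan(ipaddress.ip_address(r["src-ip"])) else "drop_in_from_internet"] += 1
        elif r["action"] == "OPEN":
            counts["open"] += 1
    return {"records": len(records), "counts": dict(counts), "sweeps": find_port_sweeps(records)}


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG)[:5]:
        print(describe(rec))
    print(summarize(SAMPLE_LOG))
```

Run against the thread's five lines alone, the three DROPs come out as LAN-to-LAN traffic from the router to the PC and the two OPENs as the PC's own outbound DNS and HTTP connections, so no sweep is reported; only the constructed burst trips the threshold. The threshold and window are knobs, not facts: on a real file, tune `min_ports` and `window` until ordinary background noise stays below them.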