A Windows XP help forum. PCbanter



How to tell if a firewall alert is suspicious or not



 
 
  #1  
Old September 15th 05, 05:50 AM
Gerard Schroeder

How can I tell if a Sygate firewall alert is suspicious or not?

For example, I received this message from Sygate just now:

Sygate Personal Firewall:
Firefox (firefox.exe) is being contacted from a remote machine
[206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
Do you want to allow this program to access the network?

How can I tell if this is suspicious or not?
  #2  
Old September 15th 05, 07:14 AM
nutso fasst


"Gerard Schroeder" wrote in message:
> Firefox (firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?


Look at your TCP/IP configuration. Isn't that your SBC DNS server?

nf


  #3  
Old September 15th 05, 12:56 PM
Karl Levinson, mvp

There are ways you can research these things... however, you will get so
many of these alerts, and it is so fruitless to research them all, that I
strongly recommend you consider a firewall configuration that does not alert
you all the time with these things. Having a firewall ask the user to make
decisions is a security accident waiting to happen, and is also a
significant consumption of your time.

If and when you do want to research these things, you should look up what
the remote IP address is, for example starting with the DNS name lookup and
whois lookup at www.nwtools.com [which also gets the DNS name and a lot of
other things] or www.netsol.com to find out what that IP address is and
whether you or your computer could have had reason to contact it. This IP
is named dns1.snfcca.sbcglobal.net, which is a big hint that suggests this
is probably normal.

It's also useful to know what the protocol [e.g. TCP] and remote port number
is... the firewall alert below didn't seem to tell you, which is really
dumb. If the remote port was, say, TCP 80 or UDP 53, then that gives you
some level of assurance that this is a response to something your computer
requested. There is no such thing as "port 1258." There's TCP port 1258,
and UDP port 1258. Any firewall that doesn't know that this is important
information is dumb [although I generally like Sygate].

A really smart firewall would let you inspect the TCP flags and contents of
the incoming packet, but I guess that's too much to ask.


"Gerard Schroeder" wrote in message:
> How can I tell if a Sygate firewall alert is suspicious or not?
>
> For example, I received this message from Sygate just now:
>
> Sygate Personal Firewall:
> Firefox (firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?



  #4  
Old September 15th 05, 01:51 PM
Duane Arnold


"Gerard Schroeder" wrote in message:
> How can I tell if a Sygate firewall alert is suspicious or not?
>
> For example, I received this message from Sygate just now:
>
> Sygate Personal Firewall:
> Firefox (firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?


That's for you to determine by using a link like the one below and entering
the IP into the WhoIs search box and finding out if the IP is
dubious or not.

http://www.arin.net/index.html

However, the above is one of the problems with personal FW solutions with
features that try to control programs on the machine as they confuse the
end-user as they whine about nothing.

Duane


  #5  
Old September 15th 05, 02:04 PM
Gerard Schroeder

On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:

> There are ways you can research these things... however, you will get so
> many of these alerts, and it is so fruitless to research them all
>
> ...
>
> you should look up what the remote IP address is
> www.nwtools.com or www.netsol.com
>
> ...
>
> A really smart firewall would let you inspect the TCP flags and contents of
> the incoming packet


I thank you for your detailed suggestions summarized below as:
1. There exist innocent common connections reported by the firewall
2. We can find the NAME of the IP address contacting us for clues
3. The content of the incoming packet may contain clues

Regarding the first interesting comment above:
- Is there a site where all the common innocent connections are listed?
- I searched (before I posted) and did not find one (but it may exist).
- If not, I don't mind starting a list (in this post perhaps?).

Regarding looking up the NAME of the IP address:
- WHY would my DNS provider suddenly connect (this does not happen often)?
- I keep a list of the common contact requests & this isn't one of them.
- I said NO to the request & I don't see negative consequences.

Regarding the content of the incoming packets:
- Sygate Personal Firewall 5.6 provides a Yes/No/Details response
- The DETAILS button gives more information (cryptic to me, a novice).
- Again I wonder if there is a list of known non-dangerous contacts.

For us novices who still desire basic firewall protection, it would be nice
to refer to a list of known generally non-dangerous requests to accept.
I'll post separately (as it's slightly OT) the list I maintain of what I
THINK are innocent requests (but I'm not sure) that I get every day so as
to START this desired list (if it doesn't exist already).

The particular message I posted from my DNS server does NOT happen often so
that is what startled me.
  #6  
Old September 15th 05, 02:20 PM
Gerard Schroeder

On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:

> "Gerard Schroeder" wrote in message:
>> How can I tell if this is suspicious or not?
>
> Look at your TCP/IP configuration. Isn't that your SBC DNS server?


Using DHCP, I don't specify a DNS server so I'd have no clue if that truly
was my DNS server ... but I maintain a list of daily requests and this is
NOT one of them.

So why, all of a sudden, would my DNS server be contacting me out of the
blue? And why does my network still (apparently) work even though I said
NO to the request?

What would be nice is for users to post (and for experts to double-check)
what they consider to be innocuous requests uninitiated by them which
appear in their yes/no request list from Sygate.

I am willing to START that list of what appears to be common innocuous
requests (for expert review).

Here is my list of common requests not explicitly initiated by me which my
Sygate Personal Firewall seems to report daily so that others may consult
it before accepting or rejecting a Sygate Personal Firewall request to
allow access:

NDIS User mode I/O Driver (ndisuio.sys)
has received a Multicast packet from the remote machine [192.168.0.1].
Do you want to allow this program to access the network?

NDIS Filter Intermediate Driver (eacfilt.sys)
has received a Multicast packet from the remote machine [192.168.0.1].
Do you want to allow this program to access the network?

NDIS Filter Intermediate Driver (eacfilt.sys)
is trying to broadcast to [192.168.0.255]
using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over
TCP/IP).
Do you want to allow this program to access the network?

NDIS User mode I/O Driver (ndisuio.sys)
has received a Broadcast packet from the remote machine [192.168.0.100].
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine news.google.com [216.239.37.147]
using local port 1615 (NETBILL-AUTH - NetBill Authorization Server).
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine [206.13.28.12]
using local port 1258 (OPENNL - Open Network Library).
Do you want to allow this program to access the network?

Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to [207.46.157.60]
using remote port 443 (HTTPS - HTTP protocol over TLS/SSL).
Do you want to allow this program to access the network?

Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to time.windows.com [207.46.130.100]
using remote port 123 (NTP - Network Time Protocol).
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine [80.237.203.14]
using local port 4503
Do you want to allow this program to access the network?
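Added example, not from this thread and not Sygate's code: a small Python triage script that applies the checks Karl Levinson describes to prompts shaped like the ones in the list above. It flattens Sygate's line wrapping, parses the four prompt shapes (contacted from, received multicast/broadcast, connect to, broadcast to), separates local-network addresses from public ones, and for public addresses applies two of Karl's tests: a reverse DNS lookup on the remote address (via socket.gethostbyaddr; the whois lookup he also suggests is left to the sites he names) and whether an inbound packet is arriving at an ephemeral local port, which usually marks it as the reply half of a session this machine started. The sample prompts are constructed copies of the ones above, the category labels are my own, and the resolver is injectable so the script can be run offline.

```python
"""Triage helper for Sygate-style personal-firewall prompts (added example, not Sygate code)."""
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample prompts, modelled on the ones quoted in this thread.
SAMPLE_ALERTS = [
    "Firefox (firefox.exe) is being contacted from a remote machine\n"
    "[206.13.28.12] using local port 1258 (OPENNL - Open Network Library).\n"
    "Do you want to allow this program to access the network?",
    "NDIS User mode I/O Driver (ndisuio.sys)\n"
    "has received a Multicast packet from the remote machine [192.168.0.1].\n"
    "Do you want to allow this program to access the network?",
    "Generic Host Process for Win32 Services (svchost.exe)\n"
    "is trying to connect to time.windows.com [207.46.130.100]\n"
    "using remote port 123 (NTP - Network Time Protocol).\n"
    "Do you want to allow this program to access the network?",
    "NDIS Filter Intermediate Driver (eacfilt.sys)\n"
    "is trying to broadcast to [192.168.0.255]\n"
    "using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over TCP/IP).\n"
    "Do you want to allow this program to access the network?",
]

# One regex covers the four prompt shapes seen in the thread; whitespace is
# flattened first because Sygate wraps the text across lines. The closing
# bracket after the address is optional because at least one quoted prompt lacks it.
ALERT_RE = re.compile(
    r"^(?P<program>.+?) \((?P<image>[^)]+)\) "
    r"(?P<verb>is being contacted from a remote machine"
    r"|has received a (?:Multicast|Broadcast) packet from the remote machine"
    r"|is trying to connect to"
    r"|is trying to broadcast to) "
    r"(?:(?P<host>[A-Za-z0-9.-]+) )?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"
    r"(?: using (?P<side>local|remote) port (?P<port>\d+))?"
)

# Remote ports that usually mean "a service this machine asked for" (Karl's TCP 80 / UDP 53 point).
WELL_KNOWN_REMOTE = {53: "DNS", 80: "HTTP", 123: "NTP", 443: "HTTPS"}


def parse_alert(text: str) -> Dict[str, object]:
    """Pull program, image name, address, direction and port out of one prompt."""
    m = ALERT_RE.match(" ".join(text.split()))
    if not m:
        raise ValueError("unrecognised prompt format")
    verb = m.group("verb")
    return {
        "program": m.group("program"),
        "image": m.group("image"),
        "host": m.group("host"),
        "ip": m.group("ip"),
        "inbound": verb.startswith(("is being contacted", "has received")),
        "port_side": m.group("side"),
        "port": int(m.group("port")) if m.group("port") else None,
    }


def reverse_dns(ip: str) -> Optional[str]:
    """PTR lookup for the remote address; None when offline or unresolvable."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and gaierror are OSError subclasses
        return None


def triage(text: str, resolver: Callable[[str], Optional[str]] = reverse_dns) -> Dict[str, object]:
    """Classify one prompt; 'resolver' is injectable so the function can be exercised offline."""
    info = parse_alert(text)
    addr = ipaddress.ip_address(str(info["ip"]))
    notes: List[str] = []
    if addr.is_private or addr.is_multicast or addr.is_link_local:
        category = "lan"
        notes.append("address is on the local network (router, LAN peer or broadcast domain)")
    elif info["inbound"]:
        port = info["port"]
        if info["port_side"] == "local" and port is not None and port > 1023:
            category = "probable-reply"
            notes.append("inbound to an ephemeral local port: usually the reply half of a session this host opened")
        else:
            category = "unsolicited-inbound"
            notes.append("inbound from a public address to a port this host is listening on")
        notes.append("the prompt omits protocol and remote port, so this cannot be confirmed from the alert alone")
    else:
        service = WELL_KNOWN_REMOTE.get(info["port"])
        category = "outbound-known" if service else "outbound-other"
        notes.append(f"outbound to a standard {service} port" if service else "outbound to a non-standard remote port")
    # Prefer the name Sygate already printed; otherwise do the reverse lookup Karl suggests.
    name = info["host"] or (resolver(str(info["ip"])) if category != "lan" else None)
    if name:
        notes.append(f"remote name: {name}")
    return {**info, "name": name, "category": category, "notes": notes}


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        result = triage(alert, resolver=lambda ip: None)  # offline run; pass reverse_dns to resolve names
        print(f"{result['image']:<12} {result['ip']:<16} {result['category']:<20} {'; '.join(result['notes'])}")
```

The "probable-reply" verdict is deliberately weak: as Karl notes, without the protocol and remote port the prompt cannot show whether the packet belongs to a connection this host opened, so the script records that caveat rather than calling the alert safe.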
  #7  
Old September 15th 05, 02:23 PM
null

Karl Levinson, mvp wrote:

> There are ways you can research these things... however, you will get so
> many of these alerts, and it is so fruitless to research them all, that I
> strongly recommend you consider a firewall configuration that does not alert
> you all the time with these things. Having a firewall ask the user to make
> decisions is a security accident waiting to happen, and is also a
> significant consumption of your time.
>
> If and when you do want to research these things, you should look up what
> the remote IP address is, for example starting with the DNS name lookup and
> whois lookup at www.nwtools.com [which also gets the DNS name and a lot of
> other things] or www.netsol.com to find out what that IP address is and
> whether you or your computer could have had reason to contact it. This IP
> is named dns1.snfcca.sbcglobal.net, which is a big hint that suggests this
> is probably normal.
>
> It's also useful to know what the protocol [e.g. TCP] and remote port number
> is... the firewall alert below didn't seem to tell you, which is really
> dumb. If the remote port was, say, TCP 80 or UDP 53, then that gives you
> some level of assurance that this is a response to something your computer
> requested. There is no such thing as "port 1258." There's TCP port 1258,
> and UDP port 1258. Any firewall that doesn't know that this is important
> information is dumb [although I generally like Sygate].
>
> A really smart firewall would let you inspect the TCP flags and contents of
> the incoming packet, but I guess that's too much to ask.


You make good points, and I really like your nwtools.com and netsol.com
suggestions.

However, to expect the average user to understand what the different
protocols are, what they do, and what ports are used for what, is a bit
over the top. Like you hinted at, the firewall responses to incoming and
outgoing packets should be as automated as possible for the average user.

And, yes, it is a bit too much to ask your firewall to let you inspect
the packets. 99% of the users wouldn't have a clue anyway. And if you're
competent enough to know what to look for, and have the time, then
you're going to have to invest a bit more than fifty bucks for the
privilege of doing so.

Since so many users don't even HAVE a decent software firewall
installed, this poster is at least making an attempt to protect his
system - I commend him for that!


--
The reader should exercise normal caution and backup the Registry and
data files regularly, and especially before making any changes to their
PC, as well as performing regular virus and spyware scans. I am not
liable for problems or mishaps that occur from the reader using advice
posted here. No warranty, express or implied, is given with the posting
of this message.

  #8  
Old September 15th 05, 02:43 PM
Duane Arnold

The packet filter/personal FW solution is in serious whine mode asking the
end-user unnecessary questions that the average home user just doesn't
understand.

If the user's machine was sitting behind a simple NAT router for the
protection and not running the PFW solution on the machine, none of the
ridiculous authorization questions the end-user is dealing with would be
asked.

Duane
  #9  
Old September 15th 05, 03:44 PM
Mike

Gerard Schroeder wrote:
> On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:
>
>> "Gerard Schroeder" wrote in message:
>>> How can I tell if this is suspicious or not?
>>
>> Look at your TCP/IP configuration. Isn't that your SBC DNS server?
>
> Using DHCP, I don't specify a DNS server so I'd have no clue if that truly
> was my DNS server ... but I maintain a list of daily requests and this is
> NOT one of them.
>
> So why, all of a sudden, would my DNS server be contacting me out of the
> blue? And why does my network still (apparently) work even though I said
> NO to the request?
>
> What would be nice is for users to post (and for experts to double-check)
> what they consider to be innocuous requests uninitiated by them which
> appear in their yes/no request list from Sygate.
>
> I am willing to START that list of what appears to be common innocuous
> requests (for expert review).


Snip pointless list

Without knowing what you were doing at the time, what applications you
need to run, how your network is configured, if you indeed have a
network and a host of other detail, there is no way of knowing. There is
no 'correct' answer.

Example:-
Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to time.windows.com [207.46.130.100]
using remote port 123 (NTP - Network Time Protocol).
Do you want to allow this program to access the network?

Well I might want to allow that because I want my clock to synchronise
to time.windows.com but you may not want to use that server preferring
uk.pool.ntp.org which is on a round robin DNS which will respond from a
different server each time giving rise to yet another problem and so on
and so on...

Ditch the stupid software and get a router.
  #10  
Old September 15th 05, 03:48 PM
Mike

Gerard Schroeder wrote:
> On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:
>
>> There are ways you can research these things... however, you will get so
>> many of these alerts, and it is so fruitless to research them all
>>
>> ...
>>
>> you should look up what the remote IP address is
>> www.nwtools.com or www.netsol.com
>>
>> ...
>>
>> A really smart firewall would let you inspect the TCP flags and contents of
>> the incoming packet
>
> I thank you for your detailed suggestions summarized below as:
> 1. There exist innocent common connections reported by the firewall
> 2. We can find the NAME of the IP address contacting us for clues
> 3. The content of the incoming packet may contain clues
>
> Regarding the first interesting comment above:
> - Is there a site where all the common innocent connections are listed?
> - I searched (before I posted) and did not find one (but it may exist).
> - If not, I don't mind starting a list (in this post perhaps?).
>
> Regarding looking up the NAME of the IP address:
> - WHY would my DNS provider suddenly connect (this does not happen often)?
> - I keep a list of the common contact requests & this isn't one of them.
> - I said NO to the request & I don't see negative consequences.
>
> Regarding the content of the incoming packets:
> - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
> - The DETAILS button gives more information (cryptic to me, a novice).
> - Again I wonder if there is a list of known non-dangerous contacts.
>
> For us novices who still desire basic firewall protection, it would be nice
> to refer to a list of known generally non-dangerous requests to accept.


No!! Novices do not have the knowledge as you so patently demonstrate.
You need a hardware firewall like the ones built into Zyxel routers etc.
Tick the box that says enable firewall and just get on with using your
computer without all the silly pointless and misleading popups from your
software firewall.

> The particular message I posted from my DNS server does NOT happen often so
> that is what startled me.


If you had a router you would not have seen it or been startled plus you
would have been protected.


  #11  
Old September 15th 05, 04:02 PM
null

Mike wrote:
> Ditch the stupid software and get a router.



You made a good point about the inability to give good advice on how to
respond, when we know nothing about his network or applications.

However, to tell him to trash the software firewall and rely strictly on
a router is simply bad advice.

Unless the router performs stateful packet inspection and is highly
configurable, etc., etc., etc., then the router alone will not be
providing sufficient protection.

His use of a software firewall is not unreasonable, and your advice to
get rid of it is unwise.

--
The reader should exercise normal caution and backup the Registry and
data files regularly, and especially before making any changes to their
PC, as well as performing regular virus and spyware scans. I am not
liable for problems or mishaps that occur from the reader using advice
posted here. No warranty, express or implied, is given with the posting
of this message.

  #12  
Old September 15th 05, 07:11 PM
nutso fasst


"Gerard Schroeder" wrote in message:
> So why, all of a sudden, would my DNS server be contacting me out of the
> blue?


Dunno, and wish one of the experts had answered that. But DHCP simply
assigns YOU an IP address, it doesn't eliminate the need for DNS. And you
will have at least one alternate DNS server.

> NDIS User mode I/O Driver (ndisuio.sys)
> has received a Multicast packet from the remote machine [192.168.0.1].


NDIS messages from 192.168.x.x suggest you have a wireless NAT router and
your firewall is responding to messages from it. (Surely you are behind some
kind of NAT, ICS perhaps.) If you're not using a wireless network, disable
wireless configuration service.

As for such terms as HTTPS, SSL and NTP, Google them (and NAT, if necessary)
and expand your understanding. HTTPS means you're connecting to a secure
website.

You're suggesting the compilation of what could be an ever-expanding
database of mostly-irrelevant details. Seems to me time would be better
spent becoming more of an expert. Your choice of firewall apparently demands
it.

Sygate has a product forum. Air your concerns there. Those dialogs are too
obscure for "even inexperienced users" unwilling to spend time researching
them.

nf
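Added example, not part of nutso fasst's post or any Sygate tooling: the check he is asking for ("look at your TCP/IP configuration") in script form. On Windows XP the configuration, including the DNS servers handed out by DHCP, is printed by `ipconfig /all`; this Python script parses a saved copy of that output and reports which configured role, if any, an alerted address plays (this host, default gateway, DHCP server, DNS server). The sample output below is constructed: the adapter name and host name are placeholders, 206.13.28.12 is the address quoted in this thread, and 192.0.2.53 is a documentation (TEST-NET-1) address standing in for the alternate DNS server nutso fasst says DHCP will also have supplied.

```python
"""Check an alerted address against the host's own TCP/IP configuration (added example)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample of Windows XP `ipconfig /all` output (save it with
# `ipconfig /all > ipconfig.txt` and read that file in real use).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xp-box
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : (constructed adapter name)
        Physical Address. . . . . . . . . : 00-00-00-00-00-00
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 206.13.28.12
                                            192.0.2.53
"""

# ipconfig fields whose value is an address with a known role on this host.
ROLE_FIELDS = {
    "IP Address": "this host",
    "Default Gateway": "default gateway",
    "DHCP Server": "DHCP server",
    "DNS Servers": "DNS server",
}
# "Key . . . . : value"; the lazy key stops before the dot leaders.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z0-9 -]*?)[ .]*:\s*(?P<val>.*)$")


def is_ipv4(s: str) -> bool:
    try:
        return ipaddress.ip_address(s).version == 4
    except ValueError:
        return False


def parse_ipconfig(text: str) -> Dict[str, List[str]]:
    """Collect every address listed under the fields in ROLE_FIELDS, keyed by field name."""
    fields: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            key = m.group("key").strip()
            current = key if key in ROLE_FIELDS else None
            values = [m.group("val").strip()]
        else:
            # A line with no colon continues the previous field (second DNS server etc.).
            values = [line.strip()]
        for v in values:
            if current and is_ipv4(v):
                fields.setdefault(current, []).append(v)
    return fields


def roles_of(ip: str, config: Dict[str, List[str]]) -> List[str]:
    """Which configured roles (if any) the alerted address plays on this host."""
    return [ROLE_FIELDS[field] for field, addrs in config.items() if ip in addrs]


def explain(ip: str, config: Dict[str, List[str]]) -> str:
    """One-line verdict for a firewall prompt's remote address, from the configuration alone."""
    roles = roles_of(ip, config)
    if roles:
        return f"{ip} is your {' and '.join(roles)}; traffic from it is expected"
    if ipaddress.ip_address(ip).is_private:
        return f"{ip} is a private address not in this host's configuration: another device on your LAN"
    return f"{ip} is not in this host's TCP/IP configuration; look up its name and owner before deciding"


if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    for candidate in ("206.13.28.12", "192.168.0.1", "80.237.203.14"):
        print(explain(candidate, cfg))
```

Running it against the sample answers the question in the thread directly: 206.13.28.12 is listed as a DNS server, so the prompt came from a host this machine was configured to talk to, and 192.168.0.1 is both the default gateway and the DHCP server, which is the "NAT router" the NDIS multicast prompts are about.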


  #13  
Old September 15th 05, 10:14 PM
alfranze

Firefox is a browser from Mozilla.
Then you can run the command line: tracert 206.13.28.12 to find out
what/where this IP (or any) is, if it really works....

alf


"Gerard Schroeder" wrote in message:
> How can I tell if a Sygate firewall alert is suspicious or not?
>
> For example, I received this message from Sygate just now:
>
> Sygate Personal Firewall:
> Firefox (firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?



  #14  
Old September 16th 05, 02:25 AM
Bruce Chambers

Gerard Schroeder wrote:
> How can I tell if a Sygate firewall alert is suspicious or not?
>
> For example, I received this message from Sygate just now:
>
> Sygate Personal Firewall:
> Firefox (firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?



Do you have another computer on your internal network with that
specific IP address? Is that computer allowed to connect to the
Internet via your computer?


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
  #15  
Old September 16th 05, 05:22 AM
Gerard Schroeder

On Thu, 15 Sep 2005 13:43:02 GMT, Duane Arnold wrote:

> If the user's machine was sitting behind a simple NAT router for the
> protection and not running the PFW solution on the machine, none of the
> ridiculous authorization questions the end-user is dealing with would be
> asked.


I have DSL going to a D-Link just like everyone else.

Is this D-Link wired and wireless transmitter the "NAT Router" you bespeak
of?
 



