September 25th, 2003, 01:53 AM
Firewall log forensics
Tigershark had a thread earlier today about some unusual activity, and I didn't have time to reply.... I can't find the thread anymore.... :shrug:
I found a few links for the newer members (myself included) that will hopefully help to explain a little about what is going on with the logs.
And for a little help understanding terms with which we may not be familiar..
If somebody already posted these, please accept my apologies, I hadn't seen them here yet.
September 25th, 2003, 02:06 AM
Yeah, on my Zone Alarm usually the most common activity I get is a TCP packet (Flag:S). The S flag means "Syn", which is a connection request. I also get ICMP (Type:8), which is an ICMP echo request.
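To make the flag and type decoding above concrete, here is an added example (not code from the thread or from Zone Alarm) that parses firewall log lines, translates the TCP flag letters and ICMP type numbers into their meanings, and tallies the inbound entries per source. The CSV-like line layout and the sample lines are constructed for this example and only approximate a Zone Alarm log; the field names, regexes and functions are this example's own.

```python
import re
from collections import Counter

# What the flag letters and ICMP type numbers in a personal-firewall log mean
# (TCP flag names per RFC 793, ICMP types per RFC 792).
TCP_FLAGS = {
    "S": "SYN: connection request",
    "A": "ACK: acknowledgement",
    "F": "FIN: close connection",
    "R": "RST: reset",
    "P": "PSH: push data",
    "U": "URG: urgent pointer set",
}
ICMP_TYPES = {
    0: "echo reply",
    3: "destination unreachable",
    5: "redirect",
    8: "echo request (ping)",
    11: "time exceeded",
}

# Constructed sample lines in a Zone Alarm-like CSV layout (an approximation for
# this example, not a real capture): direction, date, time, source, destination, detail.
SAMPLE_LOG = """\
FWIN,2003/09/25,01:53:10 -5:00 GMT,192.0.2.10:3421,203.0.113.5:135,TCP (flags:S)
FWIN,2003/09/25,01:53:12 -5:00 GMT,192.0.2.10:3422,203.0.113.5:4444,TCP (flags:S)
FWIN,2003/09/25,01:55:00 -5:00 GMT,198.51.100.7,203.0.113.5,ICMP (type:8/subtype:0)
FWIN,2003/09/25,01:56:03 -5:00 GMT,10.18.200.1:67,255.255.255.255:68,UDP
FWOUT,2003/09/25,01:57:44 -5:00 GMT,203.0.113.5:1044,198.51.100.9:80,TCP (flags:SA)
"""

LINE_RE = re.compile(r"^(FWIN|FWOUT),([^,]*),([^,]*),([^,]*),([^,]*),(.+)$")
FLAGS_RE = re.compile(r"TCP \(flags:([A-Z]+)\)")
ICMP_RE = re.compile(r"ICMP \(type:(\d+)")


def parse_line(line):
    """Parse one log line into a dict with a human-readable 'meaning', or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    direction, _date, _time, src, dst, detail = m.groups()
    rec = {"direction": direction, "src": src, "dst": dst,
           "proto": detail.split()[0]}
    flags = FLAGS_RE.search(detail)
    icmp = ICMP_RE.search(detail)
    if flags:
        rec["flags"] = flags.group(1)
        rec["meaning"] = "; ".join(
            TCP_FLAGS.get(c, c + ": unknown flag") for c in rec["flags"])
    elif icmp:
        rec["icmp_type"] = int(icmp.group(1))
        rec["meaning"] = ICMP_TYPES.get(rec["icmp_type"], "other ICMP type")
    else:
        rec["meaning"] = rec["proto"] + " (no flag/type field)"
    return rec


def host_of(endpoint):
    """Strip an optional ':port' from 'addr' or 'addr:port'."""
    return endpoint.rsplit(":", 1)[0] if ":" in endpoint else endpoint


def summarize(log_text):
    """Tally inbound events by meaning and record which local ports each source SYN'd to.

    One source sending SYNs to several different local ports, or an echo request
    from a host you never contacted, is the kind of entry worth a second look.
    """
    by_meaning = Counter()
    syn_ports_by_source = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["direction"] != "FWIN":
            continue
        by_meaning[rec["meaning"]] += 1
        if rec.get("flags") == "S":
            syn_ports_by_source.setdefault(host_of(rec["src"]), set()).add(
                rec["dst"].rsplit(":", 1)[1])
    return by_meaning, syn_ports_by_source


if __name__ == "__main__":
    meanings, syns = summarize(SAMPLE_LOG)
    for meaning, n in meanings.most_common():
        print(f"{n:3d}  {meaning}")
    for src, ports in syns.items():
        print(f"SYNs from {src} to local ports {sorted(ports)}")
```

Only inbound (FWIN) lines are counted, since the outbound SYN/ACK in the sample is the local machine's own traffic; a bare SYN from outside is the unsolicited connection attempt the post describes.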
September 25th, 2003, 02:42 AM
Limpster, your ICMP(Type:8), also known as an isolated ping, is most likely a Welchia or Msblaster trying to contact you from someone's computer in your area.
September 25th, 2003, 02:57 AM
The only thing on my log recently is an incoming UDP from 10.18.200.1, type 67, trying to resolve itself to 255.255.255.255:68. I haven't figured out what that is from yet, but it just started yesterday, and has been hitting about every 10 minutes.
My spy detectors are not picking up anything, nor is my antivirus. Anybody have any ideas what that may be?
September 25th, 2003, 03:42 AM
groovicus, that would be the bootp protocol passing on to your machine your DHCP info...
September 25th, 2003, 04:41 AM
Thank you SoggyBottom. Ok, it's the boot protocol, I understand that. What I'm failing to understand (big surprise) is why from that location? My IP is not even close to that range. Judging by your response though, it's nothing I should pay attention to.
September 25th, 2003, 04:46 AM
groovicus: bootp will use the broadcast address if it doesn't know its correct address.
The broadcast address is 255.255.255.255
3. Packet Format
All numbers shown are decimal, unless indicated otherwise. The BOOTP packet is enclosed in a standard IP UDP datagram. For simplicity it is assumed that the BOOTP packet is never fragmented. Any numeric fields shown are packed in 'standard network byte order', i.e. high order bits are sent first.
In the IP header of a bootrequest, the client fills in its own IP source address if known, otherwise zero. When the server address is unknown, the IP destination address will be the 'broadcast address' 255.255.255.255. This address means 'broadcast on the local cable, (I don't know my net number)'.
Search for bootp for more info.
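As an added example (not part of the thread, and not a library's or the RFC's reference code), the following Python packs and decodes the fixed 300-byte BOOTP packet laid out in RFC 951 section 3, applies the addressing rule quoted above (source is the client's own address or zero, destination is the server or 255.255.255.255), and explains a UDP firewall-log entry such as groovicus's 67 to 255.255.255.255:68 in those terms. The function names, the hardware address and the transaction id are this example's own constructed values.

```python
import socket
import struct

# RFC 951 fixed-format BOOTP packet, fields in order with byte widths:
#   op(1) htype(1) hlen(1) hops(1) xid(4) secs(2) unused(2)
#   ciaddr(4) yiaddr(4) siaddr(4) giaddr(4) chaddr(16) sname(64) file(128) vend(64)
# Numeric fields are in network byte order ("!" in the struct format string).
BOOTP_FMT = "!BBBBIHH4s4s4s4s16s64s128s64s"
BOOTP_LEN = struct.calcsize(BOOTP_FMT)  # 300 bytes
BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68       # UDP ports of the server and client sides
BROADCAST = "255.255.255.255"           # "broadcast on the local cable"
UNKNOWN = "0.0.0.0"                     # "zero" when the client doesn't know its address


def build_bootrequest(chaddr, xid, ciaddr=UNKNOWN):
    """Build a client bootrequest; ciaddr stays 0.0.0.0 when the client has no address yet.

    chaddr is the raw hardware address; htype 1 / hlen 6 is Ethernet as in RFC 951.
    """
    return struct.pack(
        BOOTP_FMT, BOOTREQUEST, 1, len(chaddr), 0, xid, 0, 0,
        socket.inet_aton(ciaddr), b"\0" * 4, b"\0" * 4, b"\0" * 4,
        chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128, b"\0" * 64)


def parse_bootp(data):
    """Decode the fixed 300-byte header into a dict; raise ValueError on a short packet."""
    if len(data) < BOOTP_LEN:
        raise ValueError("BOOTP packet truncated: %d bytes" % len(data))
    f = struct.unpack(BOOTP_FMT, data[:BOOTP_LEN])
    return {
        "op": f[0], "htype": f[1], "hlen": f[2], "hops": f[3],
        "xid": f[4], "secs": f[5],
        "ciaddr": socket.inet_ntoa(f[7]), "yiaddr": socket.inet_ntoa(f[8]),
        "siaddr": socket.inet_ntoa(f[9]), "giaddr": socket.inet_ntoa(f[10]),
        "chaddr": f[11][:f[2]].hex(),
    }


def request_ip_endpoints(pkt, server_ip=None):
    """RFC 951 addressing for a bootrequest: source = ciaddr (zero if unknown),
    destination = the server if its address is known, else the broadcast address."""
    if pkt["op"] != BOOTREQUEST:
        raise ValueError("not a bootrequest")
    return (pkt["ciaddr"], CLIENT_PORT), (server_ip or BROADCAST, SERVER_PORT)


def classify_bootp_log(src_ip, src_port, dst_ip, dst_port):
    """Explain a UDP firewall-log entry in BOOTP/DHCP terms, or return None if it isn't one."""
    if (src_port, dst_port) == (SERVER_PORT, CLIENT_PORT):
        why = "BOOTP/DHCP reply from server or relay %s" % src_ip
        if dst_ip == BROADCAST:
            why += ", broadcast on the local segment (client had no address to reply to)"
        return why
    if (src_port, dst_port) == (CLIENT_PORT, SERVER_PORT):
        why = "BOOTP/DHCP request from client %s" % src_ip
        if src_ip == UNKNOWN:
            why += " (client does not yet know its own address)"
        if dst_ip == BROADCAST:
            why += ", broadcast because the server address is unknown"
        return why
    return None


if __name__ == "__main__":
    req = build_bootrequest(bytes.fromhex("001122334455"), xid=0x1234)  # constructed MAC and xid
    pkt = parse_bootp(req)
    print(pkt)
    print(request_ip_endpoints(pkt))
    print(classify_bootp_log("10.18.200.1", 67, "255.255.255.255", 68))
```

Port pairs alone identify the exchange: 67 to 68 is a server reply, 68 to 67 a client request, and the all-ones destination is the limited broadcast the RFC describes, which is why the entry in the log shows up addressed to 255.255.255.255 rather than to the machine's own address.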