Firewall log forensics

  #1 · Senior Member · Join Date: Aug 2003 · Posts: 1,019

    Firewall log forensics

    Tigershark had a thread earlier today about some unusual activity, and I didn't have time to reply... I can't find the thread anymore... :shrug:

    I found a few links for the newer members (myself included) that will hopefully help to explain a little about what is going on with the logs.

    http://www.robertgraham.com/pubs/firewall-seen.html

    http://www.counterpane.com/log-analysis.html

    http://navigators.com/firewall.html

    And for a little help understanding terms with which we may not be familiar:

    http://www.webopedia.com/

    If somebody already posted these, please accept my apologies, I hadn't seen them here yet.

  #2 · Senior Member · Join Date: Jan 2003 · Posts: 220
    Yeah, on my Zone Alarm the most common activity I get is usually a TCP packet (Flag:S). The S flag means "SYN", which is a connection request. I also get ICMP (Type:8), which is an ICMP echo request.

  #3 · Senior Member · Join Date: Sep 2003 · Posts: 279
    Limpster, your ICMP(Type:8), also known as an isolated ping, is most likely a Welchia or Msblaster trying to contact you from someone's computer in your area.

  #4 · Senior Member · Join Date: Aug 2003 · Posts: 1,019
    The only thing on my log recently is an incoming UDP from 10.18.200.1, type 67, trying to resolve itself at 255.255.255.255:68. I haven't figured out what that is from yet, but it just started yesterday, and has been hitting about every 10 minutes.

    My spy detectors are not picking up anything, nor is my antivirus. Anybody have any ideas what that may be?

    Cheers!

  #5 · Senior Member · Join Date: Jan 2002 · Posts: 371
    groovicus, that would be the BOOTP protocol passing your DHCP info on to your machine...
    SoggyBottom.

  #6 · Senior Member · Join Date: Aug 2003 · Posts: 1,019
    Thank you SoggyBottom. OK, it's the boot protocol, I understand that. What I'm failing to understand (big surprise) is why from that location? My IP is not even close to that range. Judging by your response, though, it's nothing I should pay attention to.

  #7 · phishphreek (AO übergeek) · Join Date: Jan 2002 · Posts: 4,325
    groovicus: BOOTP will use the broadcast address if it doesn't know its correct address.
    The broadcast address is 255.255.255.255. From RFC 951:

    3. Packet Format

    All numbers shown are decimal, unless indicated otherwise. The BOOTP
    packet is enclosed in a standard IP [8] UDP [7] datagram. For
    simplicity it is assumed that the BOOTP packet is never fragmented.
    Any numeric fields shown are packed in 'standard network byte order',
    i.e. high order bits are sent first.

    In the IP header of a bootrequest, the client fills in its own IP
    source address if known, otherwise zero. When the server address is
    unknown, the IP destination address will be the 'broadcast address'
    255.255.255.255. This address means 'broadcast on the local cable,
    (I don't know my net number)' [4].
    Source: ftp://ftp.rfc-editor.org/in-notes/rfc951.txt

    http://www.rfc-editor.org/rfcsearch.html

    Search for "bootp" for more info.
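A small classifier for the kinds of entries discussed in this thread (TCP Flag:S, ICMP Type:8, and the UDP 67 -> 255.255.255.255:68 traffic groovicus asked about), as an added example that is not code from any poster. The log layout, addresses and labels are constructed for illustration and are not ZoneAlarm's real format.

```python
"""Label constructed firewall log lines of the kinds discussed in this thread."""
import ipaddress
import re

BROADCAST = ipaddress.ip_address("255.255.255.255")
UNSPECIFIED = ipaddress.ip_address("0.0.0.0")

# Constructed sample log in a simplified "PROTO src -> dst extra" layout
# (not ZoneAlarm's real format); addresses are documentation/private ranges.
SAMPLE_LOG = """\
TCP 203.0.113.5:4411 -> 192.0.2.10:135 Flag:S
ICMP 203.0.113.77 -> 192.0.2.10 Type:8
UDP 10.18.200.1:67 -> 255.255.255.255:68
UDP 0.0.0.0:68 -> 255.255.255.255:67
UDP 198.51.100.9:1900 -> 239.255.255.250:1900
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?:\s+(?P<extra>\S+))?$"
)


def classify(line):
    """Return (proto, label) saying what one log line most likely is."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("?", "unparsed")
    proto, extra = m["proto"], m["extra"] or ""
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    sport, dport = m["sport"], m["dport"]
    if proto == "TCP" and extra == "Flag:S":
        return (proto, "SYN connection request to port %s" % dport)
    if proto == "ICMP" and extra == "Type:8":
        return (proto, "echo request (ping)")
    # RFC 951: a client that does not yet know its address sends from 0.0.0.0
    # to 255.255.255.255; a server may answer by broadcast as well, which is
    # why a reply from a server outside your own range still shows up.
    if proto == "UDP" and (sport, dport) == ("67", "68") and dst == BROADCAST:
        return (proto, "BOOTP/DHCP server reply broadcast on the local link")
    if proto == "UDP" and (sport, dport) == ("68", "67") and src == UNSPECIFIED:
        return (proto, "BOOTP/DHCP client request (address not yet known)")
    if dst.is_multicast:
        return (proto, "multicast to group %s" % dst)
    return (proto, "unclassified")


def classify_log(text):
    """Classify every non-blank line of a log and return the list of labels."""
    return [classify(ln) for ln in text.splitlines() if ln.strip()]


if __name__ == "__main__":
    for proto, label in classify_log(SAMPLE_LOG):
        print(proto, label)
```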
