Firewall alerts...how do you proceed?

[Blunted One]

Since we upgraded our firewall and I set the logs to be sent to me every day I have a noticed a few IPs that keep coming up in the logs. They seem to be port scans and TCP syn/fin packets that are dropped.

Some examples are...

TCP Syn/Fin packet dropped - 82.212.73.154, 32459, WAN

IP spoof dropped - 172.191.116.174, 8, LAN - 172.190.12.34, 512, WAN

Possible port scan dropped - 66.64.57.66, 80, WAN - **.**.**.***, 5445, WAN - TCP scanned port list, 5433, 5433, 5433, 5433, 5433

ASPACK packed executable file blocked - 85.102.255.189, 16853,

MEW11 SE packed executable file blocked - 195.60.180.75, 2016, WAN

and so on.

Should I do anything about this? I have run some lookups and find that these come from different places and companies throughout the US and world. Is this normal...should I send emails or call these companies informing them to stop with the scans and such? What are they trying to do? SPAM? VIRUS? Break into our company?

Thanks for any advice you can give me as I am new to this firewall monitoring

[ShagDevil]

Blunted One,
The fact that your firewall is logging these events should provide you some reassurance that it's doing it's job. While I'm not entirely familiar with all the traffic your firewall is stopping, I will say that as long as it's not coming from inside your own network, you should be fine.
I can't sit here and say what's good and bad and indifferent simply because I don't know what programs you use, nor what type of typical traffic that occurs on your network.
Surely someone here can elaborate on the types of traffic you are getting in your logs. As for doing lookups on IP's, you really never know what you're getting into. It could be a zombie machine, someone connecting through a proxy, some guy on the street using an open wi-fi network. And while you think you may be emailing a hacker, you might just be emailing Mrs Smith who will have no clue what the hell you're talking about because her computer is hijacked with some virus/spyware and she doesn't know.
I'd continue on your course of action and just keep monitoring your logs and make sure you don't have any unwanted traffic coming from inside your network.

[cheyenne1212]

As ShagDevil said, as long as your seeing this in your logs, this means your Firewall appliance is working.


Anytime you have a device connected to the public network, your gonna see this type of stuff.


Most of the time sending emails to these companies about port scans and what not is just a waste of time....if you ever get continous repeated attacks from the same IP that might be worth reporting to the appropriate company assocated with that IP, but overall a port scan is similiar to casing a place....its not illegal to look, but its illegal to come inside without permission.


Also from what I can tell,

ASPACk and MEW11 SE are prgrams that compress files to make them easier to transport. They're suppose to help network load time.

I wouldn't worry to much about those.

All the other entries there is going to be what you see on a dail basis when monitoring a Firewall.

[yuris]

Its normal that you get that kind of logs since you are on internet. But what i would do is, install a sniffer behind your firewall and monitor all connections, and check for intrusion, or you can use snort for instrusion detection, log it all, and if you get an instrusion, send it to your ISP to check the IP first, it could be hijaked or a proxy, if not hijaked im not sure if it is legal for the ISP monitor that IP activity, but you could allways ask.

[slarty]

You COULD find the netblock owner, and send a message to abuse@ them.

However, it's extremely unlikely they would do anything, and you'd expend a lot of effort.

There is a 99.9% chance that it is a worm probing your IP address for a vulnerable service anyway, so it's not the fault of the machine owner (at least, not through malice, only negligence)

Slarty