Strange TCP Rule

Ms. M:

Quote:

---

allowing a certain IP to establish a TCP connection

---

I think the important word is establish. If this were replies from requests for ads the rule would not be required because the session would have already been established from Byte's machine. This is clearly a system to allow Symantec to connect to anyone's box anywhere, at any time.

Frankly it's a Sin..... Spoofed packets with the IP spoofed to the Symantec address, (which is clearly easy to find), could be used to activate all kinds of stuff on any port.....

Personally, I would uninstall Symantec's product and use something I could trust.

hey MsMittens , i dont think thats the case here, because there is no instance in the LOG's or sniffer capture's (Ethereal) of an instance where MSN messanger is trying to connect to any port or remote computer. But i keep getting my alerts as usual saying this IP is connecting to MSN messanger. for a security measure i scanned my PC at housecall and also by spy-bot but nothing is wrong. I would like to know 2 things can i share the IP here (i mean is it permitted). and the "strange" part is even though i get alerts i dont have any record of them in the Norton Firewall Log's on the otherhand the firewall record that MSN messanger tried to access online but was restricted. ill submit the ethereal log's in my next post.

I'm guessing that the IP is pretty freely available already.... All you need to do is look in the new rules and there it is.... I wouldn't post it here though just yet... No point making it even easier for people to find.

The reason you are getting the alerts is that you added that. The rule is probably like a "pass" rule in Snort that ignore the activity altogether. They don't want you to see their connections to you.

Frankly this is beginning to stink.

Make sure you remove your IP from both the decimal and the Hex of the Ethereal dump before you post it unless you really want to test Symantec's product..... ;)

Hi, well i am not at all good in ethereal filters so i am not going to post the capture file unless some one tells me how to remove my IP completely (i am sorry to be so paranoid and dumb). anyway i went through my windows firewall and i have about 10 entries of that IP but i am not ssure if it will serve any purpose. If i have the go ahead ill post the file. or should i remove the IP and just give you any details about connection which i am sorry to say is not much. you all know how windows log's work and how "protective" is windwos ICF.

hey guys i let Ethereal run for about half an hour, i see all IP address in it i communicated with EXCEPT THE ONE THAT IS CAUSING THE ALERTS. I KNOW THIS IS "NOT POSSIBLE" but any idea. and also i received 23 alerts.

use the filter

src host xxx.xxx.xxx.xxx

where the xxx.xxx.xxx.xxx is the IP address of Symantec in the rule

Shark i get an error saying "host was unexpected in this context". like i said it is not there is the list. very very unusual.

What version of Ethereal are you using?

I have 0.10.2 with WinPCap 3.01 Alpha on Win2k SP4 all patches and it works just fine... Of course I'm not getting any traffic because I don't have the Symantec product you have.

It's also not an error message I've ever seen before in Ethereal. I regularly get messages that say "Invalid Capture Filter" when I have a typo but not this one...... I can't even find a reference to it on Google.

I'm wondering if Symantec hasn't put some kind of filter on your machine to prevent it ever showing up....

One question I have to ask now.......

Is this a legal copy bought from a reputable vendor and installed from trustable media? It's kind of important to be sure of that right now..... ;)

ByTeWrangler, I have a Platinum support contract with Symantec. If you want to PM me the IP address, I can check the Platinum Knowledge Base to see if there is an explanation there.


Cheers:

Hey i use Ethereal v 0.10.5a with WinPcap v 3.1 beta 3. and i use this on WInXP with SP1 and portion of SP2.