Like most of us who are new to firewalls [me] and have only been using them for a while, we always seem to have dumb looks on our faces when we look at our firewall logs and see:

[Zone Alarm Log File Example]
[I.P. numbers were changed ...]

FWIN,2003/11/21,02:17:54 -5:00 GMT,245.22.333.33:0,256.34.56.88:0,ICMP (type:8/subtype:0)
FWIN,2003/11/21,02:21:36 -5:00 GMT,234.34.456.45:0,234.33.345.00:0,ICMP (type:8/subtype:0)
FWIN,2003/11/21,02:23:06 -5:00 GMT,245.45.456.678:0,234.56.678.45:0,ICMP (type:8/subtype:0)
FWIN,2003/11/21,02:24:12 -5:00 GMT,267.45.567.56:0,245.456.678.67:0,ICMP (type:8/subtype:0)
PE,2003/11/21,02:30:16 -5:00 GMT,Outlook Express,167.345.678.45:53,N/A

Have you ever wanted to know what all these numbers and funny-looking names mean ... Well, while doing some searching on the net I stumbled upon this webpage:

http://www.robertgraham.com/pubs/firewall-seen.html
"This document explains what you see in firewall logs, especially what port numbers means. You can use this information to help figure out what hackers/worms are up to.

This document is intended for both security-experts maintaining corporate firewalls as well as home users of personal firewalls."
Well, I thought that I would share this info with you guys, and I hope that it helps many of you to better understand all that cryptic info recorded by your firewalls that a lot of us just don't quite fully understand.

The document is titled "FAQ: Firewall Forensics (What Am I Seeing)".

Also on this website there are 3 other FAQs, and they are as follows:

IDS FAQ:http://www.robertgraham.com/pubs/net...detection.html

"All about network intrusion detection systems, how to sniff intruder's traffic from the wire and figure out if the traffic is hostile."
Sniffing FAQ:http://www.robertgraham.com/pubs/sniffing-faq.html

"General information on how to sniff traffic from the wire, including a guide on how to interpret what the bits/bytes mean."
Firewall Pr0n FAQ:http://www.robertgraham.com/pubs/firewall-pr0n.html

"System administrators of all types, but especially firewall admins and IDS admins, see the trails of porn surfing. Mostly, it's just more embarrassing for the parties involved."

If any of you know of any other websites, documents etc. ... please feel free to add the links so that we can all gain more understanding and knowledge.
This is a list of sites that I think are worth checking ... I would have posted more links, but I know that some people would probably not like that. I hope that you find these links as useful as I have.
http://www.counterpane.com
http://www.snort.org
http://www.wilders.org
http://www.blackhat.com
http://www.linuxquestions.org
http://www.packetstormsecurity.nl
http://www.insecure.org
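The ZoneAlarm log lines quoted at the top of the post, parsed into something readable, as an added example that is not from the post or from robertgraham.com. It assumes the first column means FWIN = inbound blocked, FWOUT = outbound blocked and PE = a program using the network (check against your ZoneAlarm version), and the sample log is constructed with RFC 5737 documentation addresses.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout quoted in the post. Addresses are RFC 5737
# documentation ranges (192.0.2.0/24, 198.51.100.0/24), not real hosts.
SAMPLE_LOG = """\
FWIN,2003/11/21,02:17:54 -5:00 GMT,192.0.2.10:0,198.51.100.5:0,ICMP (type:8/subtype:0)
FWIN,2003/11/21,02:21:36 -5:00 GMT,192.0.2.10:0,198.51.100.5:0,ICMP (type:8/subtype:0)
FWIN,2003/11/21,02:25:00 -5:00 GMT,192.0.2.11:4444,198.51.100.5:135,TCP (flags:S)
PE,2003/11/21,02:30:16 -5:00 GMT,Outlook Express,198.51.100.53:53,N/A
"""
# First-column meanings as ZoneAlarm uses them (assumption; check your version).
EVENT_KINDS = {"FWIN": "inbound blocked", "FWOUT": "outbound blocked", "PE": "program used network"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request (ping)", 11: "time exceeded"}
PORT_NAMES = {53: "dns", 80: "http", 135: "msrpc", 139: "netbios-ssn", 445: "microsoft-ds"}

@dataclass
class Event:
    kind: str        # expanded first column
    when: str
    source: str      # "ip:port" for FWIN/FWOUT, program name for PE
    dest_ip: str
    dest_port: int
    transport: str   # protocol column, ICMP type expanded to words

def _transport(text: str) -> str:
    m = re.match(r"ICMP \(type:(\d+)/subtype:(\d+)\)", text)
    if not m:
        return text  # TCP/UDP columns pass through unchanged
    return f"ICMP type {m.group(1)} ({ICMP_TYPES.get(int(m.group(1)), 'other')})"

def parse_line(line: str) -> Event:
    kind, date, clock, src, dst, transport = line.strip().split(",", 5)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Event(EVENT_KINDS.get(kind, kind), f"{date} {clock}", src,
                 dst_ip, int(dst_port), _transport(transport))

def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def describe(ev: Event) -> str:
    """Plain-English one-liner, naming well-known destination ports."""
    svc = PORT_NAMES.get(ev.dest_port, str(ev.dest_port))
    return f"{ev.when}: {ev.kind}: {ev.source} -> {ev.dest_ip}:{svc} [{ev.transport}]"

def ping_sources(events: list) -> dict:
    """Count ICMP echo requests per source host (repeated pings from one address)."""
    return dict(Counter(ev.source.rsplit(":", 1)[0] for ev in events
                        if ev.transport.startswith("ICMP type 8")))
```

Run `for ev in parse_log(SAMPLE_LOG): print(describe(ev))` to get one readable line per event; `ping_sources` shows which addresses keep pinging you, which in a home firewall log is usually the most common pattern.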