How to tell if a firewall alert is suspicious or not

How can I tell if a Sygate firewall alert is suspicious or not?
For example, I received this message from Sygate just now:
Sygate Personal Firewall:
Firefox (firefox.exe) is being contacted from a remote machine
[206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
Do you want to allow this program to access the network?
How can I tell if this is suspicious or not?
Reply to
Gerard Schroeder
Loading thread data ...
"Gerard Schroeder" wrote in message > Firefox (firefox.exe) is being contacted from a remote machine
Look at your TCP/IP configuration. Isn't that your SBC DNS server?
nf
Reply to
nutso fasst
There are ways you can research these things... however, you will get so many of these alerts, and it is so fruitless to research them all, that I strongly recommend you consider a firewall configuration that does not alert you all the time with these things. Having a firewall ask the user to make decisions is a security accident waiting to happen, and is also a significant consumption of your time.
If and when you do want to research these things, you should look up what the remote IP address is, for example starting with the DNS name lookup and whois lookup at
formatting link
[which also gets the DNS name and a lot of other things] or
formatting link
to find out what that IP address is and whether you or your computer could have had reason to contact it. This IP is named dns1.snfcca.sbcglobal.net, which is a big hint that suggests this is probably normal.
It's also useful to know what the protocol [e.g. TCP] and remote port number is... the firewall alert below didn't seem to tell you, which is really dumb. If the remote port was, say, TCP 80 or UDP 53, then that gives you some level of assurance that this is a response to something your computer requested. There is no such thing as "port 1258." There's TCP port 1258, and UDP port 1258. Any firewall that doesn't know that this is important information is dumb [although I generally like Sygate].
A really smart firewall would let you inspect the TCP flags and contents of the incoming packet, but I guess that's too much to ask.
Reply to
Karl Levinson, mvp
You make good points, and I really like your nwtools.com and netsol.com suggestions.
However, to expect the average user to understand what the different protocols are, what they do, and what ports are used for what, is a bit over the top. Like you hinted at, the firewall responses to incoming and outgoing packets should be as automated as possible for the average user.
And, yes, it is a bit too much to ask your firewall to let you inspect the packets. 99% of the users wouldn't have a clue anyway. And if you're competent enough to know what to look for, and have the time, then you're going to have to invest a bit more than fifty bucks for the privilege of doing so.
Since so many users don't even HAVE a decent software firewall installed, this poster is at least making an attempt to protect his system - I commend him for that!
Reply to
null
You can't. This is, why such messages are nonsense. BTW, they're useless, too, because also Sygate cannot prevent "phoning home" from malicious programs anyway, as my simple POC here shows:
formatting link
Yours, VB.
Reply to
Volker Birk
You made a good point about the inability to give good advice on how to respond, when we know nothing about his network or applications.
However, to tell him to trash the software firewall and rely strictly on a router is simply bad advice.
Unless the router performs stateful packet inspection and is highly configurable, etc., etc., etc., then the router alone will not be providing sufficient protection.
His use of a software firewall is not unreasonable, and your advice to get rid of it is unwise.
Reply to
null
That's for you to determine by using a link like to one below and entering the IP into the WhoIs search box and finding out of the IP is dubious or not.
formatting link
However, the above is one of the problems with personal FW solutions with features that try to control programs on the machine as they confuse the end-user as they whine about nothing.
Duane :)
Reply to
Duane Arnold
....
I thank you for your detailed suggestions summarized below as: 1. There exists innocent common connections reported by the firewall 2. We can find the NAME of the IP address contacting us for clues 3. The content of the incoming packet may contain clues
Regarding the first interesting comment above: - Is there a site where all the common innocent connections are listed? - I searched (before I posted) and did not find one (but it may exist). - If not, I don't mind starting a list (in this post perhaps?).
Regarding looking up the NAME of the IP address: - WHY would my DNS provider suddently connect (this does not happen often)? - I keep a list of the common contact requests & this isn't one of them. - I said NO to the request & I don't see negative consequences.
Regarding the content of the incoming packets: - Sygate Personal Firewall 5.6 provides a Yes/No/Details response - The DETAILS button gives more information (cryptic to me, a novice). - Again I wonder if there is a list of known non-dangerous contacts.
For we novices who still desire basic firewall protection, it would be nice to refer to a list of known generally non-dangerous requests to accept. I'll post separately (as it's slightly OT) the list I maintain of what I THINK are innocent requests (but I'm not sure) that I get every day so as to START this desired list (if it doesn't exist already).
The particular message I posted from my DNS server does NOT happen often so that is what startled me.
Reply to
Gerard Schroeder
Using DHCP, I don't specify a DNS server so I'd have no clue if that truly was my DNS server ... but I maintain a list of daily requests and this is NOT one of them.
So, why, all of a sudden, would my DNS server be contacting me, out of the blue. And, why, does my network still (apparently) work even though I said NO to the request?
What would be nice is for users to post (and for experts to doublecheck) what they consider to be innocuous requests uninitiated by them which appear in their yes/no request list from Sygate.
I am willing to START that list of what appears to be common innocuous requests (for expert review).
Here is my list of common requests not explicitly initiated by me which my Sygate Personal Firewall seems to report daily so that others may consult it before accepting or rejecting a Sygate Personal Firewall request to allow access:
NDIS User mode I/O Driver (ndisuio.sys) has received a Multicast packet from the remote machine [192.168.0.1]. Do you want to allow this program to access the network?
NDIS Filter Intermediate Driver (eacfilt.sys) has received a Multicast packet from the remote machine [192.168.0.1]. Do you want to allow this program to access the network?
NDIS Filter Intermediate Driver (eacfilt.sys) is trying to broadcast to [192.168.0.255] using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over TCP/IP). Do you want to allow this program to access the network?
NDIS User mode I/O Driver (ndisuio.sys) has received a Broadcast packet from the remote machine [192.168.0.100]. Do you want to allow this program to access the network?
Firefox (firefox.exe) is being contacted from a remote machine news.google.com [216.239.37.147] using local port 1615 (NETBILL-AUTH - NetBill Authorization Server). Do you want to allow this program to access the network?
Firefox (firefox.exe) is being contacted from a remote machine [206.13.28.12] using local port 1258 (OPENNL - Open Network Library). Do you want to allow this program to access the network?
Generic Host Process for Win32 Services (svchost.exe) is trying to connect to [207.46.157.60] using remote port 443 (HTTPS - HTTP protocol over TLS/SSL). Do you want to allow this program to access the network?
Generic Host Process for Win32 Services (svchost.exe) is trying to connect to time.windows.com [207.46.130.100 using remote port 123 (NTP - Network Time Protocol). Do you want to allow this program to access the network?
Firefox (firefox.exe) is being contacted from a remote machine [80.237.203.14] using local port 4503 Do you want to allow this program to access the network?
Reply to
Gerard Schroeder
The packet filter/personal FW solution is in serious whine mode asking the end-user unnecessary questions that the average home user just doesn't understand.
If the user's machine was sitting behind a simple NAT router for the protection and not running the PFW solution on the machine, none of the ridiculous authorization questions the end-user is dealing with would be asked.
Duane :)
Reply to
Duane Arnold
Without knowing what you were doing at the time, what applications you need to run, how your network is configured, if you indeed have a network and a host of other detail, there is no way of knowing. There is no 'correct' answer.
Example:- Generic Host Process for Win32 Services (svchost.exe) is trying to connect to time.windows.com [207.46.130.100 using remote port 123 (NTP - Network Time Protocol). Do you want to allow this program to access the network?
Well I might want to allow that because I want my clock to synchronise to time.windows.com but you may not want to use that server preferring uk.pool.ntp.org which is on a round robin DNS which will respond from a different server each time giving rise to yet another problem and so on and so on...
Ditch the stupid software and get a router.
Reply to
Mike
No!! Novices do not have the knowledge as you so patently demonstrate. You need a hardware firewall like the ones built into Zyxel routers etc. Tick the box that says enable firewall and just get on with using your computer without all the silly pointless and misleading popups from your software firewall.
If you had a router you would not have seen it or been startled plus you would have been protected.
Reply to
Mike
Dunno, and wish one of the experts had answered that. But DHCP simply assigns YOU an IP address, it doesn't eliminate the need for DNS. And you will have at least one alternate DNS server.
NDIS messages from 192.168.x.x suggest you have a wireless NAT router and your firewall is responding to messages from it. (Surely you are behind some kind of NAT, ICS perhaps.) If you're not using a wireless network, disable wireless configuration service.
As for such terms as HTTPS, SSL and NTP, Google them (and NAT, if necessary) and expand your understanding. HTTPS means you're connecting to a secure website.
You're suggesting the compilation of what could be an ever-expanding database of mostly-irrelevant details. Seems to me time would be better spent becoming more of an expert. Your choice of firewall apparently demands it.
Sygate has a product forum. Air your concerns there. Those dialogs are too obscure for "even inexperienced users" unwilling to spend time researching them.
nf
Reply to
nutso fasst
Firefox is a browser of the Mozilla. then, you can do the command line: tracert 206.13.28.12 and to know what/where this IP (or any) is, if it really works....
alf
Reply to
alfranze
No. It's a very good advice. Also he could use the Windows-Firewall.
The "Personal Firewalls" we tested all were terribly incompetently implemented. I doubt, that with a "Personal Firewall" he will be secure in any way.
The opposite is true.
Yours, VB.
Reply to
Volker Birk
Yes.
I don't know one. And I think, this will not be possible. There are too many possibilities for these. Why using a "Personal Firewall" at all, which is showing useless Popups?
There may be many reasons for this.
The point is, that this is a b0rken concept to ask the only person, who for sure does not know what to do here - you, the user.
It's OK, that not everybody is a networking expert. A good security solution has to work _without_ asking the user.
Why not using the Windows-Firewall and not having such problems?
Yours, VB.
Reply to
Volker Birk
Do you have another computer on your internal network with that specific IP address? Is that computer allowed to connect to the Internet via your computer?
Reply to
Bruce Chambers
I have DSL going to a D-Link just like everyone else.
Is this D-Link wired and wireless transmitter the "NAT Router" you bespeak of?
Reply to
Gerard Schroeder
Sorry about not being specific. I already pared the list down to those event which occur WITHOUT the users' explicit action. For example, I removed any request to/from the NNTP software which occur while using it. Likewise with POP3/SMTP clients, explicit actions from HTTP clients, etc.
The Sygate Personal Firewall software has the ability to "remember" a decision so the user, if they knew which to ignore, would not see those which make it into the innocuous list. That is mainly why I ask.
Again, I should have noted, I never explicitly told the Windows XP machine to synchronize the time so that is why this unasked for request made it onto the posted listing. Said another way, if I KNEW I had explicitly asked WinXP to synchronize the time, I would have removed that request from the list (by telling Sygate Personal Firewall to simply accept all of those requests in the future).
Isn't the D-Link wired and wireless box connected to the DSL modem a "router"?
Reply to
Gerard Schroeder
I'm confused whether the D-Link wired and wireless box I have connected to the DSL modem is considered the "router" you bespeak of. Is it?
Reply to
Gerard Schroeder

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.