How to tell if a firewall alert is suspicious or not

I am using a wireless D-Link (is that the router you speak of)?

I do run

formatting link
checks on all requests that the Sygate Personal Firewall pops up before putting the messages on the list of suspicious items. Also I don't put on the list messages which pop up from KNOWN events. For example, when I start the NNTP client, a message pops up which I tell the Sygate Personal Firewall program to accept forever (so that message only pops up once). Likewise with the web browser, email client, Microsoft Anti-Spyware update program, Windows Updater, Real Audio client, etc.

I only posted what I considered the unasked for messages (not the obvious ones).

Reply to
Gerard Schroeder

Generally I do two obvious things each time I get a NEW message.

  1. I run a reverse-IP address lookup at
    formatting link
  2. I search Google Groups for the exact message (often I find others have the exact same question, with the exact same message, and IP address).

Should I do more? I'm hoping others can find THIS THREAD, for example, when they get the messages I just posted and therefore they'd get the advice we all so desperately need.

Where would YOU go when you received any one of the messages previously posted when you didn't explicitly ask for that IP address to connect to you?

THAT's THE WHOLE POINT OF THIS THREAD! With Sygate Personal Firewall (and I suspect all software firewalls), you can tell the program to silently ignore and simply LOG all these connections! My question was really WHICH OF THESE WOULD YOU IGNORE?

Is there any other choice? These requests were made to my machine and I must respond to them. Of course, I could simply say "Accept All Requests" but that would be folly. The question really becomes two questions:

  1. Which of these common requests is truly something to ignore
  2. Of those which aren't ignorable, HOW DO NOVICES FIGURE THEM OUT?

I generally use

formatting link
but your suggestion of adding for
formatting link
or
formatting link
is valid. I did that, for example, with the DHCP server request. But, that really only tells me who owns the machine. It doesn't tell me WHY they would be contacting me. (Remember, that server only contacted me once and I have been using this same setup for years). So, why, all of a sudden, would a machine which purports to be a DNS server, be contacting me?

In defence of the Sygate Personal Firewall, there is a DETAILS button which spits out a huge amount of cryptic (to a novice) information about something called a "packet" so the remote port MIGHT be in that listing.

I could post the DETAILED information if it would help (caution, it's cryptic at best).

Reply to
Gerard Schroeder

Is the D-Link wireless/wired box connected to the DSL modem set up in the default configuration sufficient?

Or is there something ELSE I should purchase to get this "hardware firewall"?

I've been using this setup for more than a year and this is the FIRST time that particular server contacted me (for whatever reason). That is what startled me and made me suspicious.

Reply to
Gerard Schroeder

That's only HALF the answer. All it tells you is WHO made the request. That doesn't tell you if the request is valid.

For example, the posted DNS address has NOT contacted me ever in the more than a year that my DSL to D-LINK setup has been in existence. So, WHY should a machine which purports to be a DNS machine all of a sudden contact me today?

On the other hand, many of the requests happen every day all day. That STILL doesn't make them innocuous; it just makes them "probably" not suspicious. That would include, for example, the NDIS User mode I/O Driver, the NDIS Filter Intermediate Driver, the Generic Host Process for Win32 Services, etc. All I'm asking is for these events, none of which are explicitly user initiated, is it reasonable to tell the Sygate Personal Firewall to ACCEPT all these requests without complaint?

Reply to
Gerard Schroeder

Since NOBODY has mentioned the problem that this is only HALF the story, I wonder if I understand this correctly.

Knowing the machine "name" and "owner" is only HALF the story (isn't it)? The other half is for what PURPOSE did the machine contact my machine.

For example, when Adobe Acrobat 6.0 (Acrobat.exe) [206.13.31.12] contacts me on local port 1880 (VSAT-CONTROL - Gilat VSAT Control), I can find the name of the machine contacting me from

formatting link
as "dns1.scrmca.sbcglobal.net" ... but that does not tell me anything about WHY this SBCGlobal DNS server would be contacting Adobe Acrobat on port 1880 (whatever that port is for).

Knowing ONLY the name of the server contacting you, would YOU want to allow this program to access the network?

Reply to
Gerard Schroeder

Of course not!

If I had another machine on the same tiny home network with that IP address (which would be highly unlikely in a 192.168.0.XXX network), then I would NOT have posted that specific request in the list above as it would have been an obvious innocuous request.

Again, knowing the machine name & owner is only HALF the story. Actually, it's only 1/3 the story as the following is important:

  1. WHO is the owner of that machine?
  2. WHAT is the purpose of the port being used?
  3. WHY is that machine contacting me?

Is this information available somewhere?

Note that the WHO part is trivial to obtain, e.g., we can obtain that from:

formatting link
formatting link
formatting link
formatting link
but that doesn't tell us WHAT or WHY.

The WHAT part, albeit often highly technical, is not too very difficult to obtain, e.g., we can use any of the following which describe the ports:

formatting link
but that doesn't tell us WHY they contacted us.

The WHY part is the key question.

For example, WHY would dns1.snfcca.sbcglobal.net contact my machine on tcp/udp port 1258 named the Open Network Library?

The question becomes:

  1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
  2. HOW do we obtain possible REASONS for a machine contacting us on this port?

That advice was the purpose of the original question.

Reply to
Gerard Schroeder

Unfortunately, I don't know what a POC (point of contact?) is nor do I have a c compiler.

What does the breakout.c program do for us? Does it slip past the Sygate Personal Firewall somehow secretly and silently?

I think there are 3 parts to the problem, one of which is trivial, the other of which is technical, and the third of which is the crux of the matter:

  1. WHO is it that is contacting us (all agree this is trivial to obtain but nearly meaningless in many cases as it doesn't tell us WHAT they are doing when they contact us or WHY they are doing it).
  2. WHAT the machine is doing when it contacts us (I suspect this is explained somewhere on the Internet based on the port being contacted, but so far all I've found is the posted listings of a NAME and quick DESCRIPTION of the port used). This is INCOMPLETE information as merely knowing the name of a protocol doesn't always help to understand WHAT is occurring. Plus, I routinely DENY all these requests and my machine seems to work fine so what is it that it is doing anyway?
  3. WHY would the machine contact us on the specified port. I believe this is the crux of the question. My question to you experts is to ask if there is a good web site which would explain WHY any particular machine would be contacting us on any particular port. If we knew WHY, we could then decide whether to allow this connection or not.

For example, WHY would Adobe Acrobat 6.0 (Acrobat.exe) be contacted from an SBCGlobal DNS machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - Gilat VSAT Control)?

What could it possibly want? Why doesn't anything bad happen when I deny the request?

Reply to
Gerard Schroeder

Since the remote machine is gonna try to contact us anyway, wouldn't we have the same three problems no matter which personal firewall solution we used?

For example, if I used Windows XP Firewall, or ZoneAlarm (

formatting link
) or Kerio Personal Firewall (
formatting link
) or Sygate Personal Firewall (
formatting link
) or Outpost Firewall (
formatting link
) or whatever, WOULDN'T the offending machine STILL try to contact my machine?

And then, if it did, wouldn't we STILL have the THREE QUESTIONS:

  1. Who is trying to contact us?
  2. On what port are they trying to contact us?
  3. Why are they trying to contact us?

This seems, to me, to be such a common need for virtually every one of the millions of computer users out there, that the ANSWER to these three questions SHOULD be somewhere very easy to locate for us novice users?

I can't believe there is a single person out there on the Internet who doesn't have this very same problem. That's why it's so frustrating to me to not be able to find the all-important WHY information so desperately needed by millions of us users.

GS

Reply to
Gerard Schroeder

If Adobe Acrobat 6.0 (Acrobat.exe) is going to be contacted from a remote machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - Gilat VSAT Control), what would Windows Firewall do differently from what Sygate, ZoneAlarm, Kerio, Outpost, etc. would do?

Reply to
Gerard Schroeder

I don't expect the user to know that. But I expect the firewall to include that information in the error message, for situations like this one where the user copies and pastes the error message to their firewall support or to a newsgroup for assistance. Not having those details really cripples whoever is trying to help the user. If necessary, the vendor can hide this information under a "Details" button on the message, and put them into the log file for posterity.

Reply to
Karl Levinson, mvp

I do the same things I suggested in my post.

I think the best firewall configuration is one that doesn't give you any popups whatsoever. Corporate firewalls don't give the firewall administrator popups and ask him or her questions. They just work. The same thing is true of hardware firewalls used in homes. Firewalls should have just two situations: packets it knows are bad and it blocks without question, and everything else that it lets through.

Yes... I don't have the latest version of Sygate, but I believe most software firewalls have a configuration choice that does not cause any popups. If Sygate doesn't, there's also

formatting link
formatting link
both of which are free. If you are already protected by a hardware firewall, you may not really totally need that software firewall.

All of them.

The problem is all you've got is what the firewall tells you, and it hasn't told you everything you need to know. Very often, you will not be able to 100% determine the cause. You'll have to make a best guess, go with a gut feeling, and move on. Even professionals who monitor computer networks for intrusions do this as well.

Another possibly strategy would be to deny any packets you have questions about. If something breaks, then you know it was probably something you needed to allow. This is also the safest strategy.

I believe it is more likely that this was a reply to a connection your computer made. The reply took too long to come back, and your firewall stopped watching that connection, was surprised when the reply came back and considered it a new connection. DNS servers should never be contacting you. This situation can happen when you look up the IP address for a host name where the DNS server is troubled or down and does not respond, and the request times out 45 seconds or more later. It's happened to me.

Ah, that might help us a little. But I'm still leaning towards ignoring this one, moving on, and pursuing a silent firewall configuration.

Sure, go ahead.

Reply to
Karl Levinson, mvp

See my other post. More likely, this was a reply to your computer, but the reply took so long, your firewall wrongly considers this a new inbound connection. DNS especially does this due to having timeout values that are greater than the timeout values in many stateful firewalls.

It's not really that easy. If it was, someone would have done it already. One problem is that each firewall reports things in different ways. Another problem is that some Firefox traffic is good, and some might not be so good. These sorts of things are very variable and conditional. However, you can find some informative resources by searching

formatting link
for firewall-faq and also search for ids-faq. In particular, there are some good IDS FAQs on Robert Graham's web site [google says it's at
formatting link
but I can't get to that web site currently] and especially this, I strongly recommend reading this:

formatting link
By the way, you may want to sign up with a free service like
formatting link
or
formatting link
Those sites automatically report hacking attempts blocked in your firewall to the ISPs responsible, and they also let you see useful relevant information from other people's firewall logs, which helps you determine whether something is just hitting you or is hitting a lot of other people. You can't get that information any other way.

Reply to
Karl Levinson, mvp
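The timeout behaviour Karl describes in the two posts above (a DNS reply that arrives after the firewall has forgotten the outbound query, so it is reported as a new inbound connection) can be reproduced with a toy state table. This is an added example written for this thread; it is not Sygate code and not from any of the posters. The addresses, the 30 second timeout and the reply delays are constructed for illustration (206.13.31.12 is the address reported in the thread).

```python
"""Toy stateful packet filter for outbound UDP DNS, showing why a slow reply
gets reported as a new inbound connection.

Added example for this thread; not Sygate code and not from any poster.
Addresses, the 30 second timeout and the reply delays are constructed.
"""

LOCAL_IP = "192.168.0.2"        # assumed LAN address of the PC
RESOLVER_IP = "206.13.31.12"    # address reported in the thread
DNS_PORT = 53


class StatefulFilter:
    """State table keyed by (local port, remote ip, remote port).

    udp_timeout is how long an outbound UDP flow is remembered while no reply
    has arrived. 30 s is an assumed value; DNS resolvers can take longer than
    that when their upstream is slow, which is the failure mode discussed.
    """

    def __init__(self, udp_timeout=30.0):
        self.udp_timeout = udp_timeout
        self.table = {}     # flow key -> time the query went out
        self.log = []

    def outbound(self, local_port, remote_ip, remote_port, now):
        key = (local_port, remote_ip, remote_port)
        self.table[key] = now
        self.log.append(f"{now:5.1f}s OUT {LOCAL_IP}:{local_port} -> "
                        f"{remote_ip}:{remote_port} state created")

    def inbound(self, remote_ip, remote_port, local_port, now):
        """Classify an inbound UDP datagram as 'reply' or 'unsolicited'."""
        key = (local_port, remote_ip, remote_port)
        sent_at = self.table.pop(key, None)
        if sent_at is not None and now - sent_at <= self.udp_timeout:
            verdict = "reply"
        else:
            # No live state for this flow: the filter cannot tell a very late
            # reply from a remote host that simply decided to contact us, so
            # it reports both the same way and the popup appears.
            verdict = "unsolicited"
        self.log.append(f"{now:5.1f}s IN  {remote_ip}:{remote_port} -> "
                        f"{LOCAL_IP}:{local_port} {verdict}")
        return verdict


def run_scenario(reply_delay, udp_timeout=30.0, local_port=1258):
    """One DNS query sent at t=0 and answered after reply_delay seconds."""
    fw = StatefulFilter(udp_timeout)
    fw.outbound(local_port, RESOLVER_IP, DNS_PORT, now=0.0)
    return fw.inbound(RESOLVER_IP, DNS_PORT, local_port, now=reply_delay)


if __name__ == "__main__":
    for delay in (0.2, 45.0):
        print(f"reply after {delay:4.1f}s -> {run_scenario(delay)}")
    print(f"reply after 45.0s, 60s timeout -> {run_scenario(45.0, udp_timeout=60.0)}")
```

The same datagram is "reply" when it arrives inside the timeout and "unsolicited" when it arrives after it; only the firewall's memory of the query differs, not anything the DNS server did. Raising the UDP timeout (the third case) makes the late answer match again, which is why a silent block-and-log rule for such popups loses nothing: the resolver library gave up on that query long before the answer came back.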

Not specifically, but it qualifies. I'd OK the NDIS messages.

Unasked for... You weren't visiting a secure web page when you got the HTTPS message? Weren't looking at a PDF when the DNS server tried to contact Acrobat? That would be odd indeed. As for some of the others, is it possible a web page you were visiting pulled an advertisement or graphic from a different address? Have you looked at the relevant transactions in context in the firewall logs? Do you understand that local ports 1024-5000 are typically ones YOUR system uses to connect to a remote system? And that once a connection is made, the remote system communicates FROM the destination port TO the port your system has connected from?

Next time you get a prompt referring to any of those local ports, try opening a command prompt and typing 'netstat -a' and see if the port's currently connected to something. I suspect the references to 'Open Network Library' and 'NetBill Authorization Server' are bogus (pulled from the list of 'registered ports'). But then, I'm no expert.

Ask on the Sygate forum.

nf

Reply to
nutso fasst
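The check suggested in the post above (look at netstat when the popup appears and see whether the local port is one this machine is already using) can be done by hand, but it is easy to get wrong with a long socket list. The following is an added example written for this thread, not code from any firewall vendor: it parses a constructed sample of Windows XP 'netstat -an' output and classifies a popup by what the local port is doing. The alert values (local port 1880, remote 206.13.31.12) are the ones reported in the thread; the 1024-5000 dynamic range is the XP-era default the post mentions.

```python
"""Check a firewall popup against 'netstat -an' before deciding to allow it.

Added example for this thread, not code from any firewall vendor. The
netstat text is constructed to look like Windows XP output.
"""

EPHEMERAL = range(1024, 5001)   # XP-era default dynamic port range

# Constructed sample of 'netstat -an' on the PC at the time of the popup.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1880       206.13.31.12:53        ESTABLISHED
  TCP    192.168.0.2:1881       64.233.167.99:80       TIME_WAIT
  UDP    192.168.0.2:1258       *:*
"""


def parse_netstat(text):
    """Return one dict per socket line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        lip, lport = parts[1].rsplit(":", 1)
        fip, fport = parts[2].rsplit(":", 1)
        rows.append({"proto": parts[0], "lip": lip, "lport": int(lport),
                     "fip": fip, "fport": fport,
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def triage(proto, local_port, remote_ip, rows):
    """Explain a popup 'remote_ip -> local_port' using the socket table.

    Returns (verdict, reason). The verdict names what the local port is doing;
    the IANA name of the port (e.g. 'VSAT-CONTROL' for 1880) is irrelevant
    when the port is one this machine picked for an outgoing connection.
    """
    same_port = [r for r in rows if r["proto"] == proto and r["lport"] == local_port]
    for r in same_port:
        if r["fip"] == remote_ip:
            return ("reply-to-our-connection",
                    f"{proto} local port {local_port} is already connected to "
                    f"{remote_ip} ({r['state'] or 'UDP socket'}); the popup describes "
                    f"traffic on a connection this machine opened")
    for r in same_port:
        if r["state"] == "LISTENING" or (proto == "UDP" and r["fip"] == "*"):
            return ("local-socket-open",
                    f"a program on this machine holds {proto} port {local_port} and "
                    f"can receive from any address; use 'netstat -o' or Process "
                    f"Explorer to see which program, then decide")
    if local_port in EPHEMERAL:
        return ("late-reply-or-probe",
                f"port {local_port} is in the dynamic range {EPHEMERAL.start}-"
                f"{EPHEMERAL.stop - 1} and nothing holds it now: most likely a reply "
                f"to a connection that already timed out; blocking it costs nothing")
    return ("unsolicited-inbound",
            f"nothing on this machine uses {proto} port {local_port}; block and log")


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    for alert in (("TCP", 1880, "206.13.31.12"), ("UDP", 1258, "206.13.31.12"),
                  ("TCP", 135, "10.0.0.5"), ("TCP", 4444, "10.0.0.5"),
                  ("TCP", 80, "10.0.0.5")):
        verdict, reason = triage(*alert, rows)
        print(f"{alert[0]} {alert[2]} -> local {alert[1]}: {verdict}\n    {reason}")
```

Run it while the popup is still on screen (the socket disappears once the connection closes). The first verdict is the Acrobat case from the thread: port 1880 is the client side of a connection this machine already has to 206.13.31.12, so the popup is about a reply, not a remote host reaching in.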

Nothing. And why should it do so?

If you're trusting in Adobe and like their products, just use them. Before you use them, configure them as you like. The online update feature can be switched off (and should not BTW).

Your "Personal Firewall" is only making a show to "stop" this "perhaps malicious" connect() to make _you_ feel good and safe. Your computer is not more secure because of this in any way. This is, why I'm calling it a placebo software.

(BTW: Acrobat is contacting to the outside host, not vice versa).

If Adobe would want to do something really bad, they would do it in a way, your "Personal Firewall" does not recognize, and it would not show any popups, just like with my POC.

This is what I'm trying to tell - if the application wants to be controllable, usually because it's not malware, then and only then your "Personal Firewall" is able to control.

But this has nothing to do with security.

There is one exception: the malware, which is programmed as dumb as the "Personal Firewals" themselves ;-) But, believe me: this is not the malware which is dangerous and you should frighten ;-)

For fighting malware, there is only one way, which really works: do not run it on your computer. How to achieve this, is a good topic for a discussion about security.

Yours, VB.

Reply to
Volker Birk

It is.

Yours, VB.

Reply to
Volker Birk

Oh, sorry ;-) A POC is a proof of concept, some code, which shows, that it's working what I'm saying. In this case, it's some code which is "phoning home".

No, it does it visible and obvious ;-) Because it's a POC, I didn't want to hide what it does.

Anyway, on

formatting link
you'll find a precompiled version. This one needs Internet Explorer already running, when you start it.

All what you're discussing here, is not the topic. We're not talking about applications on hosts in the Internet, which try to contact your host, but about applications running on your host trying to contact hosts in the Internet.

Nothing happens if you deny that. But: why are you asked such questions by your "Personal Firewall", if that has nothing to do with security?

BTW: sorry, that I have to remove the microsoft.* hierarchy, because my news server does not have it.

Yours, VB.

Reply to
Volker Birk

No.

Inbound connections can be filtered by any host based packet filter, like the Windows-Firewall or any "Personal Firewall", too.

The difference is with outbound connections.

Yes, with inbound connections. But: why should your "Firewall" inform you about that with a popup the user usually does not understand?

Why not blocking, and that's all?

If you don't want to be contacted any way, just like most of the home users, why not just denying anything, and that's it? It's not your problem then.

This is not possible.

The 1st question, you will not be able to answer, because you don't know the person (if any), who triggered the contact, and you will not be able to localize her/him.

The second question is not interesting, if you don't want to offer any services at all, as most of the home users do (usually, they want to use the web, email, perhaps some games or IM, or the usenet ;-) and that's it).

The third question usually you never will find out any way.

So what?

I personally think, millions of users just want to use their PC for using email and web, some work, and playing games.

And they want doing this in a safe way. They want reliable systems, which they can use for doing this, and they don't want to have such problems at all.

Good and secure systems have to be designed this way. This means the opposite of opening such useless popups with such confusing texts and questions, which a regular user cannot decide, because she/he not only is missing the background information about it, but also does not want to decide and to deal with anyway.

I think, you might be an exception here ;-)

If you're interested in computing security, then there is only one way to learn: learn about how all is working with this computer stuff and the networking things ;-)

A good start is Craig Hunt's book "TCP/IP", published by O'Reilly. And then learn to program yourself. For learning, how the TCP/IP protocol family really works, try Richard Stevens' book "UNIX Network Programming", read at least the first volume. For understanding this, you should first learn (if you didn't yet) how to use the programming language C.

Yours, VB.

Reply to
Volker Birk

True, but you can catch lots of outbound malware traffic that exists because machines were taken out of the defence perimeter, then brought back into the network, with outgoing IDS at the gateway. It happens, unless you take extreme measures on the PC's. Even if, it gives you a second line of defence and/or warning when something does go wrong with a PC.

With regards to tunnels, you can also only permit tunnels to appropriate destinations and block the rest.

-Russ.

Reply to
Somebody.

I think, you're misinterpreting this message completely. I assume, that the Acrobat program is running on your own host, and if you're reciting correctly, then 206.13.31.12 was your own IP address.

Perhaps you first should try to understand what an IP address is, what a port is (it's not a "door" or even a "harbour", but only a maintenance number), and how sockets are working and what they're used for.

Perhaps you could start with Craig Hunt's book, as I mentioned already.

First you should understand, how classical operating systems work, like *NIX systems or Windows.

They have two parts, a kernel and the userland, in which programs, which are running, are called "processes".

The kernel is a program, which controls anything which is going on, including the other programs, the processes.

To make a stable system, code of processes may not influence memory of the other processes at all - this the kernel is asserting with a technique called "protection". This means, if code of a process tries to do any I/O itself, or tries to influence the memory of other processes, then the kernel just stops this process immediately - on Windows systems, "Dr. Watson" arrives ;-)

But sometimes it's necessary, that two processes can communicate. For example, you want to have results of your spreadsheet in your wordprocessor. Techniques, which are allowing this as exceptions from the protection, are called "Inter-Process Communication", IPC.

(IPC has to be controlled by the kernel, BTW. It is a big design flaw in Windows, that uncontrolled IPC with Windows messages is possible between processes which open Windows on the same Desktop.)

Sometimes, IPC has to be done through the network. For example, if the process, which represents/implements your webbrowser should show information from a webserver, which is represented by another process, perhaps on another machine, then this will be implemented with IPC also: IPC through the net.

Usually, it's implemented with network protocols like TCP, and with an API like the BSD socket API (this is i.e. with Linux, BSDs and Windows, with commercial UNIXes you'll have XTI as an alternative to the socket API).

With Internet Protocol and TCP it is so, that any network interface in the network has a unique number, the IP address. This is a 32bit number, unfortunately usually written in a very strange way (writing decimal numbers for each single octet, separated by dots like "206.13.31.12").

TCP sockets are a technique to have a bidirectional communication connection from one process running on one machine to a second process running on the same machine or another one in the network.

It is possible, that more than one process can communicate through one network interface with a TCP socket at one time; so we need a second maintenance number to identify one connection from one process to another.

This is done by adding a port number. The protocol, TCP, the interface number, the IP address, and third the port number are identifying one endpoint of a TCP connection; two sets of those three numbers (also the protocols are numbered, TCP is number 6) identify one single connection.

The port number is a 16bit number, which is not 0.

With TCP, all communication is following the client/server pattern. That means, one process has the role of the server, and one process has the role of the client.

For example, a webserver has the role of the server, and a webbrowser has the role of the client.

To initiate a TCP connection, first the server has to "listen" on a port. That means, it opens one endpoint with the system call listen(), which means, that the process tells the kernel, that if there will be information arriving on this network interface (or any network interface, if the endpoint is opened for interface 0.0.0.0), which leads into initiating a TCP connection, then the kernel should send this information to the server process, which called listen() for this type of connection, say: for this port number.

If a webbrowser now wants to open a TCP connection to our webserver (in this example), then it sends a special IP packet, which is called a SYN cookie, see RFC 793, together with the information, on which port it wants to send this information. To do this, also the webbrowser has to open a TCP endpoint first on its own machine and on one interface there. It does this by using the system call connect(), which opens such an endpoint from the process, in which the webbrowser is running, to the network kernel, and second such a TCP syncookie is being sent to the other machine by the kernel (you remember, only the kernel code is allowed to do I/O ;-)

If the other kernel is answering with SYN,ACK, then it wants to communicate and is trying to establish the TCP connection with its webserver. The kernel with the webbrowser then answers with ACK, which means, that now all is clear, and the connection is established (see 3.4 in RFC 793).

Since then, when one of both processes is writing data to its endpoint of the TCP connection, its kernel is sending this in a reliable way to the other kernel, which is transmitting this data to the other process, which can read it and vice versa.

This is how TCP works.

Perhaps you now can start to interpret the message of your "Personal Firewall" ;-)

Hint: you only know the names of the files, in which the programs are stored, which are building processes when run, like "acrobat.exe", for your own machine.

About processes of other machines you know nothing like that. You only know, with what maintenance number - port number - their network connection to you is being managed by the kernel of the other machine.

Yours, VB.

Reply to
Volker Birk
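Volker's walk through listen(), connect() and the two endpoints that identify a TCP connection can be watched on one machine with the plain BSD socket API. The following is an added example written for this thread, not code from any poster: it runs a server and a client over the loopback interface, records the (IP, port) pair at each end, and then renders the server's first data packet the way a host firewall on the client side would report it. Port 0 for the listening socket is an assumption for a self-contained test (the kernel picks a free port); a real server would use a fixed port such as 80.

```python
"""Watch the TCP endpoints a firewall message describes, on loopback.

Added example for this thread, not from any poster. Port 0 lets the kernel
choose the listening port; everything else is the standard socket API.
"""
import socket


def tcp_roundtrip(payload=b"hello"):
    """Server listen(), client connect(), server accept(), one data segment.

    Returns the four endpoint tuples so the caller can see that the client's
    local port is a kernel-chosen ephemeral one and that the server replies
    to exactly that port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))      # assumption: port 0 = let the kernel pick
    srv.listen(1)                   # the server role: wait for SYNs on this port
    server_port = srv.getsockname()[1]

    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(5)
    # connect() makes the kernel send SYN, receive SYN,ACK and send ACK; on
    # loopback the handshake completes even before the server calls accept().
    cli.connect(("127.0.0.1", server_port))

    conn, _ = srv.accept()          # the accepted socket is the server's endpoint
    conn.settimeout(5)

    # Data from server to client: the firewall on the client side sees this as
    # an inbound packet from server_port to the client's ephemeral port.
    conn.sendall(payload)
    got = cli.recv(1024)

    result = {
        "server_listen_port": server_port,
        "client_local": cli.getsockname(),     # (127.0.0.1, ephemeral port)
        "client_peer": cli.getpeername(),      # (127.0.0.1, server_port)
        "server_side_local": conn.getsockname(),
        "server_side_peer": conn.getpeername(),
        "echo": got,
    }
    conn.close()
    cli.close()
    srv.close()
    return result


def describe_like_a_firewall(r):
    """Render the server's data packet as a client-side host firewall reports it.

    The popup names the *local* port, which here is the ephemeral one the
    client's kernel picked, not a service the client is offering.
    """
    lip, lport = r["client_local"]
    rip, rport = r["client_peer"]
    return (f"inbound TCP {rip}:{rport} -> {lip}:{lport} "
            f"(data on a connection this host opened to port {rport})")


if __name__ == "__main__":
    r = tcp_roundtrip()
    print("server listens on port", r["server_listen_port"])
    print("client endpoint      ", r["client_local"], "->", r["client_peer"])
    print("server endpoint      ", r["server_side_local"], "->", r["server_side_peer"])
    print(describe_like_a_firewall(r))
```

The two endpoint lines are mirror images of each other: the server's peer is the client's local address, and the client's peer is the server's listening port. In the Acrobat message from the thread the local port 1880 plays the client's role, so the IANA name attached to it says nothing about what is happening; the remote port (which Sygate does not print in the popup) is the one that would.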

Gerard Schroeder wrote in news: snipped-for-privacy@40tude.net:

Well that's true and Sygate is really not telling you either.

I don't know why you'll have to figure it out. For me when the ISP's DNS servers wanted to contact the public or external WAN IP used by the FW appliance, it was due to me configuring a static IP on one of the machine's NIC on the LAN. I set the machine's NIC back to using DHCP IP and I have not seen the DNS servers trying to initiate contact with my network.

You must have a Win XP machine as you're talking about NDIS User mode where in my case the wireless NIC driver was using NDIS User Mode to phone home to several sites. So at the time I set BlackIce to not allow communications by the NDIS User Mode driver. I am not using wireless anymore, so I disable Wireless Zero Configuration Service on XP to close that door.

It comes down to you knowing what's happening and who is doing it and not using Sygate like a crutch because Sygate is not giving you the true picture. You talk about NDIS User Mode and whatnot SVChost.exe (Generic Host Process), which are just doing their jobs and that is to communicate on the network LAN or WAN. It's not those processes that are initiating the communication as they only do it on the behalf of other processes that are making the requests. You need to determine what those processes are that are doing it and make determinations if it's legit or not and take the appropriate action.

One uses the proper tools like Process Explorer to look at processes and see what processes hidden ones are using a particular process and not use Sygate like some kind of a crutch.

Long version

formatting link

Short version

formatting link
The link talks about tools you can use.

Long version

formatting link

Short version

formatting link
And for the particular Windows O/S you are using, you can go get a Windows Resource Kit book that will tell you everything about the O/S and what is happening. You may be able to check one out at the public library.

I don't have any solutions such as BlackIce with its Application Control running on my machines, because personal FW solutions that are using it are a worthless feature IMHO.

I have BlackIce running on my laptop, but the Application Control feature is disabled as I don't need it asking me the ridiculous questions as I got a good take on what's happening or I know how to use the proper tools and find out what is happening.

Some other tips and there is one for Win 2K too.

formatting link
The buck stops with you and the O/S. It doesn't stop anywhere else.

Duane :)

Reply to
Duane Arnold
