interesting alerts on Zonealarm recently - what do I do?

My son came home from college using his laptop on my network with a Netgear router. Now I regularly get this alert:

"ZoneAlarm blocked traffic to port 2869 on your machine from port 1077 on a remote computer whose IP address is 192.168.1.1. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise."

It's being stopped which is good but 192.168.1.1 is my router's address.

What do I do?

Reply to
Paul

Turn off alerts.

Reply to
jon

Remove ZoneAlarm, of course.

Reply to
Slarty

Inspect the traffic with a sniffer (e.g. Wireshark [1]) to find out what the payload of these packets is. It should suffice if you install the sniffer on the same machine ZA is installed on, but in case it doesn't you have to tap the wire.

Also check the configuration of your router. Any port forwardings? Is the firmware up-to-date? Run a portscan against the router (from the outside) to check if there are any ports open on the external interface. Netgear routers have become infamous for being vulnerable.

[1]
cu 59cobalt
Reply to
Ansgar -59cobalt- Wiechers

You tell ZA to trust the Device IP of the router. The router is doing the scanning, which is harmless. It's either that or remove ZA from the machine.

Duane :)

Reply to
Mr. Arnold5

Set your router address range, i.e. for example 192.168.1.0/255.255.255.0, to the trusted zone in ZA.

TCP 2869 is used for the UPnP framework. TCP 1077 is the IMGames port (instant messenger games).

Did you use some IM software and try to play a game?

I think you should take Ansgar's advice and inspect this with Wireshark more carefully. Maybe the router is just announcing itself to the UPnP framework interface, maybe you and/or your son tried to play an IM game, maybe this is something else. There is too much maybe. Inspect this.

Reply to
alf
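As an added illustration of alf's and Ansgar's suggestions (this is not code from the thread), a small Python triage helper that parses the alert text quoted in the original post, checks whether the remote address falls inside the LAN range you would mark as trusted in ZA, and whether the local port is the UPnP port alf names. The subnet 192.168.1.0/24 and the single-entry port table are assumptions taken from the thread.

```python
import ipaddress
import re

# Constructed sample: the alert text quoted in the original post.
SAMPLE_ALERT = (
    "ZoneAlarm blocked traffic to port 2869 on your machine from port 1077 "
    "on a remote computer whose IP address is 192.168.1.1."
)

# Field order follows ZoneAlarm's wording as quoted in the post (assumption).
ALERT_RE = re.compile(
    r"blocked traffic to port (?P<local_port>\d+) on your machine "
    r"from port (?P<remote_port>\d+) on a remote computer whose IP address "
    r"is (?P<remote_ip>\d+(?:\.\d+){3})"
)

# Local service ports that LAN devices legitimately talk to. Assumption: only
# the one named in the thread (UPnP framework on TCP 2869).
KNOWN_LAN_SERVICE_PORTS = {2869: "UPnP framework"}


def parse_alert(text):
    """Extract (local_port, remote_port, remote_ip) from a ZoneAlarm alert."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("not a recognised ZoneAlarm block alert")
    return (int(m["local_port"]), int(m["remote_port"]),
            ipaddress.ip_address(m["remote_ip"]))


def triage(text, trusted_lan="192.168.1.0/24"):
    """Classify an alert: where the traffic came from and what it was aimed at."""
    local_port, remote_port, remote_ip = parse_alert(text)
    lan = ipaddress.ip_network(trusted_lan)
    verdict = {
        "remote_ip": str(remote_ip),
        "remote_port": remote_port,
        "local_port": local_port,
        "from_trusted_lan": remote_ip in lan,
        "service": KNOWN_LAN_SERVICE_PORTS.get(local_port, "unknown"),
    }
    # Traffic from inside the LAN to a known local service is the usual benign
    # case; anything else deserves a packet capture first, as Ansgar advises.
    benign = verdict["from_trusted_lan"] and local_port in KNOWN_LAN_SERVICE_PORTS
    verdict["action"] = ("benign: add LAN range to ZA trusted zone" if benign
                         else "inspect: capture the traffic before trusting it")
    return verdict


if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
```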

Great advice - many thanks to all. It happened when my son came home and plugged in to the network. But he has left and it is still happening.

Maybe one of MS's "updates" is now doing this.

Reply to
Paul

MS updates have nothing to do with the Device IP of the router making contact with the machines that are connected to it. ZA has no business even reporting it.

Duane :)

Reply to
Mr. Arnold6

Just follow Ansgar's procedure. If you don't have IM software running, and this is still happening, and it never happened before, you should really do what Ansgar told you to do. BTW, check or ask your son whether he changed anything in your router or your computer configuration.

No

Reply to
alf

That is true, ZA shouldn't block that. But the question is why did that start to happen? If that communication existed before, ZA would probably have blocked it before as well as now. Why did it start after his son connected with his laptop? IMHO I believe everything is OK, his son probably reconfigured something, and now ZA has to be reconfigured as well. But a little inspection before that conclusion would be a nice thing to do. Why? He has "UPnP communication"; what is a possible result of that communication? A forwarded port. I believe that a sudden possible attempt to forward a port, no matter how small the possibility of port forwarding is, requires a little attention.

Reply to
alf

How do you know that nobody captured the router from the outside and is doing nasty things to the inside?

Reply to
Ulf Leichsenring

Someone from the outside captured the Device IP of the router to do what, which they cannot do? Someone from the outside has captured the router, installed firmware on the router, and that firmware is now using the Device IP of the router to attack, mind you, attack the machines connected to the router.

You want to explain your thoughts and opinions as to how someone can capture the router and the Device IP of the router to attack the machines connected to the router. I will love to hear this, but I am probably going to regret it.

Reply to
Mr. Arnold6

Someone from the outside captured the Device IP of the router to do

You know that many home (DSL) routers run some kind of embedded OS like Linux. Some of them even have management ports (http, ssh or else) running on the WAN side to help the ISP manage the device (firmware updates etc.). If you get access to these routers you are able to connect to the inside using your favorite tools.

Reply to
Ulf Leichsenring

I know this, but I would say that it's not happening in the OP's case. No one is going out of their way to do this on his home user network.

Reply to
Mr. Arnold6
