Re: How to tell if a firewall alert is suspicious or not

From: Mike (honey_at_michaelmoyse.co.uk)
Date: 09/15/05


Date: Thu, 15 Sep 2005 15:48:26 +0100

Gerard Schroeder wrote:
> On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:
>
>
>>There are ways you can research these things... however, you will get so
>>many of these alerts, and it is so fruitless to research them all
>
> ...
>
>>you should look up what the remote IP address is
>>www.nwtools.com or www.netsol.com
>
> ...
>
>>A really smart firewall would let you inspect the TCP flags and contents of
>>the incoming packet
>
>
> I thank you for your detailed suggestions summarized below as:
> 1. There exists innocent common connections reported by the firewall
> 2. We can find the NAME of the IP address contacting us for clues
> 3. The content of the incoming packet may contain clues
>
> Regarding the first interesting comment above:
> - Is there a site where all the common innocent connections are listed?
> - I searched (before I posted) and did not find one (but it may exist).
> - If not, I don't mind starting a list (in this post perhaps?).
>
> Regarding looking up the NAME of the IP address:
> - WHY would my DNS provider suddently connect (this does not happen often)?
> - I keep a list of the common contact requests & this isn't one of them.
> - I said NO to the request & I don't see negative consequences.
>
> Regarding the content of the incoming packets:
> - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
> - The DETAILS button gives more information (cryptic to me, a novice).
> - Again I wonder if there is a list of known non-dangerous contacts.
>
> For we novices who still desire basic firewall protection, it would be nice
> to refer to a list of known generally non-dangerous requests to accept.

No!! Novices do not have the knowledge as you so patently demonstrate.
You need a hardware firewall like the ones built into Zyxel routers etc.
Tick the box that says enable firewall and just get on with using your
computer without all the silly pointless and misleading popups from your
software firewall.

> The particular message I posted from my DNS server does NOT happen often so
> that is what startled me.

If you had a router you would not have seen it or been startled plus you
would have been protected.



Relevant Pages

  • Re: How to tell if a firewall alert is suspicious or not
    ... There exists innocent common connections reported by the firewall ... The content of the incoming packet may contain clues ... You need a hardware firewall like the ones built into Zyxel routers etc. ... If you had a router you would not have seen it or been startled plus you ...
    (comp.security.firewalls)
  • Re: How to tell if a firewall alert is suspicious or not
    ... There exists innocent common connections reported by the firewall ... The content of the incoming packet may contain clues ... You need a hardware firewall like the ones built into Zyxel routers etc. ... If you had a router you would not have seen it or been startled plus you ...
    (microsoft.public.windowsxp.security_admin)
  • Re: port forwarding woes
    ... >> Your rule is for incoming packet from eth1. ... >> to 67.83.57.63:443 from local (ie. firewall) machine or from outside? ... 8-CPU Cluster, Hosting, NAS, Linux, LaTeX, python, vim, mutt, tin ...
    (comp.os.linux.security)
  • Re: port forwarding woes
    ... >> Your rule is for incoming packet from eth1. ... >> to 67.83.57.63:443 from local (ie. firewall) machine or from outside? ... 8-CPU Cluster, Hosting, NAS, Linux, LaTeX, python, vim, mutt, tin ...
    (comp.os.linux.security)