Windows Security Log gets crowded!



We recently installed Windows Server 2008 on a server and we have
noticed that the Windows Security Log is crowded with events like the
ones below (several thousands every day). We realize that they are
from some kind of multicast, but we just want to get rid of them. It
is however a bit difficult since we don't know the cause. Any Help
will be greatly appreciated.

Thanks,
Mattias


Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2008-06-26 02:00:15
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: cosmo.lundalogik.local
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 716
Application Name: \device\harddiskvolume2\windows
\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: 224.0.0.252
Source Port: 5355
Destination Address: 192.168.35.56
Destination Port: 49425
Protocol: 17

Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 44
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event";>
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5157</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2008-06-26T00:00:15.364Z" />
<EventRecordID>65636</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>cosmo.lundalogik.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">716</Data>
<Data Name="Application">\device\harddiskvolume2\windows
\system32\svchost.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">224.0.0.252</Data>
<Data Name="SourcePort">5355</Data>
<Data Name="DestAddress">192.168.35.56</Data>
<Data Name="DestPort">49425</Data>
<Data Name="Protocol">17</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">44</Data>
</EventData>
</Event>
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2008-06-26 02:00:15
Event ID: 5157
Task Category: Filtering Platform Connection
Level: Information
Keywords: Audit Failure
User: N/A
Computer: cosmo.lundalogik.local
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
Process ID: 716
Application Name: \device\harddiskvolume2\windows
\system32\svchost.exe

Network Information:
Direction: Inbound
Source Address: ff02::1:3
Source Port: 5355
Destination Address: fe80::e530:9589:5d64:74f3
Destination Port: 54188
Protocol: 17

Filter Information:
Filter Run-Time ID: 0
Layer Name: Receive/Accept
Layer Run-Time ID: 46
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event";>
<System>
<Provider Name="Microsoft-Windows-Security-Auditing"
Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>5157</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12810</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2008-06-26T00:00:15.348Z" />
<EventRecordID>65633</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="92" />
<Channel>Security</Channel>
<Computer>cosmo.lundalogik.local</Computer>
<Security />
</System>
<EventData>
<Data Name="ProcessID">716</Data>
<Data Name="Application">\device\harddiskvolume2\windows
\system32\svchost.exe</Data>
<Data Name="Direction">%%14592</Data>
<Data Name="SourceAddress">ff02::1:3</Data>
<Data Name="SourcePort">5355</Data>
<Data Name="DestAddress">fe80::e530:9589:5d64:74f3</Data>
<Data Name="DestPort">54188</Data>
<Data Name="Protocol">17</Data>
<Data Name="FilterRTID">0</Data>
<Data Name="LayerName">%%14610</Data>
<Data Name="LayerRTID">46</Data>
</EventData>
</Event>
.



Relevant Pages

  • Re: Windows Security Log gets crowded!
    ... Log Name: Security ... Task Category: Filtering Platform Connection ... The Windows Filtering Platform has blocked a connection. ... Filter Information: ...
    (microsoft.public.windows.server.security)
  • [NT] Cumulative Security Update for Internet Explorer (MS04-025)
    ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
    (Securiteam)
  • [NT] Vulnerability in HTML Help Allows Code Execution (MS05-001)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service ...
    (Securiteam)
  • Re: The Myth of the secure Mac
    ... OEM Windows XP Home goes for a bit under $100. ... >> secure than Home. ... Though this really has nothing to do with security. ... Microsoft counts on third-party developers to provide more ...
    (comp.sys.mac.advocacy)
  • SecurityFocus Microsoft Newsletter # 149
    ... MICROSOFT VULNERABILITY SUMMARY ... EveryBuddy Long Message Denial Of Service Vulnerability ... Intellitactics Network Security Manager ... Windows operating systems. ...
    (Focus-Microsoft)