Re: How to tell if a firewall alert is suspicious or not

From: Gerard Schroeder (Gshroeder22031_at_hotmail.com)
Date: 09/15/05


Date: Thu, 15 Sep 2005 13:20:13 GMT

On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:

> "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
>> How can I tell if this is suspicious or not?
> Look at your TCP/IP configuration. Isn't that your SBC DNS server?

Using DHCP, I don't specify a DNS server, so I'd have no clue if that truly
was my DNS server ... but I maintain a list of daily requests and this is
NOT one of them.

So why, all of a sudden, would my DNS server be contacting me out of the
blue? And why does my network still (apparently) work even though I said
NO to the request?

What would be nice is for users to post (and for experts to double-check)
what they consider to be innocuous requests uninitiated by them which
appear in their yes/no request list from Sygate.

I am willing to START that list of what appears to be common innocuous
requests (for expert review).

Here is my list of common requests not explicitly initiated by me which my
Sygate Personal Firewall seems to report daily so that others may consult
it before accepting or rejecting a Sygate Personal Firewall request to
allow access:

NDIS User mode I/O Driver (ndisuio.sys)
has received a Multicast packet from the remote machine [192.168.0.1].
Do you want to allow this program to access the network?

NDIS Filter Intermediate Driver (eacfilt.sys)
has received a Multicast packet from the remote machine [192.168.0.1].
Do you want to allow this program to access the network?

NDIS Filter Intermediate Driver (eacfilt.sys)
is trying to broadcast to [192.168.0.255]
using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over
TCP/IP).
Do you want to allow this program to access the network?

NDIS User mode I/O Driver (ndisuio.sys)
has received a Broadcast packet from the remote machine [192.168.0.100].
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine news.google.com [216.239.37.147]
using local port 1615 (NETBILL-AUTH - NetBill Authorization Server).
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine [206.13.28.12]
using local port 1258 (OPENNL - Open Network Library).
Do you want to allow this program to access the network?

Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to [207.46.157.60]
using remote port 443 (HTTPS - HTTP protocol over TLS/SSL).
Do you want to allow this program to access the network?

Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to time.windows.com [207.46.130.100]
using remote port 123 (NTP - Network Time Protocol).
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine [80.237.203.14]
using local port 4503
Do you want to allow this program to access the network?
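One way to keep the kind of list the post asks for, as an added example that is not part of the original post or of Sygate's own software: a Python script that parses prompts in Sygate Personal Firewall's wording into (program, direction, peer, port) and checks each against a personal baseline. The sample prompts are constructed for the example, the baseline rules and the "REVIEW" heuristics are assumptions made here rather than anyone's verdict on the prompts above, and the parser deliberately tolerates a prompt whose closing "]" was lost when it was pasted.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample (not captured from a live machine): four prompts in Sygate's
# wording.  The NTP prompt deliberately lacks its closing ']' so the parser has
# to cope with a pasted alert that lost a character.
SAMPLE_ALERTS = """\
NDIS Filter Intermediate Driver (eacfilt.sys)
is trying to broadcast to [192.168.0.255]
using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over TCP/IP).
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine news.google.com [216.239.37.147]
using local port 1615 (NETBILL-AUTH - NetBill Authorization Server).
Do you want to allow this program to access the network?

Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to [207.46.157.60]
using remote port 443 (HTTPS - HTTP protocol over TLS/SSL).
Do you want to allow this program to access the network?

Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to time.windows.com [207.46.130.100
using remote port 123 (NTP - Network Time Protocol).
Do you want to allow this program to access the network?
"""
QUESTION = "Do you want to allow this program to access the network?"
ALERT_RE = re.compile(
    r"^.+? \((?P<image>[^)]+)\) "
    r"(?P<verb>has received a (?:Multicast|Broadcast) packet from the remote machine"
    r"|is being contacted from a remote machine|is trying to (?:broadcast|connect) to) "
    r"(?:(?P<host>[A-Za-z][\w.-]*) )?"        # reverse-resolved peer name, if shown
    r"\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?"     # ']' optional: tolerate its loss
    r"\.?(?: using (?P<side>local|remote) port (?P<port>\d+))?"
)

@dataclass(frozen=True)
class Alert:
    image: str            # executable or driver named in the prompt
    direction: str        # "in": a packet arrived; "out": the program is sending
    ip: str
    host: Optional[str]   # reverse-resolved peer name, if Sygate showed one
    side: Optional[str]   # which end the quoted port belongs to: local or remote
    port: Optional[int]

def parse_alerts(text: str) -> List[Alert]:
    """Split a pasted prompt log on blank lines and parse each prompt."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        line = " ".join(block.split()).replace(QUESTION, "").strip()
        m = ALERT_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised prompt: {line!r}")
        direction = "out" if m["verb"].startswith("is trying") else "in"
        alerts.append(Alert(m["image"].lower(), direction, m["ip"], m["host"],
                            m["side"], int(m["port"]) if m["port"] else None))
    return alerts

@dataclass(frozen=True)
class Rule:
    label: str
    image: str
    direction: str
    port: Optional[int] = None    # port quoted in the prompt, if it matters
    host: Optional[str] = None    # peer name the prompt must show
    lan_only: bool = False        # peer must be an RFC 1918 address
    reply_leg: bool = False       # inbound on a local port >= 1024

    def matches(self, a: Alert) -> bool:
        return (self.image == a.image and self.direction == a.direction
                and (self.port is None or a.port == self.port)
                and (self.host is None or a.host == self.host)
                and (not self.lan_only or ipaddress.ip_address(a.ip).is_private)
                and (not self.reply_leg or (a.side == "local" and (a.port or 0) >= 1024)))

# Constructed baseline: a starting point for the reader's own list, not a verdict
# on any real prompt.  reply_leg is a heuristic: inbound packets to the browser on
# a high local port look like return traffic of a connection the browser opened,
# which the prompt alone cannot confirm.
BASELINE = (
    Rule("NetBIOS name-service broadcast on the LAN", "eacfilt.sys", "out", port=137, lan_only=True),
    Rule("Windows Time sync", "svchost.exe", "out", port=123, host="time.windows.com"),
    Rule("reply leg of a browser-initiated connection", "firefox.exe", "in", reply_leg=True),
)

def triage(alerts: List[Alert]) -> List[Tuple[str, str]]:
    """Per alert: ("baseline", rule label) or ("REVIEW", what stood out)."""
    out = []
    for a in alerts:
        rule = next((r for r in BASELINE if r.matches(a)), None)
        if rule:
            out.append(("baseline", rule.label))
            continue
        notes = [n for ok, n in (
            (a.host is None and not ipaddress.ip_address(a.ip).is_private, "unnamed public peer"),
            (a.direction == "out", f"{a.image} initiated it"),
            (a.port is not None and a.port < 1024, f"{a.side} port {a.port}")) if ok]
        out.append(("REVIEW", f"{a.image} {a.direction} {a.ip}: "
                    + ("; ".join(notes) or "no baseline match")))
    return out
```

Run `triage(parse_alerts(SAMPLE_ALERTS))`: the NetBIOS broadcast, the named Firefox reply and the time.windows.com NTP prompt land in the baseline, while svchost.exe connecting out to an unnamed public address on 443 is the one entry left marked REVIEW, which is the point of keying rules on program, direction, port and peer scope rather than on the program alone. The weak rule is reply_leg: a personal firewall that tracks connection state would check the inbound packet against an existing outbound connection, and a Sygate prompt does not show whether one exists, so that rule is a judgment call rather than evidence.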