Replies in-line.
----------------------------------------|
Ralph M. Los
Sr. Security Engineer and Trainer
EnterEdge Technology, L.L.C.
[EMAIL PROTECTED]
(770) 955-9899 x.206
----------------------------------------|
::-----Original Message-----
::From: Ravi Kumar Moluguri [mailto:[EMAIL PROTECTED]]
::Sent: Wednesday, April 03, 2002 2:24 PM
::To: [EMAIL PROTECTED]
::Cc: [EMAIL PROTECTED]
::Subject: Understanding Sonicwall log entries
::
::
::
:: Hi,
::
:: We have a Sonicwall firewall. I see a lot of log statements
::such as the
::following. I contacted Sonicwall but they said everything is fine.
::
::Can anybody throw more light on the meaning of these entries,
::especially (TCP connection dropped, TCP FIN packet dropped)?
::
::Thanks a lot in advance.
::
::------------------------------------------------------------------
::
::04/03/2002 07:34:36.064 - TCP connection dropped -
::Source:195.22.231.228,
::3880, WAN - Destination:63.107.113.254, 1080, LAN -
::'Socks' - Rule 0
Reply--> This is someone scanning for open proxies; your firewall blocked it; you: 1, bad guys: 0
::
::04/03/2002 06:16:33.224 - TCP FIN packet dropped -
::Source:4.60.61.95,
::6346, WAN - Destination:63.107.113.254, 13436, LAN - -
Reply--> Blah, this is worthless, sometimes it can mean a TCP/FIN scan, but mostly it is just
lazy web servers and the SonicWall is being over-aggressive as it sees a TCP/FIN packet
coming from a web server you visited a while ago, or maybe a load balancer, no worry here.
::
::
::04/03/2002 07:16:24.448 - ARP timeout - Source:0.0.0.0 -
:: Destination:63.107.113.203 - -
Reply--> Normal, although I've never seen that one on the SonicWall before
::
::04/03/2002 07:17:04.256 - Denied UDP packet from LAN -
::Source:10.1.11.98,
::68, LAN - Destination:255.255.255.255, 67, LAN - -
Reply--> Uhhh....that's weird. Why is your lan-side sending out broadcasts on port 68-67? You may
want to look into this; check host at 10.1.11.98 and see what's on it, maybe a trojan?
::
::04/03/2002 07:17:04.272 - Broadcast packet dropped -
::Source:10.1.11.99,
::67, LAN - Destination:255.255.255.255, 68, LAN - Code:17 -
Reply--> YES, definitely worth looking into, see above. I'd check this ASAP.
::
::04/03/2002 07:54:03.464 - ICMP packet dropped -
::Source:137.39.5.110, 3,
::WAN - Destination:63.107.113.254, 3, LAN - 'Dest
::Unreachable' - Rule 0
Reply--> Without knowing your config, can't say for sure but seems normal; a router downstream from you
is telling your firewall (doing NAT, most likely) that the host you're trying to connect to
doesn't exist.
Cheerio!
::
::-------------------------------------------------
::
::
::
::
::_______________________________________________
::Firewalls mailing list
::[EMAIL PROTECTED]
::http://lists.gnac.net/mailman/listinfo/firewalls
::
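An added example, not part of the original thread and not SonicWall's own tooling: a Python parser for the log format quoted above, run over the same entries with the mail line-wrapping removed, that labels each entry by message text and port. The label names, and reading the "port" field of ICMP entries as the ICMP type, are assumptions.

```python
import re

# Entries from the quoted message, rejoined onto one line each (sample input).
SAMPLE = """\
04/03/2002 07:34:36.064 - TCP connection dropped - Source:195.22.231.228, 3880, WAN - Destination:63.107.113.254, 1080, LAN - 'Socks' - Rule 0
04/03/2002 06:16:33.224 - TCP FIN packet dropped - Source:4.60.61.95, 6346, WAN - Destination:63.107.113.254, 13436, LAN - -
04/03/2002 07:16:24.448 - ARP timeout - Source:0.0.0.0 - Destination:63.107.113.203 - -
04/03/2002 07:17:04.256 - Denied UDP packet from LAN - Source:10.1.11.98, 68, LAN - Destination:255.255.255.255, 67, LAN - -
04/03/2002 07:17:04.272 - Broadcast packet dropped - Source:10.1.11.99, 67, LAN - Destination:255.255.255.255, 68, LAN - Code:17 -
04/03/2002 07:54:03.464 - ICMP packet dropped - Source:137.39.5.110, 3, WAN - Destination:63.107.113.254, 3, LAN - 'Dest Unreachable' - Rule 0
"""

# An endpoint is "addr[, port, interface]"; the ARP entry carries the address only.
ENDPOINT = r"(?P<{0}>[\d.]+)(?:,\s*(?P<{0}_port>\d+),\s*(?P<{0}_if>\w+))?"
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} [\d:.]+) - (?P<msg>.+?) - Source:"
    + ENDPOINT.format("src") + r" - Destination:" + ENDPOINT.format("dst")
    + r" - (?P<rest>.*)$")

def parse(line):
    """Return the entry's fields as a dict, or None if the line does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for k in ("src_port", "dst_port"):
        e[k] = int(e[k]) if e[k] else None
    return e

def triage(e):
    """Attach a coarse label (hypothetical names) for sorting a day's log."""
    msg, sp, dp = e["msg"], e["src_port"], e["dst_port"]
    # UDP 67/68 are the registered BOOTP/DHCP server/client ports:
    # 68->67 is a client request, 67->68 a server reply.
    if {sp, dp} == {67, 68} and "TCP" not in msg:
        return "dhcp-bootp"
    if msg.startswith("TCP connection dropped") and e["src_if"] == "WAN":
        return "inbound-blocked:%d" % dp
    if msg.startswith("TCP FIN"):
        return "stray-fin"
    if msg.startswith("ICMP"):
        return "icmp-type-%d" % sp  # assumption: type is logged in the port field
    return "other"

def summarize(text):
    """Return (timestamp, label) for every line that parses."""
    entries = (parse(l) for l in text.splitlines())
    return [(e["ts"], triage(e)) for e in entries if e]

if __name__ == "__main__":
    for ts, label in summarize(SAMPLE):
        print(ts, label)
```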
