Ralph,
The broadcasts are DHCP client requests (UDP 67) and DHCP server replies
(UDP 68); I don't think you are in jeopardy ;~)
Wade B
> Ralph Los wrote:
>
> Replies in-line.
>
> ----------------------------------------|
> Ralph M. Los
> Sr. Security Engineer and Trainer
> EnterEdge Technology, L.L.C.
> [EMAIL PROTECTED]
> (770) 955-9899 x.206
> ----------------------------------------|
>
> ::-----Original Message-----
> ::From: Ravi Kumar Moluguri [mailto:[EMAIL PROTECTED]]
> ::Sent: Wednesday, April 03, 2002 2:24 PM
> ::To: [EMAIL PROTECTED]
> ::Cc: [EMAIL PROTECTED]
> ::Subject: Understanding Sonicwall log entries
> ::
> ::
> ::
> :: Hi,
> ::
> :: We have a Sonicwall firewall. I see a lot of log statements
> ::such as the
> ::following. I contacted Sonicwall but they said everything is fine.
> ::
> ::Can anybody throw more light on the meaning of these entries,
> ::especially (TCP connection dropped, TCP FIN packet dropped)?
> ::
> ::Thanks a lot in advance.
> ::
> ::------------------------------------------------------------------
> ::
> ::04/03/2002 07:34:36.064 - TCP connection dropped -
> ::Source:195.22.231.228,
> ::3880, WAN - Destination:63.107.113.254, 1080, LAN -
> ::'Socks' - Rule 0
> Reply--> This is someone scanning for open proxies; your firewall
> blocked it; you: 1, bad guys: 0
>
> ::
> ::04/03/2002 06:16:33.224 - TCP FIN packet dropped -
> ::Source:4.60.61.95,
> ::6346, WAN - Destination:63.107.113.254, 13436, LAN - -
> Reply--> Blah, this is worthless, sometimes it can mean a TCP/FIN
> scan, but mostly it is just
> lazy web servers and the SonicWall is being over-aggressive as
> it sees a TCP/FIN packet
> coming from a web server you visited a while ago, or maybe a
> load balancer, no worry here.
>
> ::
> ::
> ::04/03/2002 07:16:24.448 - ARP timeout - Source:0.0.0.0 -
> :: Destination:63.107.113.203 - -
> Reply--> Normal, although I've never seen that one on the SonicWall
> before
>
> ::
> ::04/03/2002 07:17:04.256 - Denied UDP packet from LAN -
> ::Source:10.1.11.98,
> ::68, LAN - Destination:255.255.255.255, 67, LAN - -
> Reply--> Uhhh....that's weird. Why is your lan-side sending out
> broadcasts on port 68-67? You may
> want to look into this; check host at 10.1.11.98 and see
> what's on it, maybe a trojan?
>
> ::
> ::04/03/2002 07:17:04.272 - Broadcast packet dropped -
> ::Source:10.1.11.99,
> ::67, LAN - Destination:255.255.255.255, 68, LAN - Code:17 -
> Reply--> YES, definitely worth looking into, see above. I'd check this
> ASAP.
>
> ::
> ::04/03/2002 07:54:03.464 - ICMP packet dropped -
> ::Source:137.39.5.110, 3,
> ::WAN - Destination:63.107.113.254, 3, LAN - 'Dest
> ::Unreachable' - Rule 0
> Reply--> Without knowing your config, can't say for sure but seems
> normal; a router downstream from you
> is telling your firewall (doing NAT, most likely) that the
> host you're trying to connect to
> doesn't exist.
>
> Cheerio!
>
> ::
> ::-------------------------------------------------
> ::
> ::
> ::
--
Wade Blackwell
Washington Mutual Bank
[EMAIL PROTECTED]
Network Security Architect
Aol & Yahoo instant messenger csewadeb
Calendar http://calendar.yahoo.com/csewadeb
(D)206.377.7426 (C)206.930.1822 (F)206.490.6797
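
As an added example (not part of the original thread), the following Python script parses entries in the layout quoted above and labels them according to the readings given in the replies: the port 68/67 broadcasts as DHCP, and the WAN hit on port 1080 as a blocked SOCKS probe. The regular expression and the function names are assumptions inferred from the quoted entries, not SonicWall's documented log format.

```python
import re
from collections import Counter

# Field layout inferred from the entries quoted in the thread (an assumption),
# with each e-mail-wrapped entry joined back onto one line.
ENTRY = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} [\d:.]+) - (?P<msg>.+?) - "
    r"Source:(?P<src>[\d.]+)(?:, (?P<sport>\d+), (?P<szone>\w+))? - "
    r"Destination:(?P<dst>[\d.]+)(?:, (?P<dport>\d+), (?P<dzone>\w+))? - "
    r"(?P<rest>.*)$"
)

# DHCP: client 68 -> server 67, server 67 -> client 68, both to limited broadcast.
DHCP_PAIRS = {(68, 67): "dhcp-client-broadcast", (67, 68): "dhcp-server-broadcast"}

def parse(line):
    """Return the entry's fields as a dict, or None if the line does not match."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    for key in ("sport", "dport"):  # ports are absent on ARP entries
        e[key] = int(e[key]) if e[key] is not None else None
    return e

def triage(line):
    """Label one entry using the readings given in the thread."""
    e = parse(line)
    if e is None:
        return "unparsed"
    pair = (e["sport"], e["dport"])
    if e["dst"] == "255.255.255.255" and pair in DHCP_PAIRS:
        return DHCP_PAIRS[pair]
    if e["szone"] == "WAN" and e["dport"] == 1080 and e["msg"].startswith("TCP"):
        return "blocked-socks-probe"
    return "review"  # anything else still needs a human look

def summarize(lines):
    return Counter(triage(line) for line in lines)

SAMPLE = [  # entries copied from the thread, unwrapped
    "04/03/2002 07:34:36.064 - TCP connection dropped - Source:195.22.231.228, 3880, WAN - Destination:63.107.113.254, 1080, LAN - 'Socks' - Rule 0",
    "04/03/2002 06:16:33.224 - TCP FIN packet dropped - Source:4.60.61.95, 6346, WAN - Destination:63.107.113.254, 13436, LAN - -",
    "04/03/2002 07:16:24.448 - ARP timeout - Source:0.0.0.0 - Destination:63.107.113.203 - -",
    "04/03/2002 07:17:04.256 - Denied UDP packet from LAN - Source:10.1.11.98, 68, LAN - Destination:255.255.255.255, 67, LAN - -",
    "04/03/2002 07:17:04.272 - Broadcast packet dropped - Source:10.1.11.99, 67, LAN - Destination:255.255.255.255, 68, LAN - Code:17 -",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```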
