Q
Problem solve Get help with specific problems with your technologies, process and projects.

Interpretting firewall security alert messages

If you can't decipher the security alert messages from your firewall, information security threats expert Ed Skoudis can help with some of the interpretation. In this SearchSecurity.com Q&A, Ed Skoudis uses a sample alert message to explain whether your firewall is doing its job.

Ed Skoudis
By
I have been receiving these security alert messages from our firewall nearly every day:

TCP Packet - Source:144.120.8.89,39341 Destination:192.168.1.1,25 - [DOS] TCP Packet - Source:210.7.0.36,3473 Destination:210.7.12.23,135 - [DOS] Thu, 2006-10-19 16:30:03 – UDP Packet - Source:192.168.1.111,1443 Destination:202.62.124.238,53 - [Any(ALL) match]

What is this?

I'd need more information to know for sure, such as the IP addresses in your network topology map. Still, given what you have provided, we see an attempted connection to a mail server (TCP port 25) on your internal network (192.168 IP addresses are used for internal networks and are non-routable across the Internet.). Next, it looks like one of your own Windows machines tried to connect to another Windows system. This was done via Windows file and printer sharing with NetBIOS over TCP (TCP port 135). And, finally, one of your internal systems (again, based on the 192.168 address) most likely tried to send a domain name system request (UDP port 53). Each of these by themselves is innocuous. Someone may have mis-configured or mistyped an IP address, which then caused these packets to be sent. Or, perhaps some script kiddies were doing some widespread scans, and you fell into their cross hairs. Either way, your firewall is most likely doing its job and blocking this type of access.

If you want to get more information, I recommend that you configure a sniffer, such as the easy-to-use Wireshark tool. You can then sniff traffic on the internal interface of your router, and look for additional packets coming from 144.120.8.89 and 202.62.124.238. As another option, if you can get access to any of the 192.168 machines here (or any others for that matter), and they are Windows machines, you can run this command to get more details about what is going on:

C:> netstat –nao 1 | find "[IP_addr_of_other_side" | find "[port]"

The netstat command shows TCP and UDP ports that are in use. The –n means that we want numbers (not names) of ports and machines. The –a indicates our preference for all traffic. The –o means that we want the Process ID (PID) of the program using that port. The 1 will make this command run every second, again and again.

Then, the output is scraped for any indication of the IP address of the other side. Look for packets going to or from the ports in question, namely 25, 135, and 53. Let the command run for a little while, and see if and when one of the machines sends such a packet. When it does, look at the PID, and find it in Task Manager. If using Windows XP, 2003 or Vista, you can also use this command:

C:> wmic process list brief

Then, you'll know the process sending it, so you can check whether it is valid, and you can look over its configuration.

More information:

  • Use a packet sniffer to determine whether an email message is encrypted or not.
  • Visit SearchSecurity.com's network firewall resource center.
    • This was last published in February 2007

    Dig Deeper on Network device security: Appliances, firewalls and switches

    SearchCloudSecurity
    SearchNetworking
    SearchCIO
    SearchEnterpriseDesktop
    SearchCloudComputing
    ComputerWeekly.com
    Close