Interpretting firewall security alert messages
If you can't decipher the security alert messages from your firewall, information security threats expert Ed Skoudis can help with some of the interpretation. In this SearchSecurity.com Q&A, Ed Skoudis uses a sample alert message to explain whether your firewall is doing its job.
TCP Packet - Source:144.120.8.89,39341 Destination:192.168.1.1,25 - [DOS] TCP Packet - Source:210.7.0.36,3473 Destination:210.7.12.23,135 - [DOS] Thu, 2006-10-19 16:30:03 – UDP Packet - Source:192.168.1.111,1443 Destination:202.62.124.238,53 - [Any(ALL) match]
What is this?
If you want to get more information, I recommend that you configure a sniffer, such as the easy-to-use Wireshark tool. You can then sniff traffic on the internal interface of your router, and look for additional packets coming from 144.120.8.89 and 202.62.124.238. As another option, if you can get access to any of the 192.168 machines here (or any others for that matter), and they are Windows machines, you can run this command to get more details about what is going on:
C:> netstat –nao 1 | find "[IP_addr_of_other_side" | find "[port]"
The netstat command shows TCP and UDP ports that are in use. The –n means that we want numbers (not names) of ports and machines. The –a indicates our preference for all traffic. The –o means that we want the Process ID (PID) of the program using that port. The 1 will make this command run every second, again and again.
Then, the output is scraped for any indication of the IP address of the other side. Look for packets going to or from the ports in question, namely 25, 135, and 53. Let the command run for a little while, and see if and when one of the machines sends such a packet. When it does, look at the PID, and find it in Task Manager. If using Windows XP, 2003 or Vista, you can also use this command:
C:> wmic process list brief
Then, you'll know the process sending it, so you can check whether it is valid, and you can look over its configuration.
More information: