Thread: log all traffic

  1. #1
    miamia Guest

    log all traffic

    Hello, is there any way in ZA to log all traffic from my computer? My hardware firewall sent me information about an attack from my PC:
    |192.168.1.34:3015 |63.217.30.60:80 |ATTACK syn flood TCP (L to W1)
    |192.168.1.34:28801 |84.245.95.236:23404 |ATTACK ports scan UDP (L to W1)
    so I would like to find out which software did it.
    thanks

    Operating System:Windows XP Pro
    Software Version:8.0
    Product Name:ZoneAlarm Internet Security Suite

  2. #2
    Join Date: Dec 2005 | Posts: 9,056

    Re: log all traffic

    http://www.coolwhois.com/d/63.217.30.60
    (Beyond The Network America Inc)
    Good chance this is an internet server for files (ads, images, content, etc.) for the browser (as this is using port 80, or HTTP).


    http://www.coolwhois.com/d/84.245.95.236
    (I think this may be your provider)
    Could be the provider is doing some maintenance and security (checking for illegal users and illegal home-based web servers), or just checking to see if the clients are still established for the nodes of the local subnets of its own network (and subnetworks).

    See syn flood tcp definition:

    http://www.iss.net/security_center/a...od/default.htm

    Port scan by UDP is rare and there should be seen ICMP connections along with this if this is an actual genuine port scan by UDP.

    It could be the router is set to be too sensitive to attacks whereas this could be normal traffic.

    Logging all traffic is already done by the Zone Alarm.
    Just look at the log viewer.
    Also set the alerts higher than presently set - the unusual port activity should be seen in the ZA alerts.

    Oldsod.
    Best regards.
    oldsod

  3. #3
    miamia Guest

    Re: log all traffic

    hello Oldsod :-)
    thanks for the prompt reply. I checked 84.245.95.236
    but unfortunately
    it is not my ISP - but it does not matter..


    and logs - I asked because in Firewall logs I see only entries with action taken:blocked. I checked logs for firewall, programs, etc but I cannot find these entries (63.217.30.60, 84.245.95.236) in my log files.

  4. #4
    Join Date: Dec 2005 | Posts: 9,056

    Re: log all traffic

    Hi Mia
    If there is any P2P or online games played, this could be a possible source of the connections.
    Or if there are other unusual programs such as Skype, for example.

    As for your original question please do all of the following advice:

    1). To set the general Alerts for the Programs to a higher level of control - this will produce more alerts than the average. Hopefully something will appear in an Alert from the ZoneAlarm.

    Open the ZoneAlarm | Program Control | Main | Advanced button | Access Permissions tab.
    Set everything for both the Connection Attempts and Server Attempts to "Always ask ....".
    Apply and OK the window.

    2). To set the individual programs to ask for the usual connections to a higher level of control - this will produce more alerts than the average. Hopefully something will appear in an Alert from the ZoneAlarm.

    Open the ZoneAlarm | Program Control | Programs.
    Under the Access set the Internet to Ask (blue question mark).
    Under the Server, set both the Trusted and Internet to Ask (blue question mark).

    This needs to be used as there are previously allowed programs which could be the source of the unusual connections seen by your router. This new change of the individual program accesses and server should help you.

    3). To ensure all Alerts are shown.

    Open the ZoneAlarm | Alerts & Logs | Main | Alert Events Shown and set the radio button for the High

    4). To ensure all Events are logged.

    Open the ZoneAlarm | Alerts & Logs | Main | Event Logging and set the radio button to On.

    5). To ensure all Programs are logged.

    Open the ZoneAlarm | Alerts & Logs | Main | Program Logging and set the radio button to High.

    6). To set the Programs logging to a higher level of control.

    Open the ZoneAlarm | Alerts & Logs | Main | Program Logging | Custom button | Program Logs tab and press the "Select All" button.
    OK the window.

    7). To set the Programs logging and Alerts to a higher level of control.

    Open the ZoneAlarm | Alerts & Logs | Main | Advanced button | Alert Events tab and press the "Check All" button.
    Apply and OK the window.

    8). To create specific Expert Rules in the ZoneAlarm Firewall concerning these two IPs for exact logging and alerts.

    Open the ZoneAlarm | Firewall | Expert.
    Right Click anywhere on the blank space of the inside panel or press the Add button in the lower right hand corner of the panel.

    In the new Add Rule window, enter these items into the appropriate places as described:

    Rank: 1
    Name: Suspect IPs
    State: Enabled
    Action: Block
    Track: Alert and Log
    Source: My Computer
    Destination:
    *Left click the Modify button.
    *Select the Add Location.
    *Select IP Range
    In the new IP Range window

    Enter pccwglobal.com into the Description.
    In the first IP Address box enter 63.216.0.0
    In the second IP Address box enter 63.223.255.255
    OK the Add IP Range window.

    *Now repeat this procedure once again for the second questionable IP.
    *Left click the Modify button.
    *Select the Add Location.
    *Select IP Range
    In the new IP Range window

    Enter netlabplus.sk into the Description.
    In the first IP Address box enter 84.245.64.0
    In the second IP Address box enter 84.245.95.255
    OK the Add IP Range window.

    * the Destination panel should show both of the new entries by the Description.

    [NOTE: I selected the entire IP ranges not the specific IPs to ensure a complete coverage. This can be changed to the exact IPs if needed or wanted.]

    Protocol: Any
    * The Any is the default setting, as I can not see any need to refine the protocol to specific protocols such as just TCP or TCP & UDP.

    OK the New Rule window that is finished.
    Press the Apply button in the lower right hand corner of the Expert panel.

    [NOTE: Add any new IPs to the Destination as needed as they occur or appear or previously occurred.]

    9). To create specific Expert Rules in the ZoneAlarm Firewall concerning the unusual destination port for exact logging and alerts.

    Open the ZoneAlarm | Firewall | Expert.
    Right Click anywhere on the blank space of the inside panel or press the Add button in the lower right hand corner of the panel.

    In the new Add Rule window, enter these items into the appropriate places as described:

    Rank: 2
    Name: Suspect Ports
    State: Enabled
    Action: Block
    Track: Alert and Log
    Source: My Computer
    Destination:
    *Left click the Modify button.
    *Select the Add Location.
    Select the "Internet Zone"

    Protocol:
    *Left click the Modify button.
    *Select the Add Protocol.
    *In the new Add Protocol windows:
    In the Protocol drop down select TCP & UDP
    Enter Port 23404 into the Description.
    Enter 23404 into the Destination Port.
    Leave the Source port as the default setting of Any

    OK the Add Protocol window.

    [NOTE: Add any new ports to the Protocol as needed as they occur or appear or previously occurred.]

    OK the New Rule window that is finished.
    Press the Apply button in the lower right hand corner of the Expert panel.


    10). To create specific Expert Rules in the ZoneAlarm Firewall concerning the usual destination port for the HTTP and HTTPS to any Internet Address for exact logging and alerts.

    Open the ZoneAlarm | Firewall | Expert.
    Right Click anywhere on the blank space of the inside panel or press the Add button in the lower right hand corner of the panel.

    In the new Add Rule window, enter these items into the appropriate places as described:

    Rank: 3
    Name: Browser
    [NOTE: the name or term Browser is used loosely, as port 80 and port 443 traffic can be used by almost anything such as trojans, bots, updaters, email clients, etc.]
    State: Enabled
    Action: Enabled
    Track: Alert and Log
    Source: My Computer
    Destination:
    *Left click the Modify button.
    *Select the Add Location.
    Select the "Internet Zone"

    Protocol:
    *Left click the Modify button.
    *Select the Add Protocol.
    *In the new Add Protocol windows:
    In the Protocol drop down select TCP & UDP
    Enter HTTP into the Description.
    Enter 80 into the Destination Port.
    Leave the Source port as the default setting of Any
    [NOTE: this normally should be using the port range of 1023-5000 for the Source. But since we are attempting to check all of the outgoing traffic, the default ANY will cover the entire port range of 1-65535]
    OK the Add Protocol window.

    *Left click the Modify button.
    *Select the Add Protocol.
    *In the new Add Protocol windows:
    In the Protocol drop down select TCP & UDP
    Enter HTTPS into the Description.
    Enter 443 into the Destination Port.
    Leave the Source port as the default setting of Any
    [NOTE: this normally should be using the port range of 1023-5000 for the Source. But since we are attempting to check all of the outgoing traffic, the default ANY will cover the entire port range of 1-65535]
    OK the Add Protocol window.

    * the Protocol panel should show both of the new entries by the Description.

    OK the New Rule window that is finished.
    Press the Apply button in the lower right hand corner of the Expert panel.



    Now close the ZoneAlarm.
    Use the "Shutdown the ZA..." in the right click of the ZA icon in the windows tray.
    Restart the ZoneAlarm in the Start | All Programs | ZoneAlarm | ZoneAlarm Security.
    Your Zone Alarm firewall now should be set up properly for extra alerts and better logging.

    But only the specific ports and IP mentioned will be covered by the new Expert Rules in the Firewall.
    You should now see the Zone Alarm Alert on the desktop for every HTTP and HTTPS outgoing connection as it occurs. Furthermore, all of these HTTP and HTTPS connections will be logged by the ZoneAlarm - there will be nothing missed for any outgoing http and https traffic.
    And also for any possible connection to the mystery IPs.


    The actual packet filtering logs produced by the ZA are archived in the WINDOWS\Internet Logs folder. Using the notepad.exe look in the ZALog.txt, ZALog*.txt and the fwpktlog.txt files.
    Any of the previous mystery connections can be seen - use the Find of the notepad.exe to speed up the search.
    While you are still in the WINDOWS\Internet Logs folder, is there any LSPConflict.txt to be seen and does the fwdbglog.txt have any significant information? I am just curious more than anything else about the details found in the fwdbglog.txt and a possible LSPConflict.txt.

    If there is a possibility of some sort of malware producing these unknown connections, there are a few other further possibilities to examine.
    These apply to all software firewalls, not just the ZoneAlarm specifically:
    • A trojan inserts its own .dll into the Windows winsock. This will bypass the firewall packet filtering and the result is the software firewall never sees the packets from the trojan and therefore is not able to either log or control these unknown packets.
      Checking the Windows winsock is simple - verify all winsock .dlls by using the "netsh winsock show catalog" command in the command prompt (do not use the quotation marks).
    • Rootkits operate by installing a driver (.sys) which is often capable of making "silent" connections, thus avoiding any filtering by a software firewall.
      Some rootkits install their own TCP/IP stack, separate from the Windows native TCP/IP stack, thus avoiding any possible detection by the firewall or even by Windows itself.
    • Rogue toolbars or BHOs for a browser such as Internet Explorer will use the default allowed access permission for the browser to connect out.
      The rogue connections will be logged by the firewall along with the usual outgoing connections.
    • Windows has been infected already and is under the control of another party. This party could use any application, either by a new installation or by any previous and valid known file, to create connections or operate the computer to their own ends.
    • Update the antivirus and complete a full scan of the hard disk drive to ensure there is no installed malware.

    Best regards.
    Oldsod.
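The original question was which program on the PC produced the connections the router flagged. The reply above relies on ZoneAlarm alerts and log files; the script below is an added example, not from the thread or from ZoneAlarm, showing the complementary approach on Windows XP: capture `netstat -ano` (sockets with owning PID) and `tasklist` (PID to image name) at the time of the alert and join them against the router's pipe-delimited alert lines. It assumes Python 3 and the XP-era output layout of those two commands; all three text samples are constructed (the two alert lines reuse the endpoints quoted in the first post, the PIDs and process names are made up).

```python
# Added example (not from the thread): correlate a router's per-connection
# attack alerts with `netstat -ano` and `tasklist` output on Windows XP to
# name the process behind a flagged socket.  All samples are constructed.
import re
from collections import namedtuple

Alert = namedtuple("Alert", "src dst desc")
Conn = namedtuple("Conn", "proto local remote state pid")

# Router alert lines in the format quoted in the thread (constructed sample).
ROUTER_ALERTS = """\
|192.168.1.34:3015 |63.217.30.60:80 |ATTACK syn flood TCP (L to W1)
|192.168.1.34:28801 |84.245.95.236:23404 |ATTACK ports scan UDP (L to W1)
"""

# `netstat -ano` as Windows XP prints it (constructed; PIDs are arbitrary).
NETSTAT_ANO = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.168.1.34:3015      63.217.30.60:80        SYN_SENT        1644
  TCP    192.168.1.34:3020      63.217.30.60:80        ESTABLISHED     1644
  UDP    192.168.1.34:28801     *:*                                    2288
"""

# `tasklist` output (constructed; the process names are hypothetical).
TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
svchost.exe                  812 Console                 0      4,812 K
firefox.exe                 1644 Console                 0     61,204 K
updater.exe                 2288 Console                 0      3,116 K
"""

# UDP rows have no State column, hence the optional group before the PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
# Image names may contain spaces, so match the PID column from the right.
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_alerts(text):
    """Parse the pipe-delimited alert lines into (src, dst, description)."""
    alerts = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        if len(fields) >= 3:
            alerts.append(Alert(fields[0], fields[1], fields[2]))
    return alerts


def parse_netstat(text):
    """Return one Conn per TCP/UDP row of `netstat -ano`."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            conns.append(Conn(proto, local, remote, state or "", int(pid)))
    return conns


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def attribute(alerts, conns, procs):
    """Map each alert to the PID(s) and process owning the flagged local socket.

    The router reports the LAN-side source IP:port, so the join key is the
    local endpoint plus protocol.  netstat is a snapshot: a SYN flood may be
    over before it runs, so no match means 'not caught', not 'no process'.
    """
    results = []
    for a in alerts:
        proto = "UDP" if "UDP" in a.desc.upper() else "TCP"
        owners = sorted({c.pid for c in conns if c.proto == proto and c.local == a.src})
        names = ", ".join(procs.get(p, "pid %d (not in tasklist)" % p) for p in owners)
        results.append({"alert": a, "pids": owners, "process": names or None})
    return results


if __name__ == "__main__":
    rows = attribute(parse_alerts(ROUTER_ALERTS), parse_netstat(NETSTAT_ANO), parse_tasklist(TASKLIST))
    for r in rows:
        print("%s -> %s : %s" % (r["alert"].src, r["alert"].dst, r["process"] or "no matching socket in snapshot"))
```

On the XP box, capture both commands from a command prompt (`netstat -ano > netstat.txt`, `tasklist > tasklist.txt`) as close to the router alert as possible; `netstat -ano 5` re-samples every five seconds, and `netstat -b` (XP SP2 and later) prints the executable name directly at the cost of being slower. Because ephemeral source ports such as 3015 are reused, a match from a snapshot taken minutes later can point at the wrong process, which is why the persistent ZoneAlarm program log remains the better record.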

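The post's first malware check is to inspect the Winsock catalog with `netsh winsock show catalog`, because a trojan installed as a Layered Service Provider sits inside the browser's own socket calls and is invisible to a packet-filtering firewall. The script below is an added example (not from the thread) that parses that command's XP-era output and flags every layered provider and every provider whose DLL is not one of the stock Windows XP providers. The catalog text is constructed; `examplelsp.dll` and its path are hypothetical, and the allow-list is an assumption to be adjusted for products (antivirus, VPN clients) that install legitimate LSPs.

```python
# Added example (not from the thread): parse `netsh winsock show catalog`
# output and flag Winsock provider entries that are not stock Windows XP
# providers.  The catalog text below is constructed; examplelsp.dll is
# hypothetical.  Name space provider entries use a different header in the
# real output and are ignored here.

# Assumption: stock XP protocol providers.  Extend for legitimate third-party
# LSPs installed on the machine.
KNOWN_MS_PROVIDERS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

NETSH_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP
Provider ID:                        {11111111-2222-3333-4444-555555555555}
Provider Path:                      C:\Program Files\Example\examplelsp.dll
Catalog Entry ID:                   1030
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Chain Entry
Description:                        Example LSP over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {11111111-2222-3333-4444-555555555556}
Provider Path:                      C:\Program Files\Example\examplelsp.dll
Catalog Entry ID:                   1031
Version:                            2
Address Family:                     2
Max Address Length:                 16
Min Address Length:                 16
Socket Type:                        1
Protocol:                           6
Protocol Chain Length:              2
"""


def parse_catalog(text):
    """Split the netsh output into one {field: value} dict per provider entry."""
    entries = []
    for block in text.split("Winsock Catalog Provider Entry")[1:]:
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # first colon only: paths keep "C:\"
            if sep and not line.startswith("-"):
                entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries


def dll_name(path):
    """Basename of a provider path, lower-cased, tolerant of %SystemRoot%."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_entries(entries):
    """Flag layered providers and any DLL outside the known-provider set.

    A layered entry is always reported: legitimate LSPs exist, but each one
    deserves a look at the DLL's publisher and hash before it is trusted.
    """
    flagged = []
    for e in entries:
        path = e.get("Provider Path", "")
        etype = e.get("Entry Type", "")
        if etype.lower().startswith("layered") or dll_name(path) not in KNOWN_MS_PROVIDERS:
            flagged.append({"id": e.get("Catalog Entry ID"), "type": etype,
                            "desc": e.get("Description"), "path": path})
    return flagged


if __name__ == "__main__":
    for f in suspicious_entries(parse_catalog(NETSH_CATALOG)):
        print("%s  %-24s %s  (%s)" % (f["id"], f["type"], f["path"], f["desc"]))
```

Run `netsh winsock show catalog > winsock.txt` on the XP machine and point the parser at the file. A path under system32 is not proof of legitimacy (malware can drop its DLL there), so treat the list as a shortlist and verify each flagged DLL's digital signature and hash. If a rogue LSP is confirmed, `netsh winsock reset` (XP SP2 and later) rebuilds the catalog with the default providers.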