[Dshield] Kiwi Syslog vs ZoneAlarm
neilr at ieee.org
Mon Jul 8 06:40:16 GMT 2002
I hate to bother everyone with this, but I'm a bit out of my depth and
would greatly appreciate some advice...
I typically use ZoneAlarm (Personal, set to stealth mode) for my
firewalling needs. However, ZA does not record the contents of the packet,
merely the packet stats (to, from, to-port, from-port, etc.). I am also
using a NetGear router, which has its own built-in firewall. I am trying
to set up the NG firewall to monitor particularly important ports (like 80)
and send the firewall log--packet data and all--to my monitoring
machine. At the suggestion of Wayne (IIRC), I installed Kiwi Syslog Daemon
on one of my internal machines (because the router sends its logs in
syslog format via UDP).
For the moment, I have set NG to monitor a port I get the most blocked
packets on (1433), log any traffic it gets, but then pass it through. A
machine with ZA and Kiwi is sitting in the DMZ, so the packet falls in
there and gets killed by ZA. This way, I can compare the ZA log to the NG
log and make sure that NG correctly identified all the packets on that port
(and that I haven't misconfigured anything).
So far, packets logged in ZA are also logged by NG, but I noticed
something strange: whenever a connection attempt is made, NG registers
*three* identical packets: the second one ~3 seconds after the first, and
the third one ~5 seconds after the second.
My first thought was that it was the three packets involved in a
standard TCP handshake, but there are three problems with this: A) The
'source' and 'dest' ports would change for the second one, B) ZA is
dropping the packets, not allowing the handshake, and C) the payload should
be different (or empty). However, it seems that every packet has an
identical payload of 8 characters.
Here is the most recent example from my logs (abbreviated due to
excessively long lines. My router is named BigMouth, and the listening
machine is at 192.168.0.2):
---------- Begin Excerpt ----------
7-7-02 23:19:54 BigMouth: IP[Src=184.108.40.206 Dst=192.168.0.2 TCP
7-7-02 23:19:48 BigMouth: IP[Src=220.127.116.11 Dst=192.168.0.2 TCP
7-7-02 23:19:45 BigMouth: IP[Src=18.104.22.168 Dst=192.168.0.2 TCP
---------- End Excerpt ----------
If anyone could suggest A) Why NG sees 3 packets but ZA only sees 1, or
B) why the packet data is always "S04>R01mF" I would greatly appreciate it.
Supreme Lord High Commander and Keeper of the Holy Potato
Random thought for the day:
I'm not crazy! I'm "reality impaired"...
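As an added example (not part of the original post, and not code from NetGear or Kiwi), here is a small Python script that takes the router's syslog lines in the layout shown in the excerpt and collapses repeats from the same source into one record per connection attempt. A client whose SYN is dropped and never answered retransmits it on an exponential backoff (3 s, then 6 s on the Windows stacks of the time), which is consistent with the 3-then-roughly-5-second spacing reported above, so grouping identical (source, destination, protocol) entries that arrive within a short window gives one row per attempt, the granularity at which the post reports ZoneAlarm logging. The log lines, the 203.0.113.x addresses, and the 30-second window are constructed or assumed; the original excerpt was truncated after the protocol field, so nothing past it is parsed.

```python
"""Collapse repeated router syslog entries into one record per connection attempt.

Added example (not from the original post, NetGear or Kiwi).  It assumes the line
layout visible in the quoted excerpt:
    M-D-YY HH:MM:SS <router>: IP[Src=A Dst=B TCP
Everything after the protocol is ignored because the excerpt was truncated there.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the quoted format (newest first, as Kiwi displays them).
# Sources are RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
7-7-02 23:19:54 BigMouth: IP[Src=203.0.113.5 Dst=192.168.0.2 TCP
7-7-02 23:19:48 BigMouth: IP[Src=203.0.113.5 Dst=192.168.0.2 TCP
7-7-02 23:19:45 BigMouth: IP[Src=203.0.113.5 Dst=192.168.0.2 TCP
7-7-02 23:12:10 BigMouth: IP[Src=203.0.113.9 Dst=192.168.0.2 TCP
7-7-02 23:12:07 BigMouth: IP[Src=203.0.113.9 Dst=192.168.0.2 TCP
7-7-02 23:12:04 BigMouth: IP[Src=203.0.113.9 Dst=192.168.0.2 TCP
7-7-02 22:40:00 BigMouth: IP[Src=203.0.113.5 Dst=192.168.0.2 TCP
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}-\d{1,2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+): IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<proto>\w+)"
)

# A client that never gets a SYN/ACK retransmits its SYN on an exponential backoff
# (3 s, then 6 s on Windows stacks of the era), so one attempt's whole burst fits
# inside a 30 s window.  Assumed value; adjust for other client stacks.
RETRANSMIT_WINDOW = timedelta(seconds=30)


def parse_line(line):
    """Return a dict for one router line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%y %H:%M:%S")
    return {"when": when, "host": m["host"], "src": m["src"],
            "dst": m["dst"], "proto": m["proto"]}


def collapse_attempts(log_text, window=RETRANSMIT_WINDOW):
    """Group identical (src, dst, proto) entries that arrive within `window` of the
    previous packet into one attempt.  Returns attempts ordered by first_seen."""
    packets = [p for p in (parse_line(l) for l in log_text.splitlines()) if p]
    packets.sort(key=lambda p: p["when"])  # Kiwi shows newest first; walk oldest first

    open_attempts = {}  # (src, dst, proto) -> the attempt currently being extended
    attempts = []
    for p in packets:
        key = (p["src"], p["dst"], p["proto"])
        cur = open_attempts.get(key)
        if cur is not None and p["when"] - cur["last_seen"] <= window:
            gap = int((p["when"] - cur["last_seen"]).total_seconds())
            cur["intervals"].append(gap)  # seconds since the previous retransmit
            cur["last_seen"] = p["when"]
            cur["count"] += 1
            continue
        cur = {"src": p["src"], "dst": p["dst"], "proto": p["proto"],
               "first_seen": p["when"], "last_seen": p["when"],
               "count": 1, "intervals": []}
        open_attempts[key] = cur
        attempts.append(cur)
    attempts.sort(key=lambda a: a["first_seen"])
    return attempts


if __name__ == "__main__":
    for a in collapse_attempts(SAMPLE_LOG):
        print(f"{a['first_seen']:%Y-%m-%d %H:%M:%S} {a['src']} -> {a['dst']} "
              f"{a['proto']}: {a['count']} packet(s), gaps {a['intervals']}s")
```

Run it as-is to see the grouped output, or read a Kiwi export from disk and pass its text to collapse_attempts(). If the router is later configured to log ports as well, extend the regex and the grouping key so that separate attempts from one host to different ports are not merged into a single record.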