[Dshield] Kiwi Syslog vs ZoneAlarm

Dean White dean at achillean.com.au
Mon Jul 8 11:31:18 GMT 2002


Neil,
Whilst I am unfamiliar with the log format you have shown below, from what you 
are describing below, I believe you are seeing a TCP retry. 

If the source host does not receive a response to an initial SYN within a 
pre-determined time it sends the packet again. 
(A response can be a SYN+ACK, a reset or an ICMP unreachable message, i.e. 
network or host unreachable, admin filtered etc.) TCP retry packets have the
same source/destination ports and initial sequence number etc. as the original
sent packet. This is what, I believe, you are witnessing.

When ZoneAlarm is running in HIGH security mode, it does not send back any
response to the source, so the source will continue to retry. The number of
times a source will retry is determined by the Operating System TCP/IP stack in
question.

ZoneAlarm probably assumes these packets are from a TCP retry and therefore only
reports the incident once, whilst your NG router records all the TCP retry 
packets as well.

Finally, about the packet data you are seeing, what TCP flags are set? 
Is there indeed data being sent on a SYN or is the NG reporting something else,
say TCP flag status etc?

I hope this answers your question.

Cheers,
Dean White
Asia-Pac Incident Co-Ordinator
Incidents.org


On Sun, Jul 07, 2002 at 11:40:16PM -0700, Neil Richardson wrote:
> Hello.
> 
>     I hate to bother everyone with this, but I'm a bit out of my depth and 
> would greatly appreciate some advice...
> 
>     I typically use ZoneAlarm (Personal, set to stealth-mode) for my 
> firewalling needs.  However, ZA does not record the contents of the packet, 
> merely the packet stats (To, from, to-port, from-port, etc.)  I also am 
> using a NetGear router, which has its own built-in firewall.  I am trying 
> to set up the NG firewall to monitor particularly important ports (like 80) 
> and send the firewall log--packet data and all--to my monitoring 
> machine.  At the suggestion of Wayne (IIRC), I installed Kiwi Syslog Daemon 
> on one of my internal machines (because the router sends its logs in 
> syslog format via UDP).
> 
>     For the moment, I have set NG to monitor a port I get the most blocked 
> packets on (1433), log any traffic it gets, but then pass it through.  A 
> machine with ZA and Kiwi is sitting in the DMZ, so the packet falls in 
> there and gets killed by ZA.  This way, I can compare the ZA log to the NG 
> log and make sure that NG correctly identified all the packets on that port 
> (and that I haven't misconfigured anything).
> 
>     So far, packets logged in ZA are also logged by NG, but I noticed 
> something strange: whenever a connection attempt is made, NG registers 
> *three* identical packets: the second one ~3 seconds after the first, and 
> the third one ~5 seconds after the second.
> 
>     My first thought was that it was the three packets involved in a 
> standard TCP handshake, but there are three problems with this: A) The 
> 'source' and 'dest' ports would change for the second one, B) ZA is 
> dropping the packets, not allowing the handshake, and C) the payload should 
> be different (or empty).  However, it seems that every packet has an 
> identical payload of 8 characters.
> 
>     Here is the most recent example from my logs (abbreviated due to 
> excessively long lines.  My router is named BigMouth, and the listening 
> machine is at 192.168.0.2):
> 
> ---------- Begin Excerpt ----------
> 7-7-02 23:19:54  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
> 7-7-02 23:19:48  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
> 7-7-02 23:19:45  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
> ---------- End Excerpt ----------
> 
> 
>     If anyone could suggest A) Why NG sees 3 packets but ZA only sees 1, or 
> B) why the packet data is always "S04>R01mF" I would greatly appreciate it.
> 
> 
> Thanks!
> 
> -Neil R.
> 
> -- 
> Supreme Lord High Commander and Keeper of the Holy Potato
> ----------
> Random thought for the day:
> 
>     I'm not crazy!  I'm "reality impaired"...
> 
> 
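A defender-side illustration of Dean's TCP-retry explanation, added here as an example and not code from either message: the Python below parses the BigMouth lines Neil posted (re-joined after mail wrapping; the field layout is assumed from that excerpt only) and folds repeats of the same source/destination/port tuple into one attempt, so the three log lines come out as a single probe with retry gaps of 3 and 6 seconds and an unchanged trailer.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the three NetGear lines from the post, each re-joined
# onto a single line (the mail client wrapped them after "TCP").
SAMPLE_LOG = """\
7-7-02 23:19:54  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:48  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:45  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
"""

# Field layout is inferred from the excerpt above; assumed to hold for other lines.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}-\d{1,2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+\S+: "
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<proto>\w+) "
    r"spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\](?P<trailer>.*)$"
)

def parse_line(line):
    """Return (timestamp, flow tuple, trailer text) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%m-%d-%y %H:%M:%S")
    flow = (m["src"], int(m["spo"]), m["dst"], int(m["dpo"]), m["proto"])
    return ts, flow, m["trailer"]

def collapse_retries(text):
    """Fold repeated hits on one flow into a single attempt with retry gaps.

    A retransmitted SYN keeps the same source port and sequence number; a new
    connect() would normally pick a fresh ephemeral port, so an identical
    tuple repeating a few seconds apart is one attempt, not several.
    """
    by_flow = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, flow, trailer = parsed
            by_flow[flow].append((ts, trailer))
    attempts = []
    for flow, hits in by_flow.items():
        hits.sort()  # the router log was printed newest-first
        times = [ts for ts, _ in hits]
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        attempts.append({
            "src": flow[0], "spo": flow[1], "dst": flow[2], "dpo": flow[3],
            "first_seen": times[0], "packets": len(hits), "gaps_sec": gaps,
            "same_trailer": len({t for _, t in hits}) == 1,
        })
    return attempts
```

Feeding the whole Kiwi capture through collapse_retries() gives one record per probe, which is the view ZoneAlarm's single entry already reflects and makes the two logs directly comparable.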