SV: [Dshield] Kiwi Syslog vs ZoneAlarm

Johan Strand Johan.Strand at frontend.se
Mon Jul 8 12:00:47 GMT 2002


Standard timeout retries. This is a very common behaviour for TCP-based
connections. Try once ... wait a couple of seconds ... no response, try
again ... wait a little longer ... no response, give up.

I'm not sure about ZA, but I guess it knows about this behaviour and
doesn't log the retries as separate connection attempts.

	/Johan

-----Original Message-----
From: Neil Richardson [mailto:neilr at ieee.org]
Sent: 8 July 2002 08:40
To: list at dshield.org
Subject: [Dshield] Kiwi Syslog vs ZoneAlarm


Hello.

    I hate to bother everyone with this, but I'm a bit out of my depth and
would greatly appreciate some advice...

    I typically use ZoneAlarm (Personal, set to stealth-mode) for my
firewalling needs.  However, ZA does not record the contents of the packet,
merely the packet stats (to, from, to-port, from-port, etc.).  I also am
using a NetGear router, which has its own built-in firewall.  I am trying
to set up the NG firewall to monitor particularly important ports (like 80)
and send the firewall log--packet data and all--to my monitoring machine.
At the suggestion of Wayne (IIRC), I installed Kiwi Syslog Daemon on one of
my internal machines (because the router sends its logs in syslog format
via UDP).

    For the moment, I have set NG to monitor a port I get the most blocked
packets on (1433), log any traffic it gets, but then pass it through.  A
machine with ZA and Kiwi is sitting in the DMZ, so the packet falls in
there and gets killed by ZA.  This way, I can compare the ZA log to the NG
log and make sure that NG correctly identified all the packets on that port
(and that I haven't misconfigured anything).

    So far, packets logged in ZA are also logged by NG, but I noticed
something strange: whenever a connection attempt is made, NG registers
*three* identical packets: the second one ~3 seconds after the first, and
the third one ~5 seconds after the second.

    My first thought was that it was the three packets involved in a
standard TCP handshake, but there are three problems with this: A) The
'source' and 'dest' ports would change for the second one, B) ZA is
dropping the packets, not allowing the handshake, and C) the payload should
be different (or empty).  However, it seems that every packet has an
identical payload of 8 characters.

    Here is the most recent example from my logs (abbreviated due to
excessively long lines.  My router is named BigMouth, and the listening
machine is at 192.168.0.2):

---------- Begin Excerpt ----------
7-7-02 23:19:54  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:48  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:45  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF
---------- End Excerpt ----------


    If anyone could suggest A) Why NG sees 3 packets but ZA only sees 1, or
B) why the packet data is always "S04>R01mF" I would greatly appreciate
it.


Thanks!

-Neil R.

-- 
Supreme Lord High Commander and Keeper of the Holy Potato
----------
Random thought for the day:

    I'm not crazy!  I'm "reality impaired"...
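As an added example (not part of Johan's reply or Neil's mail), here is a small Python script that reads lines in the NetGear syslog format quoted above, collapses repeats of the same source, source port, destination, destination port and payload that arrive within a short window into one connection attempt, and flags the growing gap between repeats (3 s, then 6 s in the excerpt) that is characteristic of a TCP sender's SYN retransmission back-off. This is roughly what ZoneAlarm appears to do implicitly; doing it explicitly on the router log makes the NG and ZA logs directly comparable. The field layout is assumed from the three quoted lines only, the fourth sample line is constructed to show a new connection from a new source port being counted separately, and the payload bytes are matched verbatim, not interpreted.

```python
import re
from datetime import datetime, timedelta

# Sample input: the three NetGear lines quoted in Neil's message, re-joined
# onto one line each, plus one CONSTRUCTED line (different source port, later
# time) to show a genuinely new attempt being kept separate.
NG_LOG_LINES = [
    "7-7-02 23:19:54  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF",
    "7-7-02 23:19:48  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF",
    "7-7-02 23:19:45  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02353 dpo=01433]}S04>R01mF",
    "7-7-02 23:25:10  BigMouth: IP[Src=211.106.127.50 Dst=192.168.0.2 TCP spo=02410 dpo=01433]}S04>R01mF",  # constructed
]

# Field layout is an assumption taken from the excerpt; other firmware may differ.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}-\d{1,2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<host>\S+):\s+"
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<proto>\w+) "
    r"spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\](?P<payload>.*)$"
)


def parse_line(line):
    """Return a dict for one router log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m-%d-%y %H:%M:%S")
    rec["spo"] = int(rec["spo"])  # drop the zero padding: 02353 -> 2353
    rec["dpo"] = int(rec["dpo"])
    return rec


def group_attempts(lines, window=timedelta(seconds=30)):
    """Collapse repeats of one (src, sport, dst, dport, proto, payload) key that
    arrive within `window` of the previous repeat into a single attempt.

    A retransmitted SYN reuses the same source port and carries the same
    bytes, so in this log it differs from the original only by timestamp;
    a new connection from the same host normally uses a new source port.
    """
    records = sorted(filter(None, map(parse_line, lines)), key=lambda r: r["ts"])
    attempts, open_by_key = [], {}
    for r in records:
        key = (r["src"], r["spo"], r["dst"], r["dpo"], r["proto"], r["payload"])
        a = open_by_key.get(key)
        if a is not None and r["ts"] - a["last"] <= window:
            a["gaps"].append(int((r["ts"] - a["last"]).total_seconds()))
            a["last"] = r["ts"]
            a["count"] += 1
        else:
            a = {"key": key, "first": r["ts"], "last": r["ts"], "count": 1, "gaps": []}
            open_by_key[key] = a
            attempts.append(a)
    return attempts


def looks_like_retransmit(attempt):
    """True when there are repeats and each gap is strictly longer than the
    one before it (3 s then 6 s in the excerpt): the growing back-off of a
    TCP sender's SYN retransmission timer, as opposed to a client that
    deliberately reconnects at a fixed rate."""
    gaps = attempt["gaps"]
    return len(gaps) >= 1 and all(b > a for a, b in zip(gaps, gaps[1:]))


def summarize(lines):
    """One line per attempt, which is the granularity the ZA log uses."""
    out = []
    for a in group_attempts(lines):
        src, spo, dst, dpo, proto, _ = a["key"]
        kind = "retransmit pattern" if looks_like_retransmit(a) else "repeats"
        out.append(f"{a['first']:%H:%M:%S} {proto} {src}:{spo} -> {dst}:{dpo} "
                   f"{a['count']} packets, gaps {a['gaps']} s ({kind})")
    return out


if __name__ == "__main__":
    for line in summarize(NG_LOG_LINES):
        print(line)
```

Run as-is, the script reports the three quoted lines as one attempt of 3 packets with gaps [3, 6] and the constructed line as a separate single-packet attempt; feeding it a day's worth of router lines gives a list whose length should match the number of ZA entries for the same port. The 30-second window is a tuning assumption: SYN retries back off roughly doubling, so a window shorter than the largest expected gap would split one attempt in two.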


_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list



