Re: [Dshield] Kiwi Syslog vs ZoneAlarm

Johan Strand Johan.Strand at
Mon Jul 8 12:00:47 GMT 2002

Standard timeout retries. This is a very common behaviour for TCP-based
connections. Try once ... wait a couple of seconds ... no response, try
again ... wait a little longer ... no response, give up.

I'm not sure about ZA, but I guess it knows about this behaviour and
doesn't log the retries as separate connection attempts.


-----Original Message-----
From: Neil Richardson [mailto:neilr at]
Sent: 8 July 2002 08:40
To: list at
Subject: [Dshield] Kiwi Syslog vs ZoneAlarm


    I hate to bother everyone with this, but I'm a bit out of my depth
would greatly appreciate some advice...

    I typically use ZoneAlarm (Personal, set to stealth-mode) for my 
firewalling needs.  However, ZA does not record the contents of the
merely the packet stats (To, from, to-port, from-port, etc.)  I also am 
using a NetGear router, which has its own built-in firewall.  I am
to set up the NG firewall to monitor particularly important ports (like
and send the firewall log--packet data and all--to my monitoring 
machine.  At the suggestion of Wayne (IIRC), I installed Kiwi Syslog
on one of my internal machines (because the router sends its logs in 
syslog format via UDP).

    For the moment, I have set NG to monitor a port I get the most
packets on (1433), log any traffic it gets, but then pass it through.  A
machine with ZA and Kiwi are sitting in the DMZ, so the packet falls in 
there and gets killed by ZA.  This way, I can compare the ZA log to the
log and make sure that NG correctly identified all the packets on that
(and that I haven't misconfigured anything).

    So far, packets logged in ZA are also logged by NG, but I noticed 
something strange: whenever a connection attempt is made, NG registers 
*three* identical packets: the second one ~3 seconds after the first,
the third one ~5 seconds after the second.

    My first thought was that it was the three packets involved in a 
standard TCP handshake, but there are three problems with this: A) The 
'source' and 'dest' ports would change for the second one, B) ZA is 
dropping the packets, not allowing the handshake, and C) the payload
be different (or empty).  However, it seems that every packet has an 
identical payload of 8 characters.

    Here is the most recent example from my logs (abbreviated due to 
excessively long lines.  My router is named BigMouth, and the listening 
machine is at

---------- Begin Excerpt ----------
7-7-02 23:19:54  BigMouth: IP[Src= Dst= TCP 
spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:48  BigMouth: IP[Src= Dst= TCP 
spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:45  BigMouth: IP[Src= Dst= TCP 
spo=02353 dpo=01433]}S04>R01mF
---------- End Excerpt ----------

    If anyone could suggest A) Why NG sees 3 packets but ZA only sees 1,
B) why the packet data is always "S04>R01mF" I would greatly appreciate


-Neil R.

Supreme Lord High Commander and Keeper of the Holy Potato
Random thought for the day:

    I'm not crazy!  I'm "reality impaired"...

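One way to check the retry explanation against the router log is to collapse syslog entries that share the same flow tuple within a short window and look at the gaps between them. This is an added example, not code from either poster; the log lines are constructed in the router's format as shown in the thread, with RFC 5737 placeholder addresses because the post's IPs were elided.

```python
import re
from datetime import datetime

# Constructed sample in the NetGear/Kiwi line format quoted in the thread.
# 203.0.113.7 and 192.0.2.10 are documentation placeholders, not real hosts.
SAMPLE_LOG = """\
7-7-02 23:19:45  BigMouth: IP[Src=203.0.113.7 Dst=192.0.2.10 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:48  BigMouth: IP[Src=203.0.113.7 Dst=192.0.2.10 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:19:54  BigMouth: IP[Src=203.0.113.7 Dst=192.0.2.10 TCP spo=02353 dpo=01433]}S04>R01mF
7-7-02 23:20:30  BigMouth: IP[Src=203.0.113.7 Dst=192.0.2.10 TCP spo=02354 dpo=01433]}S04>R01mF
"""

LINE_RE = re.compile(
    r"(?P<date>\S+) (?P<time>\S+)\s+\S+: IP\[Src=(?P<src>\S+) Dst=(?P<dst>\S+) "
    r"(?P<proto>\w+) spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\]"
)


def parse_line(line):
    """Return (timestamp, src, dst, proto, sport, dport) or None if unparseable."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m-%d-%y %H:%M:%S")
    return (ts, m["src"], m["dst"], m["proto"], int(m["spo"]), int(m["dpo"]))


def collapse_retries(log_text, window=60):
    """Group entries by flow tuple. Entries for the same flow that arrive within
    `window` seconds of the first one are counted as retries of one attempt,
    which is how a host firewall that tracks connection state would see them."""
    attempts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, *flow = rec
        flow = tuple(flow)
        for a in attempts:
            if a["flow"] == flow and (ts - a["first"]).total_seconds() <= window:
                a["gaps"].append((ts - a["last"]).total_seconds())
                a["last"] = ts
                a["count"] += 1
                break
        else:
            attempts.append({"flow": flow, "first": ts, "last": ts, "count": 1, "gaps": []})
    return attempts
```

Run over the sample, the first flow collapses to one attempt with three router entries and inter-arrival gaps of 3 and 6 seconds, while the second source port starts a separate attempt.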