[Dshield] Kiwi Syslog vs ZoneAlarm
neilr at ieee.org
Mon Jul 8 15:36:20 GMT 2002
At 04:31 AM 7/8/2002, you wrote:
>When Zonealarm is running in HIGH security mode, it does not send back any
>response to the source, so the source will continue to retry. The amount of
>times a source will retry is determined by the Operating System TCP/IP
>Zonealarm probably assumes these packets are from a TCP retry and
>reports the incident once, whilst your NG router records all the TCP retry
>packets as well.
I had never thought about ZA's Stealth Mode and the "retry" packets.
What you're saying makes sense, although I had originally thought that
the delay would be closer to 5-10 seconds per packet (or longer); but when
I open a DOS window and ping something that doesn't respond (nsa.gov) it
takes about ~3-7 seconds between "Request timed out" messages, so the
timing fits your idea (though 3 seconds seems a bit short in periods of
high latency to me).
>Finally, about the packet data you are seeing, what TCP flags are set?
>Is there indeed data being sent on a SYN or is the NG reporting something
>say TCP flag status etc?
If Kiwi has this information, I don't know how to extract it: the only
fields I can identify are Date/Time, Priority (Local7.Notice due to my
debugging settings), Hostname (LAN IP of the router), and the "Message"
which contained the "BigMouth: IP[Src=(....)" line that I quoted
earlier. It's possible that the "S04>R01mF" may be from the packet fields
instead of the payload field, but offhand I can't think of what fields it'd
be (although I freely admit I'm not as knowledgeable on packet structure as
others here. :-)
Supreme Lord High Commander and Keeper of the Holy Potato
Random thought for the day:
All wiyht. Rho sritched mg kegtops awound?
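As an added illustration of the retry explanation above (this is not code from the thread), a small Python script that collapses repeated SYNs from the same source address and source port into a single incident, which is roughly how ZoneAlarm's one report relates to the router's several log entries. The log layout is constructed, since the thread does not show Kiwi's full message format; the retry window of 60 seconds is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in a simplified layout (not Kiwi's real format):
# timestamp, src:port -> dst:port, TCP flags. The first three lines mimic a
# single SYN being retransmitted with growing gaps because the target never
# answers (stealth mode); the others are unrelated connection attempts.
SAMPLE_LOG = """\
2002-07-08 04:30:01 10.0.0.5:3321 -> 192.168.1.2:80 S
2002-07-08 04:30:04 10.0.0.5:3321 -> 192.168.1.2:80 S
2002-07-08 04:30:10 10.0.0.5:3321 -> 192.168.1.2:80 S
2002-07-08 04:31:00 10.0.0.9:4000 -> 192.168.1.2:25 S
2002-07-08 04:45:00 10.0.0.5:3322 -> 192.168.1.2:80 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse(log_text):
    """Parse the constructed format into (timestamp, 5-tuple-ish key) pairs."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])
        records.append((ts, key))
    return records


def collapse_retries(log_text, window=timedelta(seconds=60)):
    """Merge packets with the same src/sport/dst/dport/flags arriving within
    `window` of the previous one into one incident. A fresh connection attempt
    normally uses a new ephemeral source port, so it becomes a new incident."""
    incidents = []
    open_by_key = {}
    for ts, key in sorted(parse(log_text)):
        cur = open_by_key.get(key)
        if cur is not None and ts - cur["last"] <= window:
            cur["count"] += 1  # looks like a TCP retransmission of the same SYN
            cur["last"] = ts
            continue
        cur = {"key": key, "first": ts, "last": ts, "count": 1}
        incidents.append(cur)
        open_by_key[key] = cur
    return incidents
```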