[Dshield] Kiwi Syslog vs ZoneAlarm

Neil Richardson neilr at ieee.org
Mon Jul 8 15:36:20 GMT 2002

At 04:31 AM 7/8/2002, you wrote:
>When Zonealarm is running in HIGH security mode, it does not send back any
>response to the source, so the source will continue to retry. The amount of
>times a source will retry is determined by the Operating System TCP/IP stack in
>Zonealarm probably assumes these packets are from a TCP retry and therefore only
>reports the incident once, whilst your NG router records all the TCP retry
>packets as well.

    I had never thought about ZA's Stealth Mode and the "retry" packets.
    What you're saying makes sense, although I had originally thought that 
the delay would be closer to 5-10 seconds per packet (or longer); but when 
I open a DOS window and ping something that doesn't respond (nsa.gov) it 
takes about ~3-7 seconds between "Request timed out" messages, so the 
timing fits your idea (though 3 seconds seems a bit short in periods of 
high latency to me).

>Finally, about the packet data you are seeing, what TCP flags are set?
>Is there indeed data being sent on a SYN or is the NG reporting something 
>say TCP flag status etc?

    If Kiwi has this information, I don't know how to extract it: the only 
fields I can identify are Date/Time, Priority (Local7.Notice due to my 
debugging settings), Hostname (LAN IP of the router), and the "Message" 
which contained the "BigMouth: IP[Src=(....)" line that I quoted 
earlier.  It's possible that the "S04>R01mF" may be from the packet fields 
instead of the payload field, but offhand I can't think of what fields it'd 
be (although I freely admit I'm not as knowledgeable on packet structure as 
others here.  :-)


-Neil R.
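An added example, not part of the original thread, of what the quoted explanation implies for log reconciliation: a small Python script that collapses retransmitted SYNs from the same source/destination pair into one connection attempt, so a router log that records every retry can be compared with a firewall log that reports each incident once. The sample events, their field layout and the 3/6/12 second spacing (a doubling backoff, in line with the 3-7 second gaps observed above) are constructed, since the post does not show the full Kiwi message format.

```python
from datetime import datetime, timedelta

# Constructed router-style events (not from the post); each tuple is
# (timestamp, src_ip, src_port, dst_ip, dst_port, tcp_flags).
SAMPLE_EVENTS = [
    ("2002-07-08 15:30:00", "192.0.2.10", 3412, "198.51.100.5", 80, "S"),
    ("2002-07-08 15:30:03", "192.0.2.10", 3412, "198.51.100.5", 80, "S"),  # retry
    ("2002-07-08 15:30:09", "192.0.2.10", 3412, "198.51.100.5", 80, "S"),  # retry
    ("2002-07-08 15:30:21", "192.0.2.10", 3412, "198.51.100.5", 80, "S"),  # retry
    ("2002-07-08 15:30:04", "192.0.2.10", 3413, "198.51.100.5", 443, "S"), # new attempt, new src port
    ("2002-07-08 15:31:00", "203.0.113.7", 40000, "198.51.100.5", 80, "S"),
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def collapse_retries(events, window=timedelta(seconds=90)):
    """Group bare SYNs sharing a 4-tuple that arrive within `window` of the
    first one into a single attempt. Returns a list of attempt dicts with
    the 4-tuple, first/last time, packet count and inter-packet deltas."""
    attempts = []        # one entry per distinct connection attempt
    open_by_tuple = {}   # 4-tuple -> index of the attempt still within its window
    for ts, sip, sport, dip, dport, flags in sorted(events, key=lambda e: _parse(e[0])):
        if "S" not in flags or "A" in flags:
            continue     # only unanswered SYNs are retried by the source
        t = _parse(ts)
        key = (sip, sport, dip, dport)
        idx = open_by_tuple.get(key)
        if idx is not None and t - attempts[idx]["first"] <= window:
            a = attempts[idx]
            a["deltas"].append((t - a["last"]).total_seconds())
            a["last"] = t
            a["packets"] += 1
        else:
            open_by_tuple[key] = len(attempts)
            attempts.append({"key": key, "first": t, "last": t, "packets": 1, "deltas": []})
    return attempts


def summarize(events):
    """Compare what a per-packet router log shows against per-attempt counting."""
    attempts = collapse_retries(events)
    return {"router_lines": sum(a["packets"] for a in attempts),
            "distinct_attempts": len(attempts)}


if __name__ == "__main__":
    for a in collapse_retries(SAMPLE_EVENTS):
        print(a["key"], "packets:", a["packets"], "gaps:", a["deltas"])
    print(summarize(SAMPLE_EVENTS))
```

A growing gap sequence such as 3, 6, 12 seconds within one group is the signature of a source retrying a SYN that got no reply, which is exactly what a stealthed host causes.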

