[Dshield] Daily Reports Reporting weird (long)

Rod Buike rodb at spectra.ca
Thu Sep 4 16:02:32 GMT 2003


Here are some samples taken from my ISA log and the result taken from the
conversion.  Everything looks good to me but hey, I have been called
blind as a bat in the past :)

ISA Log:

#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2003-09-04 00:00:09
#Fields: date	time	source-ip	destination-ip	protocol	param#1	param#2	filter-rule	interface

2003-09-04	15:38:06	208.30.146.6	64.4.80.2	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:27	64.3.184.206	64.4.80.0	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:27	64.3.184.206	64.4.80.1	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:27	64.3.184.206	64.4.80.2	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:27	64.3.184.206	64.4.80.5	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:27	64.3.184.206	64.4.80.4	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:27	64.3.184.206	64.4.80.7	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:27	64.3.184.206	64.4.80.3	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:27	64.3.184.206	64.4.80.6	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:43	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
2003-09-04	15:38:46	203.235.218.94	64.4.80.2	ICMP	8	0	BLOCKED	64.4.68.34
2003-09-04	15:38:46	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
2003-09-04	15:38:46	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
2003-09-04	15:38:52	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
2003-09-04	15:38:52	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
2003-09-04	15:38:56	172.135.119.102	64.4.80.2	ICMP	8	0	BLOCKED	64.4.68.34

And the result of the conversion:

#-------Beginning of Y:\IPPEXTD20030903.log--------
Comment line
------------------------------------------------------------------------------------------------------------------------
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
Comment line
------------------------------------------------------------------------------------------------------------------------
#Version: 1.0
Comment line
------------------------------------------------------------------------------------------------------------------------
#Date: 2003-09-03 00:00:08
Comment line
------------------------------------------------------------------------------------------------------------------------
#Fields: date	time	source-ip	destination-ip	protocol	param#1	param#2	filter-rule	interface
Comment line

2003-09-04	15:38:06	208.30.146.6	64.4.80.2	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:06 +00:00 | 67994877 | 1 | 208.30.146.6 | 8 | 64.4.80.2 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:27	64.3.184.206	64.4.80.0	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:27 +00:00 | 67994877 | 1 | 64.3.184.206 | 8 | 64.4.80.0 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:27	64.3.184.206	64.4.80.1	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:27 +00:00 | 67994877 | 1 | 64.3.184.206 | 8 | 64.4.80.1 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:27	64.3.184.206	64.4.80.2	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:27 +00:00 | 67994877 | 1 | 64.3.184.206 | 8 | 64.4.80.2 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:27	64.3.184.206	64.4.80.5	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:27 +00:00 | 67994877 | 1 | 64.3.184.206 | 8 | 64.4.80.5 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:27	64.3.184.206	64.4.80.4	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:27 +00:00 | 67994877 | 1 | 64.3.184.206 | 8 | 64.4.80.4 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:27	64.3.184.206	64.4.80.7	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:27 +00:00 | 67994877 | 1 | 64.3.184.206 | 8 | 64.4.80.7 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:27	64.3.184.206	64.4.80.3	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:27 +00:00 | 67994877 | 1 | 64.3.184.206 | 8 | 64.4.80.3 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:27	64.3.184.206	64.4.80.6	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:27 +00:00 | 67994877 | 1 | 64.3.184.206 | 8 | 64.4.80.6 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:43	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
  2003-09-04 15:38:43 +00:00 | 67994877 | 1 | 64.4.68.34 | 135 | 64.2.181.93 | 3904 | TCP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:46	203.235.218.94	64.4.80.2	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:46 +00:00 | 67994877 | 1 | 203.235.218.94 | 8 | 64.4.80.2 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:46	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
  2003-09-04 15:38:46 +00:00 | 67994877 | 1 | 64.4.68.34 | 135 | 64.2.181.93 | 3904 | TCP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:46	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
  2003-09-04 15:38:46 +00:00 | 67994877 | 1 | 64.4.68.34 | 135 | 64.2.181.93 | 3904 | TCP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:52	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
  2003-09-04 15:38:52 +00:00 | 67994877 | 1 | 64.4.68.34 | 135 | 64.2.181.93 | 3904 | TCP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:52	64.4.68.34	64.2.181.93	Tcp	135	3904	BLOCKED	64.4.68.34
  2003-09-04 15:38:52 +00:00 | 67994877 | 1 | 64.4.68.34 | 135 | 64.2.181.93 | 3904 | TCP
------------------------------------------------------------------------------------------------------------------------
2003-09-04	15:38:56	172.135.119.102	64.4.80.2	ICMP	8	0	BLOCKED	64.4.68.34
  2003-09-04 15:38:56 +00:00 | 67994877 | 1 | 172.135.119.102 | 8 | 64.4.80.2 | 0 | ICMP
------------------------------------------------------------------------------------------------------------------------

And an excerpt from my daily reports that is causing the issue:

Source - Ports - Scanned Host Name
64.4.68.34 - 788 - lana-nexgen-68-34.mts.net

Source - Hostname - Packets - Targets - All Packets - All Targets - First Seen
64.4.68.34  lana-nexgen-68-34.mts.net   4234 280 8293 7 07-30-2003

Everything inbound is blocked with the exception of SMTP 25, HTTP 80,
POP3 110 and RDP 3389.  Most outgoing is opened but 135-139 and a few
others outbound are closed.

I am uncertain how my IP can be shown to be scanning itself, or what to
look for in the logs.

Rod

-----Original Message-----
From: Wayne Larmon [mailto:wlarmon at dshield.org] 
Sent: Wednesday, September 03, 2003 2:25 PM
To: General DShield Discussion List
Subject: RE: [Dshield] Daily Reports Reporting weird


> I signed up and installed the Firewall Client and started submitting my
> ISA Server logs.  Daily reports flow in every day and I notice something
> weird.  My ISA server's external IP tops the list when it comes to Top
> Port Scanners and Top Sources.
>
> Is something configured wrong?  ISA or firewall client?

Did you configure ISA as is described at
http://www.dshield.org/clients/isa_setup.php

Did you look at the results of the conversion to see that the source IP
in the ISA log is converted to the source IP in the DShield log?  The
relevant section of a DShield log is

....Source IP<tab>Source Port<tab>Target IP<tab>Target Port....

http://www.dshield.org/specs.php#dshield_format

If there is a problem with CVTWIN's conversion, then contact me off list
so we can resolve this.

Wayne Larmon
DShield.org
wlarmon at dshield.org
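The check Wayne asks for, as an added example that is not from the thread and not CVTWIN's own code: it parses ISA Server W3C log lines by their #Fields header, emits each record in the pipe-separated form shown in Rod's converted output (source IP, source port, target IP, target port, as in the DShield format Wayne quotes), and sets aside records whose source IP is the ISA interface's own address, which is what the TCP 135 rows sourced from 64.4.68.34 above feed into the daily report. The sample log is constructed from two of Rod's lines, the user id 67994877 is copied from the converted output, and the "self-sourced" rule is my assumption about how such rows arise, not documented CVTWIN behaviour.

```python
"""Parse ISA Server 2000 W3C log lines, emit them in the pipe-separated form
CVTWIN prints, and flag records sourced from the firewall's own address."""

# Constructed sample modelled on the ISA log quoted above (two records).
ISA_LOG = """#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Fields: date\ttime\tsource-ip\tdestination-ip\tprotocol\tparam#1\tparam#2\tfilter-rule\tinterface
2003-09-04\t15:38:06\t208.30.146.6\t64.4.80.2\tICMP\t8\t0\tBLOCKED\t64.4.68.34
2003-09-04\t15:38:43\t64.4.68.34\t64.2.181.93\tTcp\t135\t3904\tBLOCKED\t64.4.68.34
"""
USER_ID = "67994877"  # the submitter id shown in the converted output above

def parse_isa(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line.startswith("#") or not line.strip():
            continue  # other W3C comment lines and blanks
        elif fields is None:
            raise ValueError("data line seen before #Fields header")
        else:
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
            yield dict(zip(fields, values))

def to_dshield(rec, user_id=USER_ID):
    """'date time tz | user | count | src | sport | dst | dport | proto'; for
    ICMP, param#1/param#2 carry the ICMP type/code, as in the thread."""
    stamp = f"{rec['date']} {rec['time']} +00:00"
    return " | ".join([stamp, user_id, "1", rec["source-ip"], rec["param#1"],
                       rec["destination-ip"], rec["param#2"],
                       rec["protocol"].upper()])

def self_sourced(rec):
    """Heuristic (an assumption, not part of CVTWIN): a record whose source IP
    equals the logging interface's address is the ISA host's own outbound
    packet; submitted as-is it makes that address look like the attacker."""
    return rec["source-ip"] == rec["interface"]

def convert(text):
    """Return (records to submit, records flagged as self-sourced)."""
    keep, flagged = [], []
    for rec in parse_isa(text):
        (flagged if self_sourced(rec) else keep).append(to_dshield(rec))
    return keep, flagged
```

Running `convert` over a full day's ISA log and looking at the flagged list is a quick way to see which rows put the external IP at the top of the report before deciding what to submit.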