Forums » Up and Running » Security » Security » Can someone please shed some light on this Alert?


temp-name

@com.au

Can someone please shed some light on this Alert?

Hi

I'm running a wireless ADSL network at home with my Vaio Laptop to a D-Link Wireless ADSL Modem Router. It's a new laptop, running XP Pro and has Norton Internet Security 2005 installed.

Occasionally of late I keep getting these Norton alerts popping up that say "A recent attempt to attack your computer...etc etc". Something about an inbound UDP connection. Does anyone know what this means? I checked through the security logs and found these lines were recorded at the same time the alert appeared:

Details: Rule "Firewall Rule" ignored (0.0.0.0,bootps(67)).
Inbound UDP packet.
Local address,service is (255.255.255.255,bootps(67)).
Remote address,service is (0.0.0.0,bootpc(68)).
Process name is "N/A".

Maybe I'm just being paranoid, but I've noticed lately that another wireless network has been appearing in range of my network at home. A friend pointed me towards an app called NetStumbler which, when run, lists any wireless networks in range. My initial panic therefore was that the person running this nearby network also knows that I exist and is somehow attempting to access my computer.

Could the two be related? Can someone please translate what the Norton IS log is actually reporting?

Many, many thanks
Al


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

Re: Can someone please shed some light on this Ale

Does this happen when you deliberately re-boot either the router or the laptop? If so, it is probably only a small configuration problem.

You should have a thorough read of
»Security »How do I secure a wireless network (wireless router)?
or
»www2.dslreports.com/faq/8698
(there may be issues with one or other of these links for some people)

While you are doing all of that, let's hope that you can get someone who knows both the router config options and NIS.

Questions you will need to answer

* versions of NIS and any updates done
* exact model of router, firmware version, etc.

And while I am at it, what is the update status of Windows XP? I can not emphasize enough that it ought to be fully updated, unless there are any known incompatibilities with the Vaio. Do you have a firewall elsewhere? Is the Windows Security Center turned on? Is the Internet Connection Firewall On or Off? What is the update status of the anti-viral component of NIS? What is running on the Vaio when this happens?

You may need to be patient. If in doubt, please wait for an expert answer. Meanwhile you should plan to be back here as much as possible, so please register so that we can get to know you!

Hmmm.. the header wants someone to shed light on an Ale.
--
We are the music makers, We are the dreamers of dreams. Arthur William Edgar O'Shaughnessy

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY


reply to temp-name
Are there other computers on the network? Do they use DHCP to obtain an IP from the router? The packet above is a broadcast and is a DHCP discovery packet, which is a normal part of the process of a computer obtaining an IP on boot if it is using DHCP.

For more info on how DHCP works a good link is
»support.microsoft.com/?kbid=169289
--
Dog and Butterfly
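To show why those two endpoints identify a DHCP client broadcast rather than a directed attack, here is an added Python example (not from this thread, and not Norton/Symantec code) that classifies the NIS log lines quoted in the first post and decodes a constructed DHCPDISCOVER payload; the byte layout follows RFC 2131, and the MAC and transaction id are made-up sample values.

```python
import re
import struct

# Constructed copy of the NIS firewall log entry quoted in the first post
NIS_LOG = """Details: Rule "Firewall Rule" ignored (0.0.0.0,bootps(67)).
Inbound UDP packet.
Local address,service is (255.255.255.255,bootps(67)).
Remote address,service is (0.0.0.0,bootpc(68))."""

ENDPOINT = re.compile(r'(Local|Remote) address,service is \(([\d.]+),\w+\((\d+)\)\)')
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)

def classify_nis_entry(text: str) -> str:
    """Label an NIS firewall entry from its local/remote (ip, port) pairs."""
    ends = {m.group(1): (m.group(2), int(m.group(3))) for m in ENDPOINT.finditer(text)}
    local, remote = ends.get("Local"), ends.get("Remote")
    if "UDP" in text and remote == ("0.0.0.0", 68) and local == ("255.255.255.255", 67):
        # A client with no address yet (0.0.0.0) broadcasting to any DHCP server on the LAN
        return "DHCP client broadcast (DISCOVER/REQUEST), normal on boot or lease renewal"
    return "not a DHCP client broadcast"

def build_discover(mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPDISCOVER: op=1 BOOTREQUEST, Ethernet, broadcast flag set."""
    fixed = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)
    fixed += b"\x00" * 16                  # ciaddr/yiaddr/siaddr/giaddr are all 0.0.0.0
    fixed += mac.ljust(16, b"\x00")        # chaddr, padded to 16 bytes
    fixed += b"\x00" * (64 + 128)          # sname and file, unused here
    return fixed + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"  # option 53 = DISCOVER, end

def parse_dhcp(payload: bytes) -> dict:
    """Decode the fields that identify a DHCP message: xid, client MAC, type, broadcast."""
    op, _htype, hlen, _hops, xid, _secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("no DHCP magic cookie; not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, carries no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"request": op == 1, "xid": xid, "mac": payload[28:28 + hlen].hex(":"),
            "type": MESSAGE_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN"),
            "broadcast": bool(flags & 0x8000)}

if __name__ == "__main__":
    print(classify_nis_entry(NIS_LOG))
    print(parse_dhcp(build_discover(bytes.fromhex("001122aabbcc"))))
```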


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA


Yeah, that's the way I read the log event he posted.

But, let's back up a bit for a moment on that rule itself. If that's the only event he's got at the time the Alert popped up, something needs a bit of tuning here regarding the rule itself.

First, it looks like a rule in what I believe is now called the General Rules section of NIS rules (used to be called system-wide rules). Furthermore, it looks like a user-customized rule in which both logging and alerting have been invoked. Not knowing exactly what the rule itself states, I would certainly advise turning off the alerting.

Well, hold on a sec. . . . Maybe something else is wrong with the way the rule is configured. Could we have some details on the specifics of the rule and what it was intended to accomplish? (I don't think it's one of the default rules, if only due to the label on the rule.)

Addendum: I also think it must be a custom rule because the action indicated is IGNORE; I don't believe that there are any default rules in NIS with an action of IGNORE (i.e., Monitor, Log Only).
--
Regards,
Joseph V. Morris


temp-name

@gov.au

Re: Can someone please explain this Alert

Hi everyone

Firstly, thank you all for your responses.

I'll just try and answer your questions as best I can:

1) These alerts can happen anytime i.e. last night while I was simply doing some work from home at about 9.41pm two alerts appeared (one of which is the IS log I posted)

2) My laptop uses DHCP. My partner occasionally uses her work laptop on the network (they're the only two computers we have) but the alerts appeared when she wasn't on.

3) I am vigilant when it comes to Norton IS (version 2005) updates and windows updates. I'm running XP SP2 all fully updated.

4) Hi jvmorris - how would I get the details you mention i.e. "Could we have some details on the specifics of the rule and what it was intended to accomplish". That's a little above my head. I know that Norton IS is essentially configured as it would be out of the box. I think the only thing changed was that I bumped the security level up to the maximum (from memory, I set it to Supervisor...or similar)

5) My Router is a DLink ADSL Wireless Router Modem 54mbps + 4port 10/100 (Model 604t)

Ummm..I think that's it. Thanks again guys

Allan

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY
Do you have the wireless router/modem secured with encryption?
--
Dog and Butterfly


temp-name

@203.13.x.x
Hi,

Yes, I have WEP enabled. Although I have come across numerous WEP cracking tools while looking around...not sure of their success however.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to temp-name
Okay, just item 4) for me . . .

said by temp-name:

. . . .
4) Hi jvmorris - how would I get the details you mention i.e. "Could we have some details on the specifics of the rule and what it was intended to accomplish". That's a little above my head. I know that Norton IS is essentially configured as it would be out of the box. I think the only thing changed was that I bumped the security level up to the maximum (from memory, I set it to Supervisor...or similar). . . .
Well, the first thing you need to do is find the rule in question, the one labeled simply "Firewall Rule". I was rather hoping you yourself might know how to do this, since the version of NIS I'm currently running is NIS 2002 and Symantec has changed the User Interface since then. In the olden days, you'd open up the NIS console from the System Tray, select "Personal Firewall" and then click on "internet access control" (but I don't think it works this way anymore). I'm fairly certain that the rule in question is in what is now referred to as the "General Rules" (used to be System-Wide Rules) category. If nothing else, it's obviously not application-specific and the Rule Action appears to be set to IGNORE, rather than BLOCK or PERMIT.

If you can't find the rule on your own, we're going to have to wait until one of the NIS 2004/2005 users shows up and tells you how to find it.

Once you find the rule, you need to examine the rule details. To do that, you select the rule labeled "Firewall Rule" and then click on the command button that's labeled "Modify" (or somesuch). No, you're not going to modify the rule, this is simply the only way you're going to get to the details of the rule. So when you're finished recording the following information, just cancel out of the resulting window.

At any rate, at this point, you'll get a new window (probably labeled "Modify Rule") with six tabs. Unfortunately, you're going to have to step through each of these tabs and write down the user-modifiable inputs manually in order to post them here.

I think the first tab will be labeled Action and you'll find the "Monitor Internet Access" option selected. The next tab will probably be labeled Connections and you will probably find one of two options selected here: either "Connections from other computers" or "Connections to and from other computers". The third tab is most likely labeled Computers. There are any number of options that might be specified here, but I suspect it's most likely "Any Computer". The next tab is most likely labeled Communications and I'm not going to tell you what I expect to find here, but I think you're likely to find multiple options (at least two) (one for protocol and at least one for ports). Need to know the specific details in both fields. Next tab is labeled Tracking. What's selected there? The final tab is labeled Description and that's where you're going to find the label of "Firewall Rule".

Write all this down (very carefully) and post it back here. There are (thankfully rare) occasions in which a rule can get corrupted and that's why it's so important to be very precise about what you find in these fields.

In the good ole days, it was quite simple to use a third-party utility to do this. For example, here's what I would find in NIS 2002:

Rule 1 Monitor Ports
Category: NIS System Keeping
Rule in use: YES
Logging: NO
Protocol: TCP or UDP
Action: Ignore
Direction: Either
Application: Any Application
Local service: Any Service
Local Address: Any Address
Remote Service:
..........Port: 110
Remote Address: Any Address

But that's all gone now and you have to do it the hard way. :(

--
Regards, Joseph V. Morris


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

reply to temp-name
Hi, Allan

If you *join*, your anonymity (other than what you choose to reveal) is guaranteed here, and there are possibilities for private messages on this server. As it is, your posts are revealing ip addresses and domains...
--
We are the music makers, We are the dreamers of dreams. Arthur William Edgar O'Shaughnessy


dandelion
Premium,MVM
join:2003-04-29
Germantown, TN

reply to temp-name
Re: Can someone please shed some light on this Alert?

I'm not very proficient in security, nor wireless, and am still learning, but I have NIS 2005 and a D-Link wireless 624 with WPA security on the router (these nice folks in this forum helped me change from WEP to WPA »D-Link).
NIS was also warning of an "attack" on my computer from the same address. At the time I had Windows setting up my wireless; I switched to my Atheros Client Utility and allowed access for that program in NIS, and no more warnings. I'm just assuming I had something set up wrong in my firewall :).
--
want to know what I'm doing?

TheWiseGuy
Dog And Butterfly
Premium,MVM
join:2002-07-04
Yonkers, NY

reply to temp-name
Re: Can someone please explain this Alert

said by temp-name:

Hi,

Yes, I have WEP enabled. Although I have come across numerous WEP cracking tools while looking around...not sure of their success however.
Yes, WEP can be cracked, and I guess if it has been on your network, someone could be using DHCP to obtain an IP and use your network. The packet in that alert would not be a hack attack on your computer. I think it would be interesting to see the rule details as jvmorris has stated.
--
Dog and Butterfly


dandelion
Premium,MVM
join:2003-04-29
Germantown, TN

reply to temp-name
Re: Can someone please shed some light on this Alert?

I spoke too soon. I just got the message again right before I signed on to my computer; after signing on, no more messages (the firewall is supposed to prevent any communication when in screensaver mode):
Rule "Block Window File Sharing" blocked communication, local address (my router), process name is "system". The popup said it was blocked on 0.0.0.0, but I don't see that on the log. (Do you get this message right before signon?)
--
want to know what I'm doing?


richtig
Music Is Emotion
Premium
join:2003-02-19
Australia

reply to richtig
Re: Can someone please explain this Alert

said by richtig:

Hi, Allan

If you *join*, your anonymity (other than what you choose to reveal) is guaranteed here, and there are possibilities for private messages on this server. As it is, your posts are revealing ip addresses and domains...
My apologies. I did not mean to say that ip addresses are being revealed. Not on these posts. Of course your ip address is in every packet.
--
We are the music makers, We are the dreamers of dreams. Arthur William Edgar O'Shaughnessy
© 1999-2009 dslreports.com.