 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
reply to temp-name Re: Can someone please shed some light on this Ale
Are there other computers on the network? Do they use DHCP to obtain an IP from the router? The packet above is a broadcast and is a DHCP discovery packet, which is a normal part of the process of a computer obtaining an IP on boot if it is using DHCP.
For more info on how DHCP works a good link is »support.microsoft.com/?kbid=169289 -- Dog and Butterfly
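To make the point above concrete, here is an added example (not code from the thread or from Symantec) that parses a DHCP payload and decides whether the logged datagram is the ordinary client-to-server DISCOVER broadcast described, or something worth a closer look. The packet, the MAC address 00:11:22:33:44:55 and the transaction id are constructed for the example; the field layout and the option codes 53 and 55 are from the DHCP RFCs.

```python
"""Decode a raw DHCP (BOOTP) payload and classify the firewall event it would
produce.  Added example for this thread; the packet built below is constructed,
not taken from the poster's Norton log."""
import struct
from dataclasses import dataclass, field

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # RFC 2132 marker that options follow
BROADCAST = "255.255.255.255"
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68

# Option 53 message types (RFC 2132 section 9.6).
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


@dataclass
class DhcpMessage:
    op: int                 # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    xid: int                # transaction id chosen by the client
    client_mac: str
    msg_type: str
    requested_params: list = field(default_factory=list)   # option 55 codes


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Parse the fixed 236-byte BOOTP header plus TLV options; raise on bad input."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (too short or missing magic cookie)")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    if hlen > 16:
        raise ValueError("hardware address length exceeds the chaddr field")
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # END option
            break
        if code == 0:                        # PAD option carries no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    mt = options.get(53)
    msg_type = MESSAGE_TYPES.get(mt[0], "UNKNOWN") if mt else "UNKNOWN"
    return DhcpMessage(op, xid, mac, msg_type, list(options.get(55, b"")))


def classify(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
             payload: bytes) -> str:
    """Verdict for one logged UDP datagram: 'benign: ...' or 'review: ...'."""
    try:
        msg = parse_dhcp(payload)
    except ValueError as exc:
        return f"review: UDP {src_ip}:{src_port} -> {dst_ip}:{dst_port} is not DHCP ({exc})"
    client_to_server = (src_port, dst_port) == (DHCP_CLIENT_PORT, DHCP_SERVER_PORT)
    # A client asking the LAN for any server is exactly what a boot-time
    # address acquisition looks like: BOOTREQUEST, DISCOVER, sent to the
    # broadcast address from port 68 to port 67.
    if msg.op == 1 and msg.msg_type == "DISCOVER" and dst_ip == BROADCAST and client_to_server:
        return (f"benign: DHCP DISCOVER broadcast from {msg.client_mac} "
                f"(normal address acquisition, e.g. at boot)")
    return (f"review: DHCP {msg.msg_type} from {src_ip}:{src_port} to "
            f"{dst_ip}:{dst_port} (op={msg.op}, mac={msg.client_mac})")


def build_discover(mac: bytes, xid: int) -> bytes:
    """Construct a minimal DHCPDISCOVER payload (constructed sample input)."""
    header = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, len(mac), 0, xid, 0,
                         0x8000, b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = mac.ljust(16, b"\0")           # 16-byte hardware address field
    sname, bootfile = b"\0" * 64, b"\0" * 128
    options = (MAGIC_COOKIE
               + bytes([53, 1, 1])          # message type: DISCOVER
               + bytes([55, 3, 1, 3, 6])    # parameter request: mask, router, DNS
               + bytes([255]))              # END
    return header + chaddr + sname + bootfile + options


if __name__ == "__main__":
    pkt = build_discover(bytes.fromhex("001122334455"), 0x1234)   # constructed
    print(classify("0.0.0.0", BROADCAST, 68, 67, pkt))
    print(classify("0.0.0.0", "192.168.0.5", 68, 67, pkt))        # constructed host
```

Run stand-alone, the first line prints a benign verdict for the broadcast DISCOVER and the second flags the same message when it is addressed to a single host instead, which is the kind of difference a rule's log entry lets you check before deciding whether an alert deserves attention.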
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
Yeah, that's the way I read the log event he posted.
But, let's back up a bit for a moment on that rule itself. If that's the only event he's got at the time the Alert popped up, something needs a bit of tuning here regarding the rule itself.
First, it looks like a rule in what I believe is now called the General Rules section of NIS rules (used to be called system-wide rules). Furthermore, it looks like a user-customized rule in which both logging and alerting have been invoked. Not knowing exactly what the rule itself states, I would certainly advise turning off the alerting.
Well, hold on a sec. . . . Maybe something else is wrong with the way the rule is configured. Could we have some details on the specifics of the rule and what it was intended to accomplish? (I don't think it's one of the default rules, if only due to the label on the rule.)
Addendum: I also think it must be a custom rule because the action indicated is IGNORE; I don't believe that there are any default rules in NIS with an action of IGNORE (i.e., Monitor, Log Only). -- Regards, Joseph V. Morris
  temp-name @gov.au | Re: Can someone please explain this Alert
Hi everyone
Firstly, thank you all for your responses.
I'll just try and answer your questions as best I can:
1) These alerts can happen anytime i.e. last night while I was simply doing some work from home at about 9.41pm two alerts appeared (one of which is the IS log I posted)
2) My laptop uses DHCP. My partner occasionally uses her work laptop on the network (they're the only two computers we have) but the alerts appeared when she wasn't on.
3) I am vigilant when it comes to Norton IS (version 2005) updates and windows updates. I'm running XP SP2 all fully updated.
4) Hi jvmorris - how would I get the details you mention i.e. "Could we have some details on the specifics of the rule and what it was intended to accomplish"? That's a little above my head. I know that Norton IS is essentially configured as it would be out of the box. I think the only thing changed was that I bumped the security level up to the maximum (from memory, I set it to Supervisor...or similar)
5) My Router is a DLink ADSL Wireless Router Modem 54mbps + 4port 10/100 (Model 604t)
Ummm..I think that's it. Thanks again guys
Allan
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
Do you have the wireless router/modem secured with encryption? -- Dog and Butterfly
  temp-name @203.13.x.x
Hi,
Yes, I have WEP enabled. Although I have come across numerous WEP cracking tools while looking around...not sure of their success however.
  jvmorris I Am The Man Who Was Not There. Premium,MVM join:2001-04-03 Reston, VA
reply to temp-name
Okay, just item 4) for me . . .
said by temp-name:
. . . . 4) Hi jvmorris - how would I get the details you mention i.e. "Could we have some details on the specifics of the rule and what it was intended to accomplish". That's a little above my head. I know that Norton IS is essentially configured as it would be out of the box. I think the only thing changes was that I bumped the security level up to the maximum (from memory, I set it to Supervisor...or similar). . . .
Well, the first thing you need to do is find the rule in question, the one labeled simply "Firewall Rule". I was rather hoping you yourself might know how to do this, since the version of NIS I'm currently running is NIS 2002 and Symantec has changed the User Interface since then. In the olden days, you'd open up the NIS console from the System Tray, select "Personal Firewall" and then click on "Internet Access Control" (but I don't think it works this way anymore). I'm fairly certain that the rule in question is in what is now referred to as the "General Rules" (used to be System-Wide Rules) category. If nothing else, it's obviously not application-specific and the Rule Action appears to be set to IGNORE, rather than BLOCK or PERMIT.
If you can't find the rule on your own, we're going to have to wait until one of the NIS 2004/2005 users shows up and tells you how to find it.
Once you find the rule, you need to examine the rule details. To do that, you select the rule labeled "Firewall Rule" and then click on the command button that's labeled "Modify" (or somesuch). No, you're not going to modify the rule, this is simply the only way you're going to get to the details of the rule. So when you're finished recording the following information, just cancel out of the resulting window.
At any rate, at this point, you'll get a new window (probably labeled "Modify Rule") with six tabs. Unfortunately, you're going to have to step through each of these tabs and write down the user-modifiable inputs manually in order to post them here.
I think the first tab will be labeled Action and you'll find the "Monitor Internet Access" option selected. The next tab will probably be labeled Connections and you will probably find one of two options selected here: either "Connections from other computers" or "Connections to and from other computers". The third tab is most likely labeled Computers. There are any number of options that might be specified here, but I suspect it's most likely "Any Computer". The next tab is most likely labeled Communications and I'm not going to tell you what I expect to find here, but I think you're likely to find multiple options (at least two) (one for protocol and at least one for ports). Need to know the specific details in both fields. Next tab is labeled Tracking. What's selected there? The final tab is labeled Description and that's where you're going to find the label of "Firewall Rule".
Write all this down (very carefully) and post it back here. There are (thankfully rare) occasions in which a rule can get corrupted and that's why it's so important to be very precise about what you find in these fields.
In the good ole days, it was quite simple to use a third-party utility to do this. For example, here's what I would find in NIS 2002:
Rule 1 Monitor Ports
Category: NIS System Keeping
Rule in use: YES
Logging: NO
Protocol: TCP or UDP
Action: Ignore
Direction: Either
Application: Any Application
Local service: Any Service
Local Address: Any Address
Remote Service: ..........Port: 110
Remote Address: Any Address
But that's all gone now and you have to do it the hard way. :(
-- Regards, Joseph V. Morris
  richtig Music Is Emotion Premium join:2003-02-19 Australia
reply to temp-name
Hi, Allan
If you *join*, your anonymity (other than what you choose to reveal) is guaranteed here, and there are possibilities for private messages on this server. As it is, your posts are revealing ip addresses and domains... -- We are the music makers, We are the dreamers of dreams. Arthur William Edgar O'Shaugnessy
 TheWiseGuy Dog And Butterfly Premium,MVM join:2002-07-04 Yonkers, NY
reply to temp-name
said by temp-name:
Hi,
Yes, I have WEP enabled. Although I have come across numerous WEP cracking tools while looking around...not sure of their success however.
Yes WEP can be cracked, and I guess if it has been on your network, someone could be using DHCP to obtain an IP and use your network. The packet in that alert would not be a hack attack on your computer. I think it would be interesting to see the rule details as jvmorris has stated. -- Dog and Butterfly
  richtig Music Is Emotion Premium join:2003-02-19 Australia
reply to richtig
said by richtig:
Hi, Allan If you *join*, your anonymity (other than what you choose to reveal) is guaranteed here, and there are possibilities for private messages on this server. As it is, your posts are revealing ip addresses and domains...
My apologies. I did not mean to say that ip addresses are being revealed. Not on these posts. Of course your ip address is in every packet. -- We are the music makers, We are the dreamers of dreams. Arthur William Edgar O'Shaugnessy