Firewall logs can be said that a hodgepodge, which will save the system information received from a variety of unsafe time, type and so on. By analyzing these logs, you can have occurred or are being found in a system intrusion.
Firewall log is not complicated, but it still needs to understand to understand some basic concepts (such as port, protocol, etc.). Although not the same for each firewall logs, but much the same way in the record, including: time, to allow or block (Accept or Block), communication type, source IP address, source port, destination address and destination port, etc.. This will be a "Sky Net Firewall" log as an example, let us know how to analyze firewall logs, and then identify vulnerabilities and possible attacks.
"Skynet firewall" All irregularities will intercept and record the data packet to the log, if you choose monitor all TCP and UDP packets, then each of you to send and receive data packets will be recorded.
1,139 port attack
Figure 1 shows the log shows: from a computer within the LAN is trying to access your computer's 139 ports, but the operation was unsuccessful.
Port 139 is NetBIOS protocol used by the port, install the TCP / IP protocol at the same time, NetBIOS will be installed as the default settings to the system. 139 ports open means that the hard disk may be shared in the network; online hackers can also be computer NetBIOS know you all!
Tip: "NetBIOS" is the network input-output system, despite the current TCP / IP protocol to become widely used transport protocol, but to provide the NetBEUI protocol NetBIOS LAN is still widely used.
While in the "Sky Net Firewall," the monitor, this hidden danger is not being used. But we can not remain indifferent, should try to make up this loophole. For a machine connected to the Internet, NetBIOS completely useless, it can be removed.
So how do you know this source address of behavior? If it is a remote address, there may be other software in use is a virus scan or mischief, but in Figure 1 192.168.30.15X such as address and the machine is in the same LAN and the crew did not use the software on the attack, after the original inspection found that the computer is in the "Nimda virus."
2.80 port attack
In the "Sky Net Firewall", assuming you receive information like this, it means: In the 18 29 20 this time, and from the IP address of 61.128.89. × × a user tries to connect to your computer , and scan your computer for open port 80 (this is Web services to open ports).
If you have received from the external IP high port (greater than 1024) launched a similar TCP connection requests, you have to care whether the other computer in the "Code Red" and tried to attack you (there may be people using the software attacks). Because this virus is only transmitted with IIS service system, so ordinary users need not worry.
If you worry about your own Web server is "Code Red" virus attack, the firewall can be installed on the server, and set rules for the application to intercept. If it is found the machine trying to access other hosts on port 80, you should check whether their systems have this virus.
3, ping probing attacks
In the "Sky Net Firewall," the log will record some of the users on the machine continued to ping the log, sometimes manifested as from a number of addresses on the machine ping attack (Figure 2). Excluded people in addition to the ping, we must pay attention to the source address may be from a machine similar to "shock" and other viruses are at play. Therefore, in terms of the machine, pressing thing is to install Microsoft's "shock" patch.
4, IGMP attack
IGMP no use for Windows general users, but Win9X operating system kernel defects, there is an IGMP vulnerability of its own, so people who would use this loophole to specify a host to send a large number of IGMP packets, so that Windows operating system, network layer destruction, lead to crashes, which in the firewall log will also be recorded (Figure 3). To deal with such situations is best to install the patch on the IGMP packet.
Sometimes, however, received such a reminder does not necessarily mean that hackers or virus attacks, in a local area network will have received from the gateway of a similar packets; another video broadcast services, some machines will the user to send such data packets, so do not be too alarmed.
Particularly to illustrate that not all blocked packets mean someone is against you, and some normal packets as you set the security level is too high and not comply with safety rules, will be intercepted and alarm.