The port 67/68 UDP broadcasts are probably DHCP. Perhaps re-negotiating a lease. Normally I see them with a source address of 0.0.0.0 when the PC first boots. -erik
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ralph Los
Sent: Tuesday, April 09, 2002 11:13 AM
To: 'Ravi Kumar Moluguri'; [EMAIL PROTECTED]
Subject: RE: Understanding Sonicwall log entries

Replies in-line.

----------------------------------------|
Ralph M. Los
Sr. Security Engineer and Trainer
EnterEdge Technology, L.L.C.
[EMAIL PROTECTED]
(770) 955-9899 x.206
----------------------------------------|

::-----Original Message-----
::From: Ravi Kumar Moluguri [mailto:[EMAIL PROTECTED]]
::Sent: Wednesday, April 03, 2002 2:24 PM
::To: [EMAIL PROTECTED]
::Cc: [EMAIL PROTECTED]
::Subject: Understanding Sonicwall log entries
::
::Hi,
::
::We have a Sonicwall firewall. I see a lot of log statements such as the
::following. I contacted Sonicwall but they said everything is fine.
::
::Can anybody throw more light on the meaning of these entries,
::especially (TCP connection dropped, TCP FIN packet dropped)?
::
::Thanks a lot in advance.
::
::------------------------------------------------------------------
::
::04/03/2002 07:34:36.064 - TCP connection dropped - Source:195.22.231.228, 3880, WAN - Destination:63.107.113.254, 1080, LAN - 'Socks' - Rule 0

Reply--> This is someone scanning for open proxies; your firewall blocked it; you: 1, bad guys: 0

::
::04/03/2002 06:16:33.224 - TCP FIN packet dropped - Source:4.60.61.95, 6346, WAN - Destination:63.107.113.254, 13436, LAN - -

Reply--> Blah, this is worthless. Sometimes it can mean a TCP/FIN scan, but mostly it is just lazy web servers and the SonicWall being over-aggressive, as it sees a TCP/FIN packet coming from a web server you visited a while ago, or maybe a load balancer. No worry here.

::
::04/03/2002 07:16:24.448 - ARP timeout - Source:0.0.0.0 - Destination:63.107.113.203 - -

Reply--> Normal, although I've never seen that one on the SonicWall before.

::
::04/03/2002 07:17:04.256 - Denied UDP packet from LAN - Source:10.1.11.98, 68, LAN - Destination:255.255.255.255, 67, LAN - -

Reply--> Uhhh....that's weird. Why is your LAN side sending out broadcasts on port 68-67? You may want to look into this; check the host at 10.1.11.98 and see what's on it, maybe a trojan?

::
::04/03/2002 07:17:04.272 - Broadcast packet dropped - Source:10.1.11.99, 67, LAN - Destination:255.255.255.255, 68, LAN - Code:17 -

Reply--> YES, definitely worth looking into, see above. I'd check this ASAP.

::
::04/03/2002 07:54:03.464 - ICMP packet dropped - Source:137.39.5.110, 3, WAN - Destination:63.107.113.254, 3, LAN - 'Dest Unreachable' - Rule 0

Reply--> Without knowing your config, can't say for sure, but seems normal; a router downstream from you is telling your firewall (doing NAT, most likely) that the host you're trying to connect to doesn't exist.

Cheerio!

::
::-------------------------------------------------
::
::_______________________________________________
::Firewalls mailing list
::[EMAIL PROTECTED]
::http://lists.gnac.net/mailman/listinfo/firewalls
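
An added example, not part of any message in this thread: a parser for the log layout quoted above that applies the DHCP reading from the first reply, separating hosts sending from port 68 (clients) from hosts answering from port 67 (servers). The `known_servers` list and the verdict labels are assumptions introduced here; the sample entries are the ones quoted in the thread with the `::` markers removed.

```python
import re

# Layout as seen in the quoted entries:
# <date> <time> - <message> - Source:<ip>[, <port>, <zone>] - Destination:<ip>[, <port>, <zone>] - ...
ENTRY = re.compile(
    r"(?P<ts>\d\d/\d\d/\d{4} [\d:.]+) - (?P<msg>.+?) - "
    r"Source:(?P<src>[\d.]+)(?:, *(?P<sport>\d+), *(?P<szone>\w+))? - "
    r"Destination:(?P<dst>[\d.]+)(?:, *(?P<dport>\d+), *(?P<dzone>\w+))?"
)

def parse(line):
    """Return the entry's fields as a dict, or None if the layout does not match."""
    m = ENTRY.search(line)
    if not m:
        return None
    e = m.groupdict()
    for key in ("sport", "dport"):
        e[key] = int(e[key]) if e[key] else None  # ARP entries carry no ports
    return e

def dhcp_role(e):
    """'client' or 'server' for a broadcast on the 68/67 port pair, else None."""
    if e["dst"] != "255.255.255.255":
        return None
    return {(68, 67): "client", (67, 68): "server"}.get((e["sport"], e["dport"]))

def triage(lines, known_servers=()):
    """List (source, verdict) for DHCP-looking entries.

    known_servers is a hypothetical allow-list of the site's DHCP servers;
    a host answering from port 67 that is not on it is flagged for review.
    """
    out = []
    for line in lines:
        e = parse(line)
        role = dhcp_role(e) if e else None
        if role == "client":
            out.append((e["src"], "dhcp-client"))
        elif role == "server":
            ok = e["src"] in known_servers
            out.append((e["src"], "dhcp-server" if ok else "unlisted-dhcp-server"))
    return out

SAMPLE = [  # entries quoted in the thread
    "04/03/2002 07:34:36.064 - TCP connection dropped - Source:195.22.231.228, 3880, WAN - Destination:63.107.113.254, 1080, LAN - 'Socks' - Rule 0",
    "04/03/2002 07:16:24.448 - ARP timeout - Source:0.0.0.0 - Destination:63.107.113.203 - -",
    "04/03/2002 07:17:04.256 - Denied UDP packet from LAN - Source:10.1.11.98, 68, LAN - Destination:255.255.255.255, 67, LAN - -",
    "04/03/2002 07:17:04.272 - Broadcast packet dropped - Source:10.1.11.99, 67, LAN - Destination:255.255.255.255, 68, LAN - Code:17 -",
]

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE):  # no allow-list given: responders are flagged
        print(src, verdict)
```

With an empty allow-list, 10.1.11.99 is reported as an unlisted responder, which is the host to confirm as the intended DHCP server for that LAN segment.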
