Welcome to ISAserver.org


What are these packets? VIRUS?

What are these packets? VIRUS? - 21.Aug.2004 6:04:00 AM   
sevenup
I found lots of records in my ISA 2004 firewall log file.

ISA, 8/21/2004, 0:04:09, UDP, 10.10.10.3:137, 10.10.10.255:137, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Name Service, -, 0, 0, 0, 0, -, -, -, -, -, -, -, -, 0, 0, -, -, -
ISA, 8/21/2004, 0:04:09, UDP, 10.10.10.3:137, 10.10.10.255:137, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Name Service, -, 0, 0, 0, 0, -, -, -, -, -, -, -, -, 0, 0, -, -, -
ISA, 8/21/2004, 0:04:11, UDP, 10.10.10.3:137, 10.10.10.255:137, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Name Service, -, 0, 0, 0, 0, -, -, -, -, -, -, -, -, 0, 0, -, -, -
ISA, 8/21/2004, 0:04:11, UDP, 10.10.10.3:138, 10.10.10.255:138, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Datagram, -, 0, 0, 0, 0, -, -, -, -, -, -, -, -, 0, 0, -, -, -
ISA, 8/21/2004, 0:04:13, UDP, 10.10.10.3:137, 10.10.10.255:137, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Name Service, -, 0, 0, 0, 0, -, -, -, -, -, -, -, -, 0, 0, -, -, -
ISA, 8/21/2004, 0:04:13, UDP, 10.10.10.3:137, 10.10.10.255:137, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Name Service, -, 0, 0, 0, 0, -, -, -, -, -, -, -, -, 0, 0, -, -, -
ISA, 8/21/2004, 0:04:15, UDP, 10.10.10.3:137, 10.10.10.255:137, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Name Service, -, 0, 0, 0, 0, -, -, -, -, -, -, -, -, 0, 0, -, -, -
ISA, 8/21/2004, 0:04:15, UDP, 10.10.10.3:138, 10.10.10.255:138, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Datagram, -, 0, 0, 0, 0, -, -, -, -, -, -, -, -, 0, 0, -, -, -

Last week, the total dropped packets from an IP (such as 10.10.10.3) was about thousands, but this week, the total dropped has increased to more than 500,000 for each IP!

10.10.10.3 has the latest Windows Update hotfixes and the Symantec AntiVirus CE 9.0 client installed. It seems all works fine.

What's the problem? A new unknown worm??

Please help!

[ August 21, 2004, 06:06 AM: Message edited by: sevenup ]
Post #: 1
RE: What are these packets? VIRUS? - 22.Aug.2004 3:40:00 AM   
tshinder
Hi 7,

Looks like normal limited subnet broadcasts to me.

HTH,
Tom

(in reply to sevenup)
Post #: 2
RE: What are these packets? VIRUS? - 8.Sep.2004 7:37:00 PM   
sevenup
It is terrible!
I just found my ISA 2004 firewall log file on 0907 is about 400MB. In the past days, the size each day was about 40MB.

And now, the 0908 log file is more than 1.18GB!

I found these in the report file each day.

Dropped packets on 0907:

No  User             Dropped Packets  % of Total Dropped Packets
1   xxx.xxx.xxx.252  1218998          68.90 %
2   xxx.xxx.xxx.238  228252           12.90 %
3   xxx.xxx.xxx.188  224376           12.70 %

The rest of the IPs are less than 8000 packets each.

Dropped packets on 0908:

No  User             Dropped Packets  % of Total Dropped Packets
1   xxx.xxx.xxx.252  4600736          84.60 %
2   xxx.xxx.xxx.238  575409           10.60 %
3   xxx.xxx.xxx.188  155063           2.90 %

I really don't know what these servers are doing?!

(in reply to sevenup)
Post #: 3
RE: What are these packets? VIRUS? - 10.Sep.2004 5:50:00 AM   
tshinder
Hi Seven,

I think it's about time you put together a WINS infrastructure if you require NetBIOS name resolution.

HTH,
Tom

(in reply to sevenup)
Post #: 4
RE: What are these packets? VIRUS? - 10.Sep.2004 6:43:00 AM   
sevenup
Can I configure the ISA 2004 firewall log to not record these events?
In ISA 2000, I can disable the packet filter log.
But in ISA 2004, it seems the firewall log combines the packet filter log together.

(in reply to sevenup)
Post #: 5
RE: What are these packets? VIRUS? - 10.Sep.2004 3:26:00 PM   
gatorz
Create an Access Rule to deny this specific traffic. Then, under the Action tab of the access rule, uncheck "Log requests matching this rule".

HTH

(in reply to sevenup)
Post #: 6
RE: What are these packets? VIRUS? - 12.Sep.2004 4:09:00 PM   
tshinder
Hi Gator,

Exactly!

Thanks!
Tom

(in reply to sevenup)
Post #: 7
RE: What are these packets? VIRUS? - 12.Sep.2004 5:48:00 PM   
sevenup
I found I MUST disable the Log option for the ALL DENY rule,

and add an access rule for users with the log option turned on,

and add a deny rule for a user or IP with the log option turned on, for monitoring VIRUS activity or user application debugging.

And it's OK now.
The log file each day is about 10MB, just like ISA 2000's log file.

(in reply to sevenup)
Post #: 8
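One way to check, before turning off logging as the thread describes, how much of the denied traffic is NetBIOS broadcast noise and what else each source is being denied. This is an added example, not code posted by any participant; the field positions are inferred from the log lines quoted in the first post, the /24 prefix length is an assumption, and the 10.10.10.7 records are constructed.

```python
import ipaddress
from collections import Counter
# Constructed sample: the first three records follow the lines quoted in the first
# post (trailing counter fields trimmed); the 10.10.10.7 records are invented.
SAMPLE_LOG = """\
ISA, 8/21/2004, 0:04:09, UDP, 10.10.10.3:137, 10.10.10.255:137, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Name Service
ISA, 8/21/2004, 0:04:11, UDP, 10.10.10.3:137, 10.10.10.255:137, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Name Service
ISA, 8/21/2004, 0:04:11, UDP, 10.10.10.3:138, 10.10.10.255:138, 10.10.10.3, Internal, Local Host, Denied, 0xc004000d, Default rule, NetBios Datagram
ISA, 8/21/2004, 0:04:12, TCP, 10.10.10.7:1045, 192.0.2.10:445, 10.10.10.7, Internal, External, Denied, 0xc004000d, Default rule, -
ISA, 8/21/2004, 0:04:13, TCP, 10.10.10.7:1046, 192.0.2.11:445, 10.10.10.7, Internal, External, Denied, 0xc004000d, Default rule, -
ISA, 8/21/2004, 0:04:14, UDP, 10.10.10.7:137, 10.10.10.3:137, 10.10.10.7, Internal, Internal, Denied, 0xc004000d, Default rule, NetBios Name Service
truncated, line
"""
NETBIOS_UDP_PORTS = {137, 138}  # NetBIOS Name Service and Datagram, as named in the log
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

def parse_record(line):
    """Return the fields used for triage, or None if the line does not fit the layout."""
    f = [x.strip() for x in line.split(",")]
    if len(f) < 13:
        return None
    try:
        src_ip, _ = f[4].rsplit(":", 1)
        dst_ip, dst_port = f[5].rsplit(":", 1)
        return {"transport": f[3], "src": ipaddress.ip_address(src_ip),
                "dst": ipaddress.ip_address(dst_ip), "dst_port": int(dst_port),
                "action": f[9], "rule": f[11]}
    except ValueError:  # missing port, non-numeric port, or masked address
        return None

def is_netbios_broadcast(rec, prefix_len=24):
    """True for UDP 137/138 sent to the source's subnet broadcast or 255.255.255.255."""
    if rec["transport"] != "UDP" or rec["dst_port"] not in NETBIOS_UDP_PORTS:
        return False
    subnet = ipaddress.ip_network(f"{rec['src']}/{prefix_len}", strict=False)
    return rec["dst"] in (subnet.broadcast_address, LIMITED_BROADCAST)

def triage_denied(log_text, prefix_len=24):
    """Count denied records per source: broadcast noise vs. everything else."""
    noise, other = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "Denied":
            continue
        if is_netbios_broadcast(rec, prefix_len):
            noise[str(rec["src"])] += 1
        else:  # keep the destination port so unusual denials stay visible
            other[(str(rec["src"]), rec["dst_port"])] += 1
    return noise, other
```

A source that appears only in the first counter is a candidate for the non-logging deny rule suggested above; entries in the second counter are the denials that a logged rule should keep recording.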
