SonicWall Firewall Log Messages

Archived from groups: comp.security.firewalls

Recently installed a SonicWall TZ170 firewall in my home network
environment. Set up the log to record everything just so I could get an
idea of traffic that was being dropped..

I now find that 90% of my log entries are of the following type:

TCP connection dropped 221.119.213.184, 63690, WAN 24.155.81.xxx,
47519, WAN Type: 47519


I x'd out my IP for obvious reasons.

My question is, I keep getting all these hits from various source IP's to
port 47519. I have no clue what that port is or what the connect attempts
are looking for. Is this possibly a file sharing program that one of my
kids may be running?

Thanks..
  1.

    "JDB" <jbelle@evitria.com> wrote in message
    news:10h9ka91dva9793@corp.supernews.com...
    > Recently installed a SonicWall TZ170 firewall in my home network
    > environment. Set up the log to record everything just so I could get
    an
    > idea of traffic that was being dropped..
    >
    > I now find that 90% of my log entries are of the following type:
    >
    > TCP connection dropped 221.119.213.184, 63690, WAN
    24.155.81.xxx,
    > 47519, WAN Type: 47519
    >
    > I x'd out my IP for obvious reasons.
    >
    > My question is, I keep getting all these hits from various source IP's
    to
    > port 47519. I have no clue what that port is or what the connect
    attempts
    > are looking for. Is this possibly a file sharing program that one of
    my
    > kids may be running?
    >
    > Thanks..
    >

    AFAIK TCP port 47519 is not currently listed for being associated with
    anything malicious. So what you may be seeing is either:

    A. various external clients (from as far away as Japan) attempting to
    probe for something new that has yet to make the lists

    B. various external clients (from as far away as Japan) attempting to
    connect to something that's making itself known for being available

    Regardless I would suggest that you attempt to discover if there's
    anything listening on this port. Better yet confirm everything that is
    currently listening on your PC. To accomplish this you can acquire and
    install a third-party utility or you can perform a couple of commands
    and review the results.

    To perform the latter with Windows XP, simply do the following:

    1. Click START | RUN. On the Open line, type CMD /C NETSTAT -ANO
    >C:\NETSTAT.TXT and press Enter.

    2. Click START | RUN. On the Open line, type CMD /C TASKLIST /SVC
    >C:\TASKLIST.TXT and press Enter.

    After performing each of the above a DOS window will open and close.
    When this occurs the system is creating a TXT file reflecting the
    results of running each command. The first txt file (netstat.txt)
    provides a listing of ports currently in use. The second txt file
    (tasklist.txt) provides a listing of all the processes that are running
    and their respective PID's.

    Next open both TXT files with Notepad. In the 'netstat.txt' file focus
    on the ports that are 'listening'. At the far right is a PID number
    that indicates what process is responsible for placing that port into a
    'listening' state. Refer to the 'tasklist.txt' file to determine the
    process for the PID.


    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
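Added example (not part of Don Kelloway's post): the manual cross-reference of netstat.txt against tasklist.txt described above, done as a short Python script. The sample file contents are constructed and the function names are this example's own.

```python
import re
# Constructed sample of C:\NETSTAT.TXT (NETSTAT -ANO); values are illustrative.
NETSTAT_TXT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       984
  TCP    0.0.0.0:4662           0.0.0.0:0              LISTENING       1820
  TCP    192.168.1.10:1045      203.0.113.7:80         ESTABLISHED     1820
  UDP    0.0.0.0:4672           *:*                                    1820
"""
# Constructed sample of C:\TASKLIST.TXT (TASKLIST /SVC).
TASKLIST_TXT = """\
Image Name                   PID Services
========================= ====== ==========================
System Idle Process            0 N/A
svchost.exe                  984 RpcSs
svchost.exe                 1084 AudioSrv, Browser,
                                 Dhcp
emule.exe                   1820 N/A
"""

def parse_tasklist(text):
    # PID -> [image name, services]; wrapped service lines join the prior row.
    procs, last = {}, None
    for line in text.splitlines():
        m = re.match(r"(\S.*?)\s+(\d+)\s+(\S.*)$", line)
        if m:
            last = int(m.group(2))
            procs[last] = [m.group(1), m.group(3).strip()]
        elif last is not None and line[:1].isspace() and line.strip():
            procs[last][1] += " " + line.strip()
    return procs

def parse_listeners(text):
    # Yield (proto, port, pid) for LISTENING TCP sockets and bound UDP sockets.
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            yield "TCP", int(f[1].rsplit(":", 1)[1]), int(f[4])
        elif len(f) == 4 and f[0] == "UDP":  # UDP rows have no State value
            yield "UDP", int(f[1].rsplit(":", 1)[1]), int(f[3])

def listeners_by_port(netstat_text, tasklist_text):
    # (proto, port) -> (pid, image name, services)
    procs = parse_tasklist(tasklist_text)
    return {(proto, port): (pid, *procs.get(pid, ["<not in tasklist>", ""]))
            for proto, port, pid in parse_listeners(netstat_text)}

if __name__ == "__main__":
    print(listeners_by_port(NETSTAT_TXT, TASKLIST_TXT))
```

A port that is absent from the resulting table had no listener at the moment the two files were captured, so the check is worth repeating while the suspected program is running.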
  2.

    Thanks for the suggestions.

    I already have utilized netstat and a couple of other tools to discover all
    open ports and running processes on the various machines in my network. No
    active listeners on port 47519 - at least at the time I checked.

    I'm wondering if this has anything to do with one of my kids running a file
    share program (I know they've dabbled with Emule) on their PC. So that,
    even if it's not running now, it's still a registered "active" connection in
    the peer network via caching or something. But I could swear I thought all
    those programs used ports in like the 4,000's and such.

    I set up a syslog server so I could validate the connection attempts and not
    just rely on the SonicWall logging report, and sure enough they show up.
    Most of the connections (after I performed DNS on the IP's) seem to be
    coming from various DSL and other home broadband networks.
    My next step is to set up a sniffer and check the packets out...

    Thanks...


    "Don Kelloway" <dkelloway@commodon.com> wrote in message
    news:l48Rc.14262$Jp6.11457@newsread3.news.atl.earthlink.net...
    > "JDB" <jbelle@evitria.com> wrote in message
    > news:10h9ka91dva9793@corp.supernews.com...
    > > Recently installed a SonicWall TZ170 firewall in my home network
    > > environment. Set up the log to record everything just so I could get
    > an
    > > idea of traffic that was being dropped..
    > >
    > > I now find that 90% of my log entries are of the following type:
    > >
    > > TCP connection dropped 221.119.213.184, 63690, WAN
    > 24.155.81.xxx,
    > > 47519, WAN Type: 47519
    > >
    > > I x'd out my IP for obvious reasons.
    > >
    > > My question is, I keep getting all these hits from various source IP's
    > to
    > > port 47519. I have no clue what that port is or what the connect
    > attempts
    > > are looking for. Is this possibly a file sharing program that one of
    > my
    > > kids may be running?
    > >
    > > Thanks..
    > >
    >
    > AFAIK TCP port 47519 is not currently listed for being associated with
    > anything malicious. So what you may be seeing is either:
    >
    > A. various external clients (from as far away as Japan) attempting to
    > probe for something new that has yet to make the lists
    >
    > B. various external clients (from as far away as Japan) attempting to
    > connect to something that's making itself known for being available
    >
    > Regardless I would suggest that you attempt to discover if there's
    > anything listening on this port. Better yet confirm everything that is
    > currently listening on your PC. To accomplish this you can acquire and
    > install a third-party utility or you can perform a couple of commands
    > and review the results.
    >
    > To perform the latter with Windows XP, simply do the following:
    >
    > 1. Click START | RUN. On the Open line, type CMD /C NETSTAT -ANO
    > >C:\NETSTAT.TXT and press Enter.
    >
    > 2. Click START | RUN. On the Open line, type CMD /C TASKLIST /SVC
    > >C:\TASKLIST.TXT and press Enter.
    >
    > After performing each of the above a DOS window will open and close.
    > When this occurs the system is creating a TXT file reflecting the
    > results of running each command. The first txt file (netstat.txt)
    > provides a listing of ports currently in use. The second txt file
    > (tasklist.txt) provides a listing of all the processes that are running
    > and their respective PID's.
    >
    > Next open both TXT files with Notepad. In the 'netstat.txt' file focus
    > on the ports that are 'listening'. At the far right is a PID number
    > that indicates what process is responsible for placing that port into a
    > 'listening' state. Refer to the 'tasklist.txt' file to determine the
    > process for the PID.
    >
    >
    > --
    > Best regards, from Don Kelloway of Commodon Communications
    > Visit http://www.commodon.com to learn about the "Threats to Your
    > Security on the Internet".
    >
    >
  3.

    "JDB" <jbelle@evitria.com> wrote in message
    news:10hdc3j3fos6kf0@corp.supernews.com...
    > Thanks for the suggestions.
    >
    > I already have utilized netstat and a couple of other tools to
    discover all
    > open ports and running processes on the various machines in my
    network. No
    > active listeners on port 47519 - at least at the time I checked.
    >
    > I'm wondering if this has anything to do with one of my kids running a
    file
    > share program (I know they've dabbled with Emule) on their PC. So
    that,
    > even if it's not running now, it's still a registered "active"
    connection in
    > the peer network via caching or something. But I could swear I
    thought all
    > those programs used ports in like the 4,000's and such.
    >
    > I set up a syslog server so I could validate the connection attempts
    and not
    > just rely on the SonicWall logging report, and sure enough they show
    up.
    > Most of the connections (after I performed DNS on the IP's) seem to be
    > coming from various DSL and other home broadband networks.
    > My next step is to set up a sniffer and check the packets out...
    >
    > Thanks...
    >

    The use of a P2P program certainly sounds like a viable possibility.
    Personally I am not familiar with eMule, but a quick review of their
    website (http://www.emule-project.net/) reveals (as you suspected) that
    it uses TCP ports 4661, 4662, and 4711. For UDP it uses ports 4665 and
    4672. Best of luck...

    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
  4.

    Don Kelloway wrote:

    > "JDB" <jbelle@evitria.com> wrote in message
    > news:10hdc3j3fos6kf0@corp.supernews.com...
    >
    >>Thanks for the suggestions.
    >>
    >>I already have utilized netstat and a couple of other tools to
    >
    > discover all
    >
    >>open ports and running processes on the various machines in my
    >
    > network. No
    >
    >>active listeners on port 47519 - at least at the time I checked.
    >>
    >>I'm wondering if this has anything to do with one of my kids running a
    >
    > file
    >
    >>share program (I know they've dabbled with Emule) on their PC. So
    >
    > that,
    >
    >>even if it's not running now, it's still a registered "active"
    >
    > connection in
    >
    >>the peer network via caching or something. But I could swear I
    >
    > thought all
    >
    >>those programs used ports in like the 4,000's and such.
    >>
    >>I set up a syslog server so I could validate the connection attempts
    >
    > and not
    >
    >>just rely on the SonicWall logging report, and sure enough they show
    >
    > up.
    >
    >>Most of the connections (after I performed DNS on the IP's) seem to be
    >>coming from various DSL and other home broadband networks.
    >>My next step is to set up a sniffer and check the packets out...
    >>
    >>Thanks...
    >>
    >
    >
    > The use of a P2P program certainly sounds like a viable possibility.
    > Personally I am not familiar with eMule, but a quick review of their
    > website (http://www.emule-project.net/) reveals (as you suspected) that
    > it uses TCP ports 4661, 4662, and 4711. For UDP it uses ports 4665 and
    > 4672. Best of luck...
    >
    please install OE-quotefix. Your reply is really busted.

    --
    Franklin M. Siler UIUC: Undergraduate in Electrical Engineering
    Marching Illini Trumpets, Basketball Band Staff, ACM SigMation
    http://umgawa.bands.uiuc.edu/~fsiler/
  5.

    "Franklin M. Siler" <fsiler@NOSPAMuiuc.edu> wrote in message
    news:cf6nqs$c8e$1@news.ks.uiuc.edu...
    > Don Kelloway wrote:
    >
    > > "JDB" <jbelle@evitria.com> wrote in message
    > > news:10hdc3j3fos6kf0@corp.supernews.com...
    > >
    > >>Thanks for the suggestions.
    > >>
    > >>I already have utilized netstat and a couple of other tools to
    > >
    > > discover all
    > >
    > >>open ports and running processes on the various machines in my
    > >
    > > network. No
    > >
    > >>active listeners on port 47519 - at least at the time I checked.
    > >>
    > >>I'm wondering if this has anything to do with one of my kids running
    a
    > >
    > > file
    > >
    > >>share program (I know they've dabbled with Emule) on their PC. So
    > >
    > > that,
    > >
    > >>even if it's not running now, it's still a registered "active"
    > >
    > > connection in
    > >
    > >>the peer network via caching or something. But I could swear I
    > >
    > > thought all
    > >
    > >>those programs used ports in like the 4,000's and such.
    > >>
    > >>I set up a syslog server so I could validate the connection attempts
    > >
    > > and not
    > >
    > >>just rely on the SonicWall logging report, and sure enough they show
    > >
    > > up.
    > >
    > >>Most of the connections (after I performed DNS on the IP's) seem to
    be
    > >>coming from various DSL and other home broadband networks.
    > >>My next step is to set up a sniffer and check the packets out...
    > >>
    > >>Thanks...
    > >>
    > >
    > >
    > > The use of a P2P program certainly sounds like a viable possibility.
    > > Personally I am not familiar with eMule, but a quick review of their
    > > website (http://www.emule-project.net/) reveals (as you suspected)
    that
    > > it uses TCP ports 4661, 4662, and 4711. For UDP it uses ports 4665
    and
    > > 4672. Best of luck...
    > >
    > please install OE-quotefix. Your reply is really busted.
    >
    > --
    > Franklin M. Siler UIUC: Undergraduate in Electrical Engineering
    > Marching Illini Trumpets, Basketball Band Staff, ACM SigMation
    > http://umgawa.bands.uiuc.edu/~fsiler/

    Franklin,

    To whom are you referring? The reply I offered (as reflected above)
    looks to be formatted without issue.


    --
    Best regards, from Don Kelloway of Commodon Communications
    Visit http://www.commodon.com to learn about the "Threats to Your
    Security on the Internet".
  6.

    Don Kelloway wrote:
    [snip]
    >
    > Franklin,
    >
    > To whom are you referring? The reply I offered (as reflected above)
    > looks to be formatted without issue.
    >
    >
    Your newsreader is not properly terminating lines and does not remove
    sigs as it should. If you don't want to fix OE please use Thunderbird.

    --
    Franklin M. Siler UIUC: Undergraduate in Electrical Engineering
    Marching Illini Trumpets, Basketball Band Staff, ACM SigMation
    http://umgawa.bands.uiuc.edu/~fsiler/
  7.

    Just as a FYI followup:

    I sniffed the connection attempts coming in. They're all 70 bytes in size
    and are real similar in packet construction to the ones coming in for the
    connect attempts for port 4662, etc (the designated eMule ports). Just
    can't figure out why port 47519. My next step is to fire up eMule on my
    kids computer and see what ports are listening and then sniff the
    connections again.

    Thanks -

    JDB


    "Don Kelloway" <dkelloway@commodon.com> wrote in message
    news:W7BRc.8236$nx2.5997@newsread2.news.atl.earthlink.net...
    > "JDB" <jbelle@evitria.com> wrote in message
    > news:10hdc3j3fos6kf0@corp.supernews.com...
    > > Thanks for the suggestions.
    > >
    > > I already have utilized netstat and a couple of other tools to
    > discover all
    > > open ports and running processes on the various machines in my
    > network. No
    > > active listeners on port 47519 - at least at the time I checked.
    > >
    > > I'm wondering if this has anything to do with one of my kids running a
    > file
    > > share program (I know they've dabbled with Emule) on their PC. So
    > that,
    > > even if it's not running now, it's still a registered "active"
    > connection in
    > > the peer network via caching or something. But I could swear I
    > thought all
    > > those programs used ports in like the 4,000's and such.
    > >
    > > I set up a syslog server so I could validate the connection attempts
    > and not
    > > just rely on the SonicWall logging report, and sure enough they show
    > up.
    > > Most of the connections (after I performed DNS on the IP's) seem to be
    > > coming from various DSL and other home broadband networks.
    > > My next step is to set up a sniffer and check the packets out...
    > >
    > > Thanks...
    > >
    >
    > The use of a P2P program certainly sounds like a viable possibility.
    > Personally I am not familiar with eMule, but a quick review of their
    > website (http://www.emule-project.net/) reveals (as you suspected) that
    > it uses TCP ports 4661, 4662, and 4711. For UDP it uses ports 4665 and
    > 4672. Best of luck...
    >
    > --
    > Best regards, from Don Kelloway of Commodon Communications
    > Visit http://www.commodon.com to learn about the "Threats to Your
    > Security on the Internet".
    >
    >