Sign in with
Sign up | Sign in
Your question

SonicWall Firewall Log Messages

Last response: in Networking
Share
Anonymous
a b 8 Security
August 7, 2004 11:58:19 AM

Archived from groups: comp.security.firewalls (More info?)

Recently installed a SonicWall TZ170 firewall in my home network
environment. Set up the log to record everything just so I could get an
idea of traffic that was being dropped..

I now find that 90% of my log entries are of the following type:

TCP connection dropped 221.119.213.184, 63690, WAN 24.155.81.xxx,
47519, WAN Type: 47519



I x'd out my IP for obvious reasons.

My question is, I keep getting all these hits from various source IP's to
port 47519. I have no clue what that port is or what the connect attempts
are looking for. Is this possibly a file sharing program that one of my
kids may be running?

Thanks..
Anonymous
a b 8 Security
August 7, 2004 9:12:49 PM

Archived from groups: comp.security.firewalls (More info?)

"JDB" <jbelle@evitria.com> wrote in message
news:10h9ka91dva9793@corp.supernews.com...
> Recently installed a SonicWall TZ170 firewall in my home network
> environment. Set up the log to record everything just so I could get
an
> idea of traffic that was being dropped..
>
> I now find that 90% of my log entries are of the following type:
>
> TCP connection dropped 221.119.213.184, 63690, WAN
24.155.81.xxx,
> 47519, WAN Type: 47519
>
> I x'd out my IP for obvious reasons.
>
> My question is, I keep getting all these hits from various source IP's
to
> port 47519. I have no clue what that port is or what the connect
attempts
> are looking for. Is this possibly a file sharing program that one of
my
> kids may be running?
>
> Thanks..
>

AFAIK TCP port 47519 is not currently listed for being associated with
anything malicious. So what you may be seeing is either:

A. various external clients (from as far away as Japan) attempting to
probe for something new that has yet to make the lists

B. various external clients (from as far away as Japan) attempting to
connect to something that's making itself known for being available

Regardless I would suggest that you attempt to discover if there's
anything listening on this port. Better yet confirm everything that is
currently listening on your PC. To accomplish this you can acquire and
install a third-party utility or you can perform a couple of commands
and review the results.

To perform the latter with Windows XP, simply do the following:

1. Click START | RUN. On the Open line, type CMD /C NETSTAT -ANO
>C:\NETSTAT.TXT and press Enter.

2. Click START | RUN. On the Open line, type CMD /C TASKLIST /SVC
>C:\TASKLIST.TXT and press Enter.

After performing each of the above a DOS window will open and close.
When this occurs the system is creating a TXT file reflecting the
results of running each command. The first txt file (netstat.txt)
provides a listing of ports currently in use. The second txt file
(tasklist.txt) provides a listing of all the processes that are running
and their respective PID's.

Next open both TXT files with Notepad. In the 'netstat.txt' file focus
on the ports that are 'listening'. At the far right is a PID number
that indicates what process is responsible for placing that port into a
'listening' state. Refer to the 'tasklist.txt' file to determine the
process for the PID.


--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".
Anonymous
a b 8 Security
August 8, 2004 10:02:48 PM

Archived from groups: comp.security.firewalls (More info?)

Thanks for the suggestions.

I already have utilized netstat and a couple of other tools to discover all
open ports and running proceeses on the various machines in my network. No
active listeners on port 47519 - at least at the time I checked.

I'm wondering if this has anything to do with one of my kids running a file
share program (I know they've dabbled with Emule) on their PC. So that,
even if it's not running now, it's still a registered "active" connection in
the peer network via caching or something. But I could swear I thought all
those programs used ports in like the 4,000's and such.

I set up a syslog server so I could validate the connection attempts and not
just rely on the SonicWall logging report, and sure enough they show up.
Most of the connections (after I performed DNS on the IP's) seem to be
coming from various DSL and other home broadband networks.
My next step is to set up a sniffer and check the packets out...

Thanks...


"Don Kelloway" <dkelloway@commodon.com> wrote in message
news:l48Rc.14262$Jp6.11457@newsread3.news.atl.earthlink.net...
> "JDB" <jbelle@evitria.com> wrote in message
> news:10h9ka91dva9793@corp.supernews.com...
> > Recently installed a SonicWall TZ170 firewall in my home network
> > environment. Set up the log to record everything just so I could get
> an
> > idea of traffic that was being dropped..
> >
> > I now find that 90% of my log entries are of the following type:
> >
> > TCP connection dropped 221.119.213.184, 63690, WAN
> 24.155.81.xxx,
> > 47519, WAN Type: 47519
> >
> > I x'd out my IP for obvious reasons.
> >
> > My question is, I keep getting all these hits from various source IP's
> to
> > port 47519. I have no clue what that port is or what the connect
> attempts
> > are looking for. Is this possibly a file sharing program that one of
> my
> > kids may be running?
> >
> > Thanks..
> >
>
> AFAIK TCP port 47519 is not currently listed for being associated with
> anything malicious. So what you may be seeing is either:
>
> A. various external clients (from as far away as Japan) attempting to
> probe for something new that has yet to make the lists
>
> B. various external clients (from as far away as Japan) attempting to
> connect to something that's making itself known for being available
>
> Regardless I would suggest that you attempt to discover if there's
> anything listening on this port. Better yet confirm everything that is
> currently listening on your PC. To accomplish this you can acquire and
> install a third-party utility or you can perform a couple of commands
> and review the results.
>
> To perform the latter with Windows XP, simply do the following:
>
> 1. Click START | RUN. On the Open line, type CMD /C NETSTAT -ANO
> >C:\NETSTAT.TXT and press Enter.
>
> 2. Click START | RUN. On the Open line, type CMD /C TASKLIST /SVC
> >C:\TASKLIST.TXT and press Enter.
>
> After performing each of the above a DOS window will open and close.
> When this occurs the system is creating a TXT file reflecting the
> results of running each command. The first txt file (netstat.txt)
> provides a listing of ports currently in use. The second txt file
> (tasklist.txt) provides a listing of all the processes that are running
> and their respective PID's.
>
> Next open both TXT files with Notepad. In the 'netstat.txt' file focus
> on the ports that are 'listening'. At the far right is a PID number
> that indicates what process is responsible for placing that port into a
> 'listening' state. Refer to the 'tasklist.txt' file to determine the
> process for the PID.
>
>
> --
> Best regards, from Don Kelloway of Commodon Communications
> Visit http://www.commodon.com to learn about the "Threats to Your
> Security on the Internet".
>
>
Related resources
Anonymous
a b 8 Security
August 9, 2004 6:16:22 AM

Archived from groups: comp.security.firewalls (More info?)

"JDB" <jbelle@evitria.com> wrote in message
news:10hdc3j3fos6kf0@corp.supernews.com...
> Thanks for the suggestions.
>
> I already have utilized netstat and a couple of other tools to
discover all
> open ports and running proceeses on the various machines in my
network. No
> active listeners on port 47519 - at least at the time I checked.
>
> I'm wondering if this has anything to do with one of my kids running a
file
> share program (I know they've dabbled with Emule) on their PC. So
that,
> even if it's not running now, it's still a registered "active"
connection in
> the peer network via caching or something. But I could swear I
thought all
> those programs used ports in like the 4,000's and such.
>
> I set up a syslog server so I could validate the connection attempts
and not
> just rely on the SonicWall logging report, and sure enough they show
up.
> Most of the connections (after I performed DNS on the IP's) seem to be
> coming from various DSL and other home broadband networks.
> My next step is to set up a sniffer and check the packets out...
>
> Thanks...
>

The use of a P2P program certainly sounds like a viable possibility.
Personally I am not familiar with eMule, but a quick review of their
website (http://www.emule-project.net/) reveals (as you suspected) that
it uses TCP ports 4661, 4662, and 4711. For UDP it uses ports 4665 and
4672. Best of luck...

--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".
Anonymous
a b 8 Security
August 9, 2004 6:16:23 AM

Archived from groups: comp.security.firewalls (More info?)

Don Kelloway wrote:

> "JDB" <jbelle@evitria.com> wrote in message
> news:10hdc3j3fos6kf0@corp.supernews.com...
>
>>Thanks for the suggestions.
>>
>>I already have utilized netstat and a couple of other tools to
>
> discover all
>
>>open ports and running proceeses on the various machines in my
>
> network. No
>
>>active listeners on port 47519 - at least at the time I checked.
>>
>>I'm wondering if this has anything to do with one of my kids running a
>
> file
>
>>share program (I know they've dabbled with Emule) on their PC. So
>
> that,
>
>>even if it's not running now, it's still a registered "active"
>
> connection in
>
>>the peer network via caching or something. But I could swear I
>
> thought all
>
>>those programs used ports in like the 4,000's and such.
>>
>>I set up a syslog server so I could validate the connection attempts
>
> and not
>
>>just rely on the SonicWall logging report, and sure enough they show
>
> up.
>
>>Most of the connections (after I performed DNS on the IP's) seem to be
>>coming from various DSL and other home broadband networks.
>>My next step is to set up a sniffer and check the packets out...
>>
>>Thanks...
>>
>
>
> The use of a P2P program certainly sounds like a viable possibility.
> Personally I am not familiar with eMule, but a quick review of their
> website (http://www.emule-project.net/) reveals (as you suspected) that
> it uses TCP ports 4661, 4662, and 4711. For UDP it uses ports 4665 and
> 4672. Best of luck...
>
please install OE-quotefix. Your reply is really busted.

--
Franklin M. Siler UIUC: Undergraduate in Electrical Engineering
Marching Illini Trumpets, Basketball Band Staff, ACM SigMation
http://umgawa.bands.uiuc.edu/~fsiler/
Anonymous
a b 8 Security
August 9, 2004 8:59:05 AM

Archived from groups: comp.security.firewalls (More info?)

"Franklin M. Siler" <fsiler@NOSPAMuiuc.edu> wrote in message
news:cf6nqs$c8e$1@news.ks.uiuc.edu...
> Don Kelloway wrote:
>
> > "JDB" <jbelle@evitria.com> wrote in message
> > news:10hdc3j3fos6kf0@corp.supernews.com...
> >
> >>Thanks for the suggestions.
> >>
> >>I already have utilized netstat and a couple of other tools to
> >
> > discover all
> >
> >>open ports and running proceeses on the various machines in my
> >
> > network. No
> >
> >>active listeners on port 47519 - at least at the time I checked.
> >>
> >>I'm wondering if this has anything to do with one of my kids running
a
> >
> > file
> >
> >>share program (I know they've dabbled with Emule) on their PC. So
> >
> > that,
> >
> >>even if it's not running now, it's still a registered "active"
> >
> > connection in
> >
> >>the peer network via caching or something. But I could swear I
> >
> > thought all
> >
> >>those programs used ports in like the 4,000's and such.
> >>
> >>I set up a syslog server so I could validate the connection attempts
> >
> > and not
> >
> >>just rely on the SonicWall logging report, and sure enough they show
> >
> > up.
> >
> >>Most of the connections (after I performed DNS on the IP's) seem to
be
> >>coming from various DSL and other home broadband networks.
> >>My next step is to set up a sniffer and check the packets out...
> >>
> >>Thanks...
> >>
> >
> >
> > The use of a P2P program certainly sounds like a viable possibility.
> > Personally I am not familiar with eMule, but a quick review of their
> > website (http://www.emule-project.net/) reveals (as you suspected)
that
> > it uses TCP ports 4661, 4662, and 4711. For UDP it uses ports 4665
and
> > 4672. Best of luck...
> >
> please install OE-quotefix. Your reply is really busted.
>
> --
> Franklin M. Siler UIUC: Undergraduate in Electrical Engineering
> Marching Illini Trumpets, Basketball Band Staff, ACM SigMation
> http://umgawa.bands.uiuc.edu/~fsiler/

Franklin,

To whom are you referring? The reply I offered (as reflected above)
looks to be formatted without issue.


--
Best regards, from Don Kelloway of Commodon Communications
Visit http://www.commodon.com to learn about the "Threats to Your
Security on the Internet".
Anonymous
a b 8 Security
August 9, 2004 8:59:06 AM

Archived from groups: comp.security.firewalls (More info?)

Don Kelloway wrote:
[snip]
>
> Franklin,
>
> To whom are you referring? The reply I offered (as reflected above)
> looks to be formatted without issue.
>
>
Your newsreader is not properly terminating lines and does not remove
sigs as it should. If you don't want to fix OE please use Thunderbird.

--
Franklin M. Siler UIUC: Undergraduate in Electrical Engineering
Marching Illini Trumpets, Basketball Band Staff, ACM SigMation
http://umgawa.bands.uiuc.edu/~fsiler/
Anonymous
a b 8 Security
August 9, 2004 9:24:07 PM

Archived from groups: comp.security.firewalls (More info?)

Just as a FYI followup:

I sniffed the connection attempts coming in. They're all 70 bytes in size
and are real similiar in packet construction to the ones coming in for the
connect attempts for port 4662, etc (the designated eMule ports). Just
can't figure out why port 47519. My next step is to fire up eMule on my
kids computer and see what ports are listening and then sniff the
connections again.

Thanks -

JDB


"Don Kelloway" <dkelloway@commodon.com> wrote in message
news:W7BRc.8236$nx2.5997@newsread2.news.atl.earthlink.net...
> "JDB" <jbelle@evitria.com> wrote in message
> news:10hdc3j3fos6kf0@corp.supernews.com...
> > Thanks for the suggestions.
> >
> > I already have utilized netstat and a couple of other tools to
> discover all
> > open ports and running proceeses on the various machines in my
> network. No
> > active listeners on port 47519 - at least at the time I checked.
> >
> > I'm wondering if this has anything to do with one of my kids running a
> file
> > share program (I know they've dabbled with Emule) on their PC. So
> that,
> > even if it's not running now, it's still a registered "active"
> connection in
> > the peer network via caching or something. But I could swear I
> thought all
> > those programs used ports in like the 4,000's and such.
> >
> > I set up a syslog server so I could validate the connection attempts
> and not
> > just rely on the SonicWall logging report, and sure enough they show
> up.
> > Most of the connections (after I performed DNS on the IP's) seem to be
> > coming from various DSL and other home broadband networks.
> > My next step is to set up a sniffer and check the packets out...
> >
> > Thanks...
> >
>
> The use of a P2P program certainly sounds like a viable possibility.
> Personally I am not familiar with eMule, but a quick review of their
> website (http://www.emule-project.net/) reveals (as you suspected) that
> it uses TCP ports 4661, 4662, and 4711. For UDP it uses ports 4665 and
> 4672. Best of luck...
>
> --
> Best regards, from Don Kelloway of Commodon Communications
> Visit http://www.commodon.com to learn about the "Threats to Your
> Security on the Internet".
>
>
!