
Traffic - Suspicious activity blocked by firewall.

Status
Not open for further replies.

kzn (MIS | Jan 28, 2005 | 209 | GB)
Hi

I have been looking through the firewall logs and my PC seems to be creating a lot of traffic. My PC is DELL1; the port number appears directly after. Should I be concerned? I have run McAfee and it has not picked up anything. Is this normal... just that I don't see any other machines doing the same thing. These entries are marked in red - Suspicious activity blocked by firewall.

Any help appreciated, thank you

Below is the log from the firewall

10211 05Mar2010 12:44:34 TCP 10.16.0.102 (DELL1) 3277 10.0.0.3 139 (NetBIOS)
10210 05Mar2010 12:44:33 TCP 10.16.0.102 (DELL1) 3276 10.0.0.3 445 (NetBIOS)
10208 05Mar2010 12:44:28 TCP 10.16.0.102 (DELL1) 3274 10.0.0.3 139 (NetBIOS)
10207 05Mar2010 12:44:27 TCP 10.16.0.102 (DELL1) 3273 10.0.0.3 445 (NetBIOS)
10206 05Mar2010 12:43:35 UDP 10.16.0.102 (DELL1) 137 10.0.0.3 137 (NetBIOS)
10205 05Mar2010 12:43:34 TCP 10.16.0.102 (DELL1) 3269 10.0.0.3 139 (NetBIOS)
10204 05Mar2010 12:43:33 TCP 10.16.0.102 (DELL1) 3268 10.0.0.3 445 (NetBIOS)
10203 05Mar2010 12:43:28 TCP 10.16.0.102 (DELL1) 3266 10.0.0.3 139 (NetBIOS)
10202 05Mar2010 12:43:27 TCP 10.16.0.102 (DELL1) 3265 10.0.0.3 445 (NetBIOS)
10201 05Mar2010 12:42:34 TCP 10.16.0.102 (DELL1) 3260 10.0.0.3 139 (NetBIOS)
10200 05Mar2010 12:42:33 TCP 10.16.0.102 (DELL1) 3259 10.0.0.3 445 (NetBIOS)
10199 05Mar2010 12:42:28 TCP 10.16.0.102 (DELL1) 3257 10.0.0.3 139 (NetBIOS)
10198 05Mar2010 12:42:27 TCP 10.16.0.102 (DELL1) 3256 10.0.0.3 445 (NetBIOS)
 
If you have an always-on connection, such as cable or DSL, you will see continuous traffic as a normal part of being on the Internet.

When in doubt, trace the IP address and see where it comes from.

As always, keep your firewall and virus software up to date and your OS patched.
 
Eyec

Thanks for the reply

The originator's IP is: 10.16.0.102 (my machine's IP)
Target IP is: 10.16.0.3 (our file server IP)
 
Hi

Does anyone else have any view on my question?

Thanks
 
Aren't ports 139 and 445 typically used by Windows for file sharing? Are you sure that DELL1 isn't just attempting to access file resources on the file server? Have you tried running a packet sniffer, like Wireshark, on DELL1 in an attempt to determine what data it's sending?
 
Wireshark it!
Destination is 10.0.0.3; do you recognise this as part of your LAN? Looks like a gateway IP if you ask me.
 
10.0.0.3 is in private address space (just like an unknown or non-specified apartment number) and cannot directly interact with the Internet (regardless of whether you have the street address - your external IP) except through NAT ('network address translation', as applicable inside a router):


Vince
ASAP Member (VopThis) - Alliance of Security Analysis Professionals
_____________________________________________________________
[*** If everyone is thinking alike, then somebody isn't thinking. ***]
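A small triage script for the entries kzn posted, added here as an example; it is not code from the thread or from any of its posters. It parses the firewall's one-line format (assumed from the lines above), counts flows per destination port, labels the Windows NetBIOS/SMB ports the replies mention, checks whether both ends sit in RFC 1918 private space as Vince describes, and lists any destination that differs from the file-server address kzn gave. The input is constructed from the posted lines and all function names are the example's own.

```python
"""Triage of the firewall entries posted in this thread.

Added example, not code from the thread or its posters. It assumes the
one-line-per-event format seen in the post:
  <id> <date> <time> <proto> <src> (<name>) <sport> <dst> <dport> (<label>)
All function names here are hypothetical.
"""
import ipaddress
import re
from collections import Counter

# Constructed input: the thirteen entries kzn posted, copied verbatim.
SAMPLE_LOG = """\
10211 05Mar2010 12:44:34 TCP 10.16.0.102 (DELL1) 3277 10.0.0.3 139 (NetBIOS)
10210 05Mar2010 12:44:33 TCP 10.16.0.102 (DELL1) 3276 10.0.0.3 445 (NetBIOS)
10208 05Mar2010 12:44:28 TCP 10.16.0.102 (DELL1) 3274 10.0.0.3 139 (NetBIOS)
10207 05Mar2010 12:44:27 TCP 10.16.0.102 (DELL1) 3273 10.0.0.3 445 (NetBIOS)
10206 05Mar2010 12:43:35 UDP 10.16.0.102 (DELL1) 137 10.0.0.3 137 (NetBIOS)
10205 05Mar2010 12:43:34 TCP 10.16.0.102 (DELL1) 3269 10.0.0.3 139 (NetBIOS)
10204 05Mar2010 12:43:33 TCP 10.16.0.102 (DELL1) 3268 10.0.0.3 445 (NetBIOS)
10203 05Mar2010 12:43:28 TCP 10.16.0.102 (DELL1) 3266 10.0.0.3 139 (NetBIOS)
10202 05Mar2010 12:43:27 TCP 10.16.0.102 (DELL1) 3265 10.0.0.3 445 (NetBIOS)
10201 05Mar2010 12:42:34 TCP 10.16.0.102 (DELL1) 3260 10.0.0.3 139 (NetBIOS)
10200 05Mar2010 12:42:33 TCP 10.16.0.102 (DELL1) 3259 10.0.0.3 445 (NetBIOS)
10199 05Mar2010 12:42:28 TCP 10.16.0.102 (DELL1) 3257 10.0.0.3 139 (NetBIOS)
10198 05Mar2010 12:42:27 TCP 10.16.0.102 (DELL1) 3256 10.0.0.3 445 (NetBIOS)
"""

LINE_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+)\s+\((?P<srcname>[^)]*)\)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+\((?P<label>[^)]*)\)\s*$"
)

# Ports Windows uses for NetBIOS name service and SMB file sharing.
WINDOWS_SHARING_PORTS = {
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service (SMB over NetBIOS)",
    ("TCP", 445): "SMB direct (microsoft-ds)",
}

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Turn each matching line into a dict; lines in another format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["sport"] = int(e["sport"])
            e["dport"] = int(e["dport"])
            events.append(e)
    return events


def is_rfc1918(addr):
    """True if addr is in RFC 1918 private space (not routable on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def summarize(events):
    """Collapse events into one row per (src, dst, proto, dport) with a count."""
    counts = Counter((e["src"], e["dst"], e["proto"], e["dport"]) for e in events)
    rows = []
    for (src, dst, proto, dport), n in sorted(counts.items()):
        rows.append({
            "src": src, "dst": dst, "proto": proto, "dport": dport, "count": n,
            "service": WINDOWS_SHARING_PORTS.get((proto, dport), "unclassified"),
            "src_private": is_rfc1918(src), "dst_private": is_rfc1918(dst),
        })
    return rows


def unexpected_destinations(events, expected_server):
    """Destinations in the log that differ from the server the user believes is being reached."""
    return sorted({e["dst"] for e in events if e["dst"] != expected_server})


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for r in summarize(evts):
        print(f'{r["src"]} -> {r["dst"]} {r["proto"]}/{r["dport"]:<4} x{r["count"]:<3} '
              f'{r["service"]}  private-to-private={r["src_private"] and r["dst_private"]}')
    # kzn named 10.16.0.3 as the file server; the log shows a different destination.
    print("destinations not matching 10.16.0.3:", unexpected_destinations(evts, "10.16.0.3"))
```

Run against the posted lines it reports six TCP/139 flows, six TCP/445 flows and one UDP/137 flow, all from a private address to a private address, and flags that the logged destination (10.0.0.3) is not the file-server address kzn wrote down (10.16.0.3). That mismatch is the first thing to resolve: confirm which host on the LAN actually owns 10.0.0.3 before deciding whether the blocked SMB/NetBIOS connections are ordinary file-share access.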
 