Re: How to tell if a firewall alert is suspicious or not
comp.security.firewalls archive
From: Art <null@zilch.com>
Date: Fri Sep 16 2005 - 15:50:19 CEST

On 15 Sep 2005 10:10:51 +0200, Volker Birk <bumens@dingens.org> wrote:

>Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
>> How can I tell if a Sygate firewall alert is suspicious or not?
>> For example, I received this message from Sygate just now:
>> Sygate Personal Firewall:
>> Firefox (firefox.exe) is being contacted from a remote machine
>> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
>> Do you want to allow this program to access the network?
>> How can I tell if this is suspicious or not?
>
>You can't. This is why such messages are nonsense. BTW, they're useless,
>too, because Sygate also cannot prevent "phoning home" by malicious
>programs anyway, as my simple POC here shows:
>
>http://www.dingens.org/breakout.c

Volker, what do you recommend for finding malicious outbound? Is there
some freeware packet logging sw that can be set to be smart enough to
alert users? Payware? If so, what would something like that cost?

Art
   
http://home.epix.net/~artnpeg
Received on Thu Sep 29 20:08:31 2005
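Art asks for packet logging that is "smart enough to alert users" about malicious outbound traffic. The following is an added example, not code from this thread, from Sygate, or from Volker's POC: a small outbound-connection auditor that reads connection-log lines and flags the ones a simple per-process policy does not expect. The log format, the process names, the addresses and the policy table are all constructed for the example and are not Sygate's real log format. It also shows the piece of context the alert quoted at the top of the thread lacks: an inbound packet to a high local port that matches an earlier locally initiated connection is a reply, not an unsolicited contact, and the auditor only alerts on inbound traffic it cannot pair with a prior outbound connection.

```python
"""Outbound-connection auditor over connection-log lines.

Added example, not part of the original thread. The log line format,
POLICY table and SAMPLE_LOG below are constructed for illustration; the
format is an assumption and is not Sygate's actual log format.
"""

import re
from dataclasses import dataclass

# Constructed sample log: timestamp, direction, process, src -> dst.
# For OUT lines src is the local endpoint; for IN lines dst is local.
SAMPLE_LOG = """\
2005-09-16 15:50:01 OUT firefox.exe 192.168.1.10:1258 -> 206.13.28.12:80
2005-09-16 15:50:02 IN  firefox.exe 206.13.28.12:80 -> 192.168.1.10:1258
2005-09-16 15:50:05 OUT outlook.exe 192.168.1.10:1259 -> 192.168.1.5:110
2005-09-16 15:50:09 OUT svchost.exe 192.168.1.10:1260 -> 203.0.113.77:6667
2005-09-16 15:50:12 OUT notepad.exe 192.168.1.10:1261 -> 198.51.100.9:443
2005-09-16 15:50:15 OUT firefox.exe 192.168.1.10:1262 -> 198.51.100.23:443
2005-09-16 15:50:20 OUT firefox.exe 192.168.1.10:1263 -> 203.0.113.77:6667
2005-09-16 15:50:25 IN  System 198.51.100.200:3332 -> 192.168.1.10:445
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (OUT|IN)\s+(\S+) (\S+):(\d+) -> (\S+):(\d+)$"
)

# Hypothetical policy: remote ports each process is expected to use.
# A process absent from the table is not expected to use the network.
POLICY = {
    "firefox.exe": {80, 443},
    "outlook.exe": {25, 110, 143},
}


@dataclass
class Conn:
    ts: str
    direction: str  # "OUT" or "IN"
    process: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line):
    """Parse one log line into a Conn, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, direction, proc, src, sport, dst, dport = m.groups()
    return Conn(ts, direction, proc, src, int(sport), dst, int(dport))


def audit(log_text, policy=POLICY):
    """Return a list of (reason, Conn) worth alerting on.

    Outbound connections are checked against the per-process policy.
    Inbound lines are paired with earlier outbound connections by
    (local port, remote address, remote port); a match means the traffic
    is a reply to something the local program initiated and is ignored.
    """
    alerts = []
    initiated = set()  # (local port, remote ip, remote port) of OUT lines
    for line in log_text.splitlines():
        c = parse_line(line)
        if c is None:
            continue  # skip lines that are not connection records
        if c.direction == "OUT":
            initiated.add((c.sport, c.dst, c.dport))
            allowed = policy.get(c.process)
            if allowed is None:
                alerts.append(("process not expected to use the network", c))
            elif c.dport not in allowed:
                alerts.append(("port not allowed for this process", c))
        else:
            # For IN lines the local endpoint is dst, the remote one is src.
            if (c.dport, c.src, c.sport) not in initiated:
                alerts.append(("unsolicited inbound contact", c))
    return alerts


if __name__ == "__main__":
    for reason, c in audit(SAMPLE_LOG):
        print(f"{c.ts} {c.process:12s} {c.src}:{c.sport} -> "
              f"{c.dst}:{c.dport}  [{reason}]")
```

With the constructed log this flags svchost.exe and notepad.exe as processes with no network expectation, the firefox.exe connection to port 6667 as a port the policy does not allow for that process, and the inbound contact to port 445 as unsolicited; the inbound packet from 206.13.28.12 to local port 1258 is recognised as the reply to the preceding outbound connection and produces no alert. A real deployment would need the process-to-connection attribution to come from the host (the firewall or the OS socket table), since a pure packet logger on the wire cannot see which program owns a socket.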