Zone Alarm Q

Jim
SG VIP
Posts: 13229
Joined: Mon Oct 16, 2000 12:00 am


Post by Jim »

When Zone Alarm says something like "it has blocked access to your computer from xxx.xxx.xxx.xxx", what exactly does this mean? A WHOIS check usually reveals that it's someone on a RoadRunner connection. What exactly does this mean though? Someone with RoadRunner as their ISP was trying to get in? Scanning my ports? :confused:
Roody
SG VIP
Posts: 30735
Joined: Sun Nov 19, 2000 12:00 am
Location: East Tennessee

Post by Roody »

Originally posted by BIGJIMSLATE:
When Zone Alarm says something like "it has blocked access to your computer from xxx.xxx.xxx.xxx", what exactly does this mean? A WHOIS check usually reveals that it's someone on a RoadRunner connection. What exactly does this mean though? Someone with RoadRunner as their ISP was trying to get in? Scanning my ports? :confused:

Well, it's possible that if RR is your provider they may be pinging you as routine. I would monitor the IP and see how much it happens. If you are worried about it you can always go ahead and call RR and ask them if that pinging is coming from them. Sorry I wasn't more helpful.
Jim
SG VIP
Posts: 13229
Joined: Mon Oct 16, 2000 12:00 am

Post by Jim »

No, I'm on Adelphia's cable networks. And it's not ALWAYS Road Runner, but I'd say about half of the IPs go back there.

It doesn't happen TOO often, but at least once a week where Zone Alarm will say it blocked access.
Silver
Posts: 3311
Joined: Sun Nov 05, 2000 12:00 am
Location: Somewhere drinking like its going out of style.

Post by Silver »

Wouldn't worry too much, Jim. A lot of that is just random scans, I believe. Normally what to look for are mass attacks, such as 5 or more warnings from the same IP on different ports; that would basically be someone scanning you. As far as warnings, I get about 10-15 a day. Just random stuff though. I pay attention to the ones that hit me hard. Like on IRC one day, there was a guy in one of the channels that I go to that had a script that upon joining the channel would hit you 18 times. He didn't even know it was doing it. Freaked me out though. Hehe, so random scans I wouldn't worry about. Whenever you pull up Zone and you have like 32 alerts from the same IP, that's when I would worry.
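
The rule of thumb in the post above (5 or more alerts from one IP on different ports looks like a scan; around 32 alerts from one IP deserves attention), as an added example that is not part of the original thread. The CSV log layout, the function names and the sample addresses are constructed for illustration and are not ZoneAlarm's actual log format.

```python
import csv
from collections import defaultdict
from io import StringIO

PORT_THRESHOLD = 5    # distinct ports from one IP: "someone scanning you"
ALERT_THRESHOLD = 32  # total alerts from one IP: worth a closer look

def build_sample_log():
    """Constructed alerts (assumed layout): date,time,source_ip,dest_port,protocol."""
    lines = ["2001-03-20,09:15:02,198.51.100.7,137,UDP"]  # one stray probe
    # One source touching six different ports within a few seconds.
    for i, port in enumerate([21, 23, 80, 139, 1080, 8080]):
        lines.append(f"2001-03-20,14:02:{10 + i:02d},192.0.2.10,{port},TCP")
    # One source hitting the same port 18 times.
    for i in range(18):
        lines.append(f"2001-03-20,20:30:{i:02d},203.0.113.5,113,TCP")
    lines.append("not a log line")  # malformed input must not crash the parser
    return "\n".join(lines)

def classify_sources(log_text, port_threshold=PORT_THRESHOLD,
                     alert_threshold=ALERT_THRESHOLD):
    """Return {source_ip: verdict} for blocked-inbound alerts."""
    ports = defaultdict(set)   # source IP -> distinct destination ports
    counts = defaultdict(int)  # source IP -> total alerts
    for row in csv.reader(StringIO(log_text)):
        if len(row) != 5 or not row[3].isdigit():
            continue  # skip blank or malformed lines
        src, port = row[2], int(row[3])
        ports[src].add(port)
        counts[src] += 1
    verdicts = {}
    for src, total in counts.items():
        if len(ports[src]) >= port_threshold:
            verdicts[src] = "port-scan"      # many different ports, one source
        elif total >= alert_threshold:
            verdicts[src] = "repeated"       # same source keeps coming back
        else:
            verdicts[src] = "background"     # random noise, per the post
    return verdicts

if __name__ == "__main__":
    for ip, verdict in sorted(classify_sources(build_sample_log()).items()):
        print(f"{ip:15} {verdict}")
```

With the default thresholds the 18 hits on a single port stay "background"; lowering `alert_threshold` shows how the second rule trips.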
Scoot
Regular Member
Posts: 449
Joined: Sun Oct 22, 2000 12:00 am
Location: Spokane WA. USA

Post by Scoot »

You can learn what those alerts are telling you by reading Robert Graham's FAQ: Firewall Forensics (What am I seeing?)
lewis
Regular Member
Posts: 480
Joined: Thu Feb 03, 2000 12:00 am
Location: Canada

Post by lewis »

A really sweet program that breaks down and explains what the ZA alerts mean is called Zonelog. It is a separate program from ZA. Get it here

You just import the ZA logs into it and it'll tell you pretty much everything.

(originally posted by 'Norm' @ Speedcorp)

[ 03-20-2001: Message edited by: lewis ]
quiet sound
New Member
Posts: 18
Joined: Sun Mar 18, 2001 12:00 am

Post by quiet sound »

Not too long ago ZA (not Pro version) stopped writing to the log file. It's there, the name is correct and the box in ZA is checked for sending the alerts to the log, it just doesn't do it anymore. Any ideas?