ROB'S ZONE ALARM PAGE
information about Zone Alarm, its log file and its contents...

Intrusion Logs:

These logs are no longer generated daily, as my network is now behind a broadband router/switch/firewall which filters out most of this type of traffic. I am leaving these logs on the Net to provide a reminder of just how much unsolicited internet traffic there is and how often people try to intrude upon others' machines.

Zone Alarm Log for One Week - Intrusion attempts (48) from 2001-11-22 thru 2001-11-28 [16kb]
Zone Alarm Log for One Month - Intrusion attempts (1076) from 2001-10-01 thru 2001-10-31 [311kb]
Rob's Year 2001 2nd Qtr Log - Intrusion attempts Year 2001, Second Quarter (Zone Alarm) [177kb]
Rob's Year 2001 1st Qtr Log - Intrusion attempts Year 2001, First Quarter (Zone Alarm) [110kb]
Rob's Year 2000 Log - Intrusion attempts Year 2000 (BlackICE) [189kb]
Rob's Year 1999 Log - Intrusion attempts (partial) Year 1999 (BlackICE) [19kb]
Robin Keir's Log - Author of ICE Watch Program

The year 2001 saw an increase in the number of intrusion attempts against my computer so I started generating my webpages on a quarterly basis. Then around the first of August 2001 the volume of intrusion attempts increased dramatically.

Time Period     Intrusion Attempts     Average Per Day
2001 1st Qtr            392                   5.3
2001 2nd Qtr            647                   7.1
2001 3rd Qtr           5960                  64.7

I can pinpoint the time somewhat by examining the Zone Alarm Log. In the last 3 days of July 2001 my log averaged 5 hits a day. In the first 3 days of August 2001 my log averaged 35 hits a day! In the last 3 days of October 2001 my log averaged 107 hits per day!! What's going on, I am not sure.

Zone Alarm Log Info:

When logging the alerts, the log is stored as ZALog.txt in the ZoneAlarm default location, in a folder called Internet Logs in your Windows directory. On my machine this is: C:\WINDOWS\Internet Logs\ZALog.txt. The size of the log is displayed next to the location, and the log can be deleted when you feel it is appropriate, so it does not get too big.

Log entries look like this:

"FWIN,2000/03/07,14:44:58,-8:00 GMT, Src=192.168.168.116:0, Dest=192.168.168.113:0, Incoming, ICMP"

FWIN indicates that the firewall blocked an incoming request to connect to your computer. The entry also includes the following information:


"FWOUT,2000/03/07,14:47:02,-8:00 GMT,QuickTime Player Application tried to access the Internet. Remote host: 206:80:6:45:53"


FWOUT indicates that the firewall blocked an outbound request from your computer. The entry also includes the following information:

"PE,2000/03/22,17:17:11 -8:00 GMT,Netscape Navigator application file,206.80.6.45:53"

The "PE" entry informs you that an application on your computer attempted to access the Internet. The entry also includes the following information:

Key      Description
ACCESS   an application was blocked because it did not have access permission.
FWIN     indicates that the firewall blocked an inbound packet of data coming to your computer. Some, but not all, of these packets are connection attempts.
FWLOOP   the firewall blocked a packet addressed to the loopback adapter (127.0.0.1).
FWOUT    indicates that the firewall blocked an outbound packet of data from leaving your computer.
FWROUTE  the firewall blocked a packet that was not addressed to or from your computer, but was routed through it.
LOCK     the firewall blocked a packet due to a lock violation.
MS       MailSafe quarantined a file attachment.
PE       indicates that you said "yes," when you were prompted to allow an application on your computer to access the Internet.
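As an added example (not part of Rob's page or of ZoneAlarm itself), here is a small Python parser for ZALog.txt lines in the FWIN/FWOUT/PE formats shown above. It splits each entry into its fields and then computes the "hits per day" figure and the most-probed destination ports; the log lines it runs on are constructed samples in the same format, not a real log.

```python
import re
from collections import Counter

# Constructed sample entries in the ZALog.txt format shown above (not a real log).
SAMPLE_LOG = """\
FWIN,2000/03/07,14:44:58,-8:00 GMT, Src=192.168.168.116:0, Dest=192.168.168.113:0, Incoming, ICMP
FWIN,2000/03/07,16:02:10,-8:00 GMT, Src=192.168.168.116:2314, Dest=192.168.168.113:139, Incoming, TCP
FWOUT,2000/03/07,14:47:02,-8:00 GMT,QuickTime Player Application tried to access the Internet. Remote host: 206:80:6:45:53
PE,2000/03/22,17:17:11 -8:00 GMT,Netscape Navigator application file,206.80.6.45:53
FWIN,2000/03/08,09:12:33,-8:00 GMT, Src=10.0.0.5:1025, Dest=192.168.168.113:139, Incoming, TCP
"""

# "Src=1.2.3.4:port" / "Dest=1.2.3.4:port" as they appear in FWIN entries.
ENDPOINT = re.compile(r"(Src|Dest)=(\d+\.\d+\.\d+\.\d+):(\d+)")

def parse_entry(line):
    """Split one ZALog.txt line into a dict; FWIN lines also get src/dest/ports/proto."""
    parts = [p.strip() for p in line.strip().split(",")]
    if len(parts) < 3:
        return None
    # The PE sample has no comma between time and zone, so take the first token only.
    rec = {"type": parts[0], "date": parts[1], "time": parts[2].split(" ")[0]}
    if rec["type"] == "FWIN":
        for m in ENDPOINT.finditer(line):
            rec[m.group(1).lower()] = m.group(2)
            rec[m.group(1).lower() + "_port"] = int(m.group(3))
        rec["proto"] = parts[-1]
    return rec

def parse_log(text):
    return [r for r in (parse_entry(l) for l in text.splitlines() if l.strip()) if r]

def inbound_hits_per_day(records):
    """Count blocked inbound (FWIN) entries per calendar day - the 'hits a day' figure."""
    return Counter(r["date"] for r in records if r["type"] == "FWIN")

def average_per_day(counts):
    return sum(counts.values()) / len(counts) if counts else 0.0

def top_dest_ports(records, n=3):
    """Most frequently blocked (proto, destination port) pairs among FWIN entries."""
    return Counter((r["proto"], r["dest_port"]) for r in records if r["type"] == "FWIN").most_common(n)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    per_day = inbound_hits_per_day(recs)
    for day, n in sorted(per_day.items()):
        print(day, n)
    print("average per day:", round(average_per_day(per_day), 1))
    print("top ports:", top_dest_ports(recs))
```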


What are these TCP Flags? (ZA Pro users)

The TCP flags are:
S (SYN)
F (FIN)
R (RESET)
P (PUSH)
A (ACK)
U (URGENT)
4 (low-order unused bit)
8 (high-order unused bit)

The SYN-flag is only set in the first packet initiating a TCP connection. It represents an attempt to make a connection rather than a response to an existing connection.

The FIN-flag represents an attempt to terminate a connection.

ICMP types:
0 - Echo Reply
3 - Destination Unreachable
4 - Source Quench
5 - Redirect
8 - Echo Request
9 - Router Advertisement
10 - Router Solicitation
11 - Time Exceeded
12 - Parameter Problem
13 - Timestamp Request
14 - Timestamp Reply
15 - Information Request
16 - Information Reply
17 - Address Mask Request
18 - Address Mask Reply


Copyright © 1996-2003 Robert P. Anderson