Zone Alarm Log for One Week - Intrusion attempts (48) from 2001-11-22 thru 2001-11-28
Zone Alarm Log for One Month - Intrusion attempts (1076) from 2001-10-01 thru 2001-10-31 [311kb]
Rob's Year 2001 2nd Qtr Log - Intrusion attempts Year 2001, Second Quarter (Zone Alarm) [177kb]
Rob's Year 2001 1st Qtr Log - Intrusion attempts Year 2001, First Quarter (Zone Alarm) [110kb]
Rob's Year 2000 Log - Intrusion attempts Year 2000 (BlackICE) [189kb]
Rob's Year 1999 Log - Intrusion attempts (partial) Year 1999 (BlackICE) [19kb]
Robin Keir's Log - Author of ICE Watch Program
The year 2001 saw an increase in the number of intrusion attempts against my computer so
I started generating my webpages on a quarterly basis. Then around the first of August
2001 the volume of intrusion attempts increased dramatically.
| Time Period  | Intrusion Attempts | Average Per Day |
|--------------|--------------------|-----------------|
| 2001 1st Qtr | 392                | 5.3             |
| 2001 2nd Qtr | 647                | 7.1             |
| 2001 3rd Qtr | 5960               | 64.7            |
I can pinpoint the time somewhat by examining the Zone Alarm Log. The last 3 days
of July 2001 my log averaged 5 hits a day. The first 3 days of August 2001 my log
averaged 35 hits a day! The last 3 days of October 2001 my log averaged 107 hits per day!!
What's going on I am not sure.
When alert logging is turned on, ZoneAlarm writes the log as ZALog.txt in its default location, a folder called Internet Logs in your Windows directory. On my machine this is: C:\WINDOWS\Internet Logs\ZALog.txt. The size of the log is displayed next to the location, and the log can be deleted when you feel it is appropriate, so it does not get too big. If you want to compare periods later, as in the quarterly table above, copy the file somewhere else before deleting it; the entries are gone once the file is removed.
Log entries look like this:
"FWIN,2000/03/07,14:44:58,-8:00 GMT, Src=192.168.168.116:0, Dest=192.168.168.113:0,
FWIN indicates that the firewall blocked an inbound packet sent to your computer; often, but not always, this is a request to connect. The entry also includes the following information:
"FWOUT,2000/03/07,14:47:02,-8:00 GMT,QuickTime Player Application tried to access the Internet. Remote host: 206.80.6.45:53"
FWOUT indicates that the firewall blocked an outbound request from your computer. The entry also includes the following information:
"PE,2000/03/22,17:17:11 -8:00 GMT,Netscape Navigator application file,18.104.22.168:53"
The "PE" entry informs you that an application on your computer attempted to access the Internet and was permitted to. The entry also includes the following information:
| Entry   | Meaning |
|---------|---------|
| ACCESS  | An application was blocked because it did not have access permission. |
| FWIN    | The firewall blocked an inbound packet of data coming to your computer. Some, but not all, of these packets are connection attempts. |
| FWLOOP  | The firewall blocked a packet addressed to the loopback adapter (127.0.0.1). |
| FWOUT   | The firewall blocked an outbound packet of data from leaving your computer. |
| FWROUTE | The firewall blocked a packet that was not addressed to or from your computer, but was routed through it. |
| LOCK    | The firewall blocked a packet due to a lock violation. |
| MS      | MailSafe quarantined a file attachment. |
| PE      | You said "yes" when you were prompted to allow an application on your computer to access the Internet. |
What are these TCP Flags? (ZA Pro users)
The TCP flags are:
4 (low-order unused bit)
8 (high-order unused bit)
The SYN flag is set only in the packets that open a TCP connection. The first packet from the side that initiates has SYN set and ACK clear, so an inbound entry whose only flag is S is an attempt to make a new connection to your computer rather than a reply to a connection your computer opened.
The FIN flag signals that the sender has finished sending and wants to close the connection normally.
The ICMP message types are:
0 - Echo Reply
3 - Destination Unreachable
4 - Source Quench
5 - Redirect
8 - Echo Request
9 - Router Advertisement
10 - Router Solicitation
11 - Time Exceeded
12 - Parameter Problem
13 - Timestamp Request
14 - Timestamp Reply
15 - Information Request
16 - Information Reply
17 - Address Mask Request
18 - Address Mask Reply
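The parser below is an added example, not code from this page or from Zone Labs. It reads ZALog.txt-style entries, decodes the TCP flag letters and the ICMP type numbers listed above, and then computes the two things this page tracks by hand: blocked inbound hits per day (and the average over a date range) and which sources are sending unsolicited SYNs to many ports, which is what a port scan looks like in this log. The exact field layout (Src=/Dest= fields, "TCP (flags:S)", "ICMP (type:8/subtype:0)", a bare "UDP") and the single-letter flag codes F/S/R/P/A/U are assumptions about the ZoneAlarm Pro format; the letters "4" and "8" for the two unused bits follow the list above. The sample log lines are constructed and use documentation addresses.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# ICMP type numbers as listed on this page (the standard assignments).
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
    8: "Echo Request", 9: "Router Advertisement", 10: "Router Solicitation",
    11: "Time Exceeded", 12: "Parameter Problem", 13: "Timestamp Request",
    14: "Timestamp Reply", 15: "Information Request", 16: "Information Reply",
    17: "Address Mask Request", 18: "Address Mask Reply",
}
# ASSUMPTION: ZoneAlarm Pro logs one letter per set TCP flag ("flags:SA"); F/S/R/P/A/U
# are the RFC 793 flags, "4" and "8" are the two unused bits named on this page.
TCP_FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", "A": "ACK", "U": "URG",
                  "4": "low-order unused bit", "8": "high-order unused bit"}
FLAG_ORDER = "FSRPAU48"
# ASSUMPTION: line layout. Accepts both "14:44:58,-8:00 GMT, Src=..." (as quoted on
# this page, with a comma and spaces) and the tighter "14:44:58 -8:00 GMT,Src=..." form.
LINE_RE = re.compile(
    r"^(?P<type>[A-Z]+),(?P<day>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2}),?\s*"
    r"(?P<tz>[+-]\d{1,2}:\d{2} GMT),(?P<rest>.*)$")
ENDPOINT_RE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")

# Constructed sample log (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = """\
FWIN,2001/07/29,08:05:10 -8:00 GMT,Src=192.0.2.77:0,Dest=192.0.2.5:0,ICMP (type:8/subtype:0)
FWIN,2001/07/30,21:14:32 -8:00 GMT,Src=198.51.100.23:3241,Dest=192.0.2.5:27374,TCP (flags:S)
FWIN,2001/08/01,02:11:45 -8:00 GMT,Src=203.0.113.40:1052,Dest=192.0.2.5:21,TCP (flags:S)
FWIN,2001/08/01,02:11:46 -8:00 GMT,Src=203.0.113.40:1053,Dest=192.0.2.5:23,TCP (flags:S)
FWIN,2001/08/01,02:11:46 -8:00 GMT,Src=203.0.113.40:1054,Dest=192.0.2.5:80,TCP (flags:S)
FWIN,2001/08/01,02:11:47 -8:00 GMT,Src=203.0.113.40:1055,Dest=192.0.2.5:139,TCP (flags:S)
FWIN,2001/08/01,11:40:03 -8:00 GMT,Src=198.51.100.9:137,Dest=192.0.2.5:137,UDP
FWIN,2001/08/02,14:44:58,-8:00 GMT, Src=192.168.168.116:0, Dest=192.168.168.113:0, ICMP (type:3/subtype:1)
FWOUT,2001/08/02,14:47:02 -8:00 GMT,Src=192.0.2.5:1030,Dest=203.0.113.9:53,UDP
PE,2001/08/02,17:17:11 -8:00 GMT,Netscape Navigator application file,203.0.113.20:80
"""

def parse_entry(line):
    """Parse one ZALog.txt line into a dict; return None for lines that are not entries."""
    m = LINE_RE.match(line.strip().strip('"'))
    if not m:
        return None
    e = {"type": m["type"], "day": m["day"], "time": m["time"], "src_ip": None,
         "src_port": None, "dst_ip": None, "dst_port": None, "proto": None,
         "flags": set(), "icmp_type": None, "icmp_name": None, "app": None}
    for f in (x.strip() for x in m["rest"].split(",") if x.strip()):
        ep = ENDPOINT_RE.search(f)
        if f.startswith("Src=") and ep:
            e["src_ip"], e["src_port"] = ep["ip"], int(ep["port"])
        elif f.startswith("Dest=") and ep:
            e["dst_ip"], e["dst_port"] = ep["ip"], int(ep["port"])
        elif f.startswith("TCP"):
            e["proto"] = "TCP"
            fm = re.search(r"flags:([FSRPAU48]+)", f)
            e["flags"] = set(fm.group(1)) if fm else set()
        elif f.startswith("UDP"):
            e["proto"] = "UDP"
        elif f.startswith("ICMP"):
            e["proto"] = "ICMP"
            tm = re.search(r"type:(\d+)", f)
            if tm:
                e["icmp_type"] = int(tm.group(1))
                e["icmp_name"] = ICMP_TYPES.get(e["icmp_type"], "unknown")
        elif ep and ENDPOINT_RE.fullmatch(f):
            e["dst_ip"], e["dst_port"] = ep["ip"], int(ep["port"])  # PE/ACCESS remote host
        else:
            e["app"] = f                                            # PE/ACCESS program name
    return e

def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]

def describe_flags(flags):
    """{"A", "S"} -> ["SYN", "ACK"], in the page's listing order."""
    return [TCP_FLAG_NAMES[c] for c in FLAG_ORDER if c in flags]

def is_connection_attempt(e):
    """SYN set and ACK clear: the opening packet of a new connection, not a reply."""
    return e["proto"] == "TCP" and "S" in e["flags"] and "A" not in e["flags"]

def count_by_type(entries):
    return Counter(e["type"] for e in entries)

def hits_per_day(entries, kinds=("FWIN",)):
    """Blocked inbound entries per calendar day, the figure the page tracks by hand."""
    return Counter(e["day"] for e in entries if e["type"] in kinds)

def _to_date(s):
    y, m, d = (int(x) for x in s.split("/"))
    return date(y, m, d)

def average_per_day(entries, start, end, kinds=("FWIN",)):
    """Average over an inclusive "YYYY/MM/DD" range; days with no entries count as zero."""
    lo, hi = _to_date(start), _to_date(end)
    n = sum(1 for e in entries if e["type"] in kinds and lo <= _to_date(e["day"]) <= hi)
    return n / ((hi - lo).days + 1)

def syn_scanners(entries, min_ports=3):
    """Sources whose unsolicited SYNs reached at least min_ports distinct local ports."""
    ports = defaultdict(set)
    for e in entries:
        if e["type"] == "FWIN" and is_connection_attempt(e):
            ports[e["src_ip"]].add(e["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(dict(count_by_type(log)), sorted(hits_per_day(log).items()))
    print("avg/day 2001/08/01-03:", average_per_day(log, "2001/08/01", "2001/08/03"))
    print("probable port scans:", syn_scanners(log))
```

Run it against a real ZALog.txt with `parse_log(open(path).read())`. Note that average_per_day divides by calendar days, so a quiet day counts as zero rather than being skipped, which is what you want when comparing one period with another; and syn_scanners deliberately ignores entries with A set, since a SYN/ACK arriving at a closed port is usually backscatter from someone else's spoofed scan, not an attempt on your machine.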