Firewall Intrusion Attempts?

hi,i set my firewall(CIS) +Defence++ in Safe mode;now i’ve too many Intrusion Attempts,namely Windows Operating System;i put it as Trusted Aplication,but nothing happend.please help me!i mention that i’ve no problemm with internet or pc.i thank you in advantage

I split your topic. Can you show us your firewall logs?

hi MR.EricJH.i thank you for your care,but i’m newly in pc and i don’t know what should i do to show you the “logs”.maybe try telling me how to configure my CIS.if you like and have time to spend with me i’m telling my Y!id:baptistul. my CIS is in Safe mode,firewall & Defence+.have a nice day

The Firewall logs can be found under Firewall (at the top) → Common Tasks (on the left) → View Firewall Events.

To take a screenshot push alt+print screen. Now the active windows gets copied to the clipboard. Now open Paint or any other program capable of handling images. Paste the screenshot on the canvas of the program. Then save as .jpg or .png image,

Now in the topic choose reply and write what you want to write. Under the text box you will see Additional options. Click on it and push the Choose button. Now navigate to the file and upload it.

if you go to global rules you’ll find a rule block ip in from ip any to ip any where protocol is any double click on it and uncheck logging , you probably have stealth your pc from the port stealth wizard. hope that helps.

i think i did that well,mr.EricJH. i saw my firewall don’t alert me about Intrusion Atempts,since i put Windows Operating System as Trusted Aplication.is it that good what i did? again,thanks a lot for your time spendig with me.i thank you to “2good” too.have a nice day.

[attachment deleted by admin]

I would not make Windows Operating System blindly trusted. On what type of connection are you? Dial up, cable or DSL? Is there a router in your network?

Can you show me a screenshot of your logs with the timestamps visible?

From what I see you most likely on a direct connection to the web without a router. That would be typically a cable internet connection or may be dial up? We may just be seeing the firewall doing its work. But I can only tell if I see your firewall log as described.

hi mr.EricJH;you’re right,Ive cable connection,no ideea if the internet provider has.i’d posted this.please take a look.now i set my CIS to Proactive.

[attachment deleted by admin]

Can you please maximize the log screen and post a screenshot of that? This way I can see at what time the entries were made. Thanks in advance.

okay,i’ll do that.thanks again.

[attachment deleted by admin]

Most of the traffic I see is NETBIOS traffic (UDP ports 137-138) from other users of your ISP. Not sure how to advice here. I will ask the other mods to take a look.

hi mr. EricJH. now, are you telling me someone is trying to connect my pc? i set my firewall Stealth with everyone and imediatly i saw the number of Intrusions Atempts increasing faster.i have no printer,i’d connected once a nokia phone via cable.lots of thanks.

Hello All,

This happens because all those pc’s are on the same LAN you are probably using a Cable internet connection.
Your connected to a switch somewhere down the road, and all other pc’s connected to that switch and in the same “network/subnet” are seen as “local” to your pc.

It is safe to create an extra global block rule to drop this “noise” that windows creates, it’s basically trying to create a list of your “network neighborhood” so you can see pc’s in there.

Go to Firewall, Advanced, chose the Global Rules tab and create a block rule, but don’t log this.

Block, UDP, source any, source port any, destination any, destination port range 137 - 138.

Make sure this rule is above the block IP any any that should cool down your logging a bit.

The other entries in your logfile show that you have a direct connection to the internet, there is nothing firewalled at the ISP level here, those ports scans and probes are also seen on other internet facing systems, so you can create an extra block rule for it and not set logging on it, or you can leave it like it is…

hi mr. Ronny,i did what you told me;don’t work,maybe it is a bug of this version.take a look,please.anyway thanks a lot.

[attachment deleted by admin]

Hello baptistul,

The rule looks good, you could change the In/Out to In and then make sure the rule on Global rules is the first rule that’s in there, this way we know that it’s the first rule that will match.

sir,i’d performed what you told me,didn’t work.i’ll post from Defense+Event,maybe it will help you,and you 'll help me.thanks in advantage.

[attachment deleted by admin]

Hi baptistul,

This is something else, what i suggested was to remove the firewall logging blocked traffic to UDP ports 137 & 138. Does that traffic still appear in the firewall logging ?

Like you posted here

Let’s take this one step at a time…

thanks for your care about me;nothing work,the web it’s fine,i feel nothing about thats Intrusion Attempts,they do not affect my internet speed;if you don’t like to speak viaY!Mess,i will conntact Chat support,but i thank you for your time spendig with me.i know just a little english.have a nice day

Hi Baptistul,

No problem, I only know Dutch, German and English…
Chat support should be able to help you further.

Regards,
Ronny

Ronny means the new rule should be at the top. The firewall reads the Global Rules top down.

Any allow rule should be somewhere above the basic block rule(s) (which have red icon(s)). The basic block rules are at the bottom.