help with analyzing blocked intrusion attempts

Hello, maybe somebody has already solved the same problem once or knows the source:
I am running Comodo firewall and defence on 2 identical PC systems with Win XP SP3 - Speed Touch ADSL modem and Zyxel Prestige router

Although the config of my OS should be the same (cloned hard disk), for some months only 1 system has shown a blocked intrusion attempt every 30 seconds, with the following information in the log:

Application | Action | Protocol | Source IP | Source Port | Destination IP | Destination Port
Windows Operating System | Blocked | UDP | 192.168.1.1 | 520 | 192.168.1.255 | 520

How can I investigate which application this is coming from, and how can I evaluate whether this is harmful or not? (A system scan with several tools did not show any malware.)

Thanks for all help!

This is your Zyxel router broadcasting its route table to the local LAN. Standard RIPv1 protocol is to broadcast the table to the LAN on UDP port 520 every 30 seconds, which is exactly what you’re describing.

The solution is to log in to your router, and turn off RIP broadcasts. There are two versions, RIPv1 and RIPv2. You don’t need either one enabled. Router table broadcasts make sense only if there are multiple routers on the LAN, and you want things to mostly self configure.
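
To confirm that a blocked UDP 520 broadcast like the one in the log really is a RIP advertisement from the router, the datagram's payload can be decoded. The following is an added example, not part of the thread: it assumes the UDP payload was captured with a packet sniffer, and the sample datagram with its advertised route 192.168.2.0 is constructed.

```python
import ipaddress
import struct

RIP_PORT = 520
COMMANDS = {1: "request", 2: "response"}

def parse_rip(payload: bytes) -> dict:
    """Decode a RIP datagram (UDP payload) laid out as in RFC 1058 / RFC 2453."""
    # 4-byte header followed by 1..25 route entries of 20 bytes each
    n, rem = divmod(len(payload) - 4, 20)
    if len(payload) < 24 or rem or n > 25:
        raise ValueError("length does not match RIP header + 20-byte entries")
    command, version, _ = struct.unpack("!BBH", payload[:4])
    if command not in COMMANDS or version not in (1, 2):
        raise ValueError("not a RIPv1/RIPv2 request or response")
    routes = []
    for off in range(4, len(payload), 20):
        # family, tag, address, mask, next hop, metric (tag/mask/next hop are zero in v1)
        _afi, _tag, addr, _mask, _hop, metric = struct.unpack(
            "!HHIIII", payload[off:off + 20])
        routes.append((str(ipaddress.IPv4Address(addr)), metric))
    return {"command": COMMANDS[command], "version": version, "routes": routes}

def is_router_rip_broadcast(src_ip, src_port, dst_port, payload,
                            gateway="192.168.1.1"):
    """True if the datagram is a RIP response sent by the known gateway on port 520."""
    if src_ip != gateway or src_port != RIP_PORT or dst_port != RIP_PORT:
        return False
    try:
        return parse_rip(payload)["command"] == "response"
    except ValueError:
        return False

# Constructed sample: RIPv1 response advertising 192.168.2.0 with metric 1
SAMPLE = struct.pack("!BBH", 2, 1, 0) + struct.pack(
    "!HHIIII", 2, 0, int(ipaddress.IPv4Address("192.168.2.0")), 0, 0, 1)

if __name__ == "__main__":
    print(parse_rip(SAMPLE))
    print(is_router_rip_broadcast("192.168.1.1", 520, 520, SAMPLE))
```

A datagram on port 520 that fails this check (wrong source address, or a payload that does not parse as RIP) is the case worth investigating further.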

Thank you for the solution - after turning off the router’s LAN RIP the alerts have stopped!
But what I still don’t understand: there are 2 identical systems connected to the same router and only 1 showed the blocked traffic and the other system did not - is there any logical explanation for that?
Thanks again, it would just improve my PC knowledge …

Then the two systems aren’t quite identical. They differ either in their logging, or in their firewall rules. You could run the Config Report Script (one forum level up) to get all the details, and do a side-by-side comparison to find out what the actual difference is.