Security Logs/Network Rules Qs [Resolved]

Hello,

I’ve used CFP for a couple of weeks now, but I’ve recently noticed that the security log is always filled with (!)Medium alerts, and I was wondering why that is, and what is the connection in question supposed to do?

The first 9 messages in the log are as follows:

Message No. 1:

Date/Time :2007-09-16 17:44:02 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST) Protocol:ICMP Incoming Source: 192.168.0.254 Destination: 192.168.0.100 Message: ECHO REQUEST Reason: Network Control Rule ID = 5

Message No. 2:

Date/Time :2007-09-16 17:44:02 Severity :Medium Reporter :Network Monitor Description: Inbound Policy Violation (Access Denied, Protocol = IGMP) Protocol:IGMP Incoming Source: 192.168.0.254 Destination: 224.0.0.1 Reason: Network Control Rule ID = 5

Message No. 3:

Date/Time :2007-09-16 17:44:02 Severity :Medium Reporter :Network Monitor Description: Outbound Policy Violation (Access Denied, Protocol = IGMP) Protocol:IGMP Outgoing Source: 192.168.0.100 Destination: 224.0.0.22 Reason: Network Control Rule ID = 5

Message No. 4:

Date/Time :2007-09-16 17:44:17 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE) Protocol:ICMP Incoming Source: 192.168.0.254 Destination: 192.168.0.100 Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5

Message No. 5:

Date/Time :2007-09-16 17:44:17 Severity :Medium Reporter :Network Monitor Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE) Protocol:ICMP Outgoing Source: 192.168.0.100 Destination: 207.46.26.254 Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5

Message No. 6:

Date/Time :2007-09-16 17:44:17 Severity :Medium Reporter :Network Monitor Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE) Protocol:ICMP Outgoing Source: 192.168.0.100 Destination: 207.46.26.254 Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5

Message No. 7:

Date/Time :2007-09-16 17:45:57 Severity :Medium Reporter :Network Monitor Description: Inbound Policy Violation (Access Denied, Protocol = IGMP) Protocol:IGMP Incoming Source: 192.168.0.254 Destination: 224.0.0.1 Reason: Network Control Rule ID = 5

Message No. 8:

Date/Time :2007-09-16 17:46:27 Severity :Medium Reporter :Network Monitor Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE) Protocol:ICMP Outgoing Source: 192.168.0.100 Destination: 192.168.0.254 Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5

Message No. 9:

Date/Time :2007-09-16 17:48:02 Severity :Medium Reporter :Network Monitor Description: Inbound Policy Violation (Access Denied, Protocol = IGMP) Protocol:IGMP Incoming Source: 192.168.0.254 Destination: 224.0.0.1 Reason: Network Control Rule ID = 5

After message 9, all other messages become duplicates of it. Any solution to this?
The sources in above messages are always inside my own IP range.

My other question is about the MMORPG World of Warcraft, how do I set rules in CFP to allow it and its downloader? I was unable to find a solution to this using the search function here.

For games, I’ve found one solution (granted, I’ve only tried this three times, with NWN, WC3 and DoW): on a game launch or attempt at multiplayer, preferably the former, a pop-up usually springs up from Comodo (this causes the game to freeze up for a bit whenever it tries to connect to the internet, in my experience). Anyway, when you have control, just minimize the game and allow the pop-up before its limiter expires and Comodo auto-denies.

Alternatively, and probably the better route, you can go to Comodo’s application monitor (Security > Application Monitor) and manually add all the programs that run (the game and its updater).

Edit: I forgot to mention. You need the connection set for TCP/UDP in/out or the program might freeze (just remembered after reworking DoW). Pop-ups usually only set one direction.

Alright, thanks for the tip on WoW. I’ve set the WoW launcher, game client and downloader to allow TCP/UDP in/out. Some other applications also had only an “out” tag even though allowed; apparently the pop-up sets only one direction in about 90% of the cases.

Anyone with some sort of explanation on my 1st question next then?

Edit: Btw, the messages keep piling up constantly, all copies of message no. 9. I even got one posting this message. It’s really bugging me.

Most of those log entries are related to your intranet traffic, most likely between your computer and router. Entries #5 and #6 are outbound ICMP attempts (failed) to Microsoft servers.

ICMP is commonly used by a router to establish that your computer is still there and active. IGMP is also frequently used for network broadcast traffic; basically a “shout out” to all computers on the network to see if any respond. If your internet connection is functioning as needed without problem (with those blocked), IMO there is no reason to un-block them.

If the log entries are bugging you, you can create some Network Monitor rules to block without logging. To do this, go to the very bottom “Block & Log All” rule, right-click and select “Add/Add Before.” You will do that three times in all; build the rules like this:

Action: Block (don’t check the box to create an alert - that way it won’t log the activity)
Protocol: ICMP
Direction: In
Source IP: Any
Destination IP: Any
ICMP Details: Echo Request

Action: Block
Protocol: IP
Direction: In/Out
Source IP: Any
Destination IP: Any
IP Details: IGMP

Action: Block
Protocol: ICMP
Direction: In/Out
Source IP: Any
Destination IP: Any
ICMP Details: Port Unreachable

To make sure the temporary memory gets cleared and rules reset properly, simply reboot your computer; after that your logs should not be filled with those entries.

LM
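As an added illustration (not part of the thread and not CFP's own code): a small Python script that parses entries in the layout quoted above, applies the three silent-block rules from this reply as predicates, and separates the entries they would suppress from the ones that still deserve a look. The regex is fitted to the quoted lines and is an assumption about the log format; the sample input is messages 1, 2, 3, 5 and 8 from the post plus one constructed TCP entry.

```python
import ipaddress
import re

# Field layout of a CFP Network Monitor entry as quoted in the thread (assumed; one entry per line).
LOG_RE = re.compile(
    r"Date/Time :(?P<ts>\S+ \S+) Severity :(?P<sev>\w+) Reporter :Network Monitor "
    r"Description: ?(?P<dir>Inbound|Outbound) Policy Violation \((?P<detail>[^)]*)\) "
    r"Protocol:(?P<proto>\w+) (?:Incoming|Outgoing) Source: (?P<src>\S+) Destination: (?P<dst>\S+)"
    r"(?: Message: (?P<msg>.*?))? Reason: Network Control Rule ID = (?P<rule>\d+)"
)

def parse(line):
    """Return the entry's fields as a dict (msg is None for non-ICMP entries), or None if not a CFP entry."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

# The three silent-block rules from the reply above, expressed as (name, predicate) pairs.
SILENT_RULES = [
    ("ICMP echo request, in", lambda e: e["proto"] == "ICMP" and e["dir"] == "Inbound" and e["msg"] == "ECHO REQUEST"),
    ("IGMP, in/out", lambda e: e["proto"] == "IGMP"),
    ("ICMP port unreachable, in/out", lambda e: e["proto"] == "ICMP" and e["msg"] == "PORT UNREACHABLE"),
]

def silenced_by(e):
    """Name of the first silent-block rule covering the entry, or None if it would still reach the log."""
    return next((name for name, pred in SILENT_RULES if pred(e)), None)

def is_local_chatter(e):
    """True when both ends are private (RFC 1918) or multicast addresses: LAN/router traffic, not Internet."""
    local = lambda a: ipaddress.ip_address(a).is_private or ipaddress.ip_address(a).is_multicast
    return local(e["src"]) and local(e["dst"])

def triage(lines):
    """Split raw log lines into (silenced, remaining); 'remaining' is what the user still needs to read."""
    silenced, remaining = [], []
    for e in filter(None, map(parse, lines)):
        (silenced if silenced_by(e) else remaining).append(e)
    return silenced, remaining

# Sample input: messages 1, 2, 3, 5 and 8 from the post, plus one constructed TCP entry in the same layout.
SAMPLE = [
    "Date/Time :2007-09-16 17:44:02 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, ICMP = ECHO REQUEST) Protocol:ICMP Incoming Source: 192.168.0.254 Destination: 192.168.0.100 Message: ECHO REQUEST Reason: Network Control Rule ID = 5",
    "Date/Time :2007-09-16 17:44:02 Severity :Medium Reporter :Network Monitor Description: Inbound Policy Violation (Access Denied, Protocol = IGMP) Protocol:IGMP Incoming Source: 192.168.0.254 Destination: 224.0.0.1 Reason: Network Control Rule ID = 5",
    "Date/Time :2007-09-16 17:44:02 Severity :Medium Reporter :Network Monitor Description: Outbound Policy Violation (Access Denied, Protocol = IGMP) Protocol:IGMP Outgoing Source: 192.168.0.100 Destination: 224.0.0.22 Reason: Network Control Rule ID = 5",
    "Date/Time :2007-09-16 17:44:17 Severity :Medium Reporter :Network Monitor Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE) Protocol:ICMP Outgoing Source: 192.168.0.100 Destination: 207.46.26.254 Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5",
    "Date/Time :2007-09-16 17:46:27 Severity :Medium Reporter :Network Monitor Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE) Protocol:ICMP Outgoing Source: 192.168.0.100 Destination: 192.168.0.254 Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5",
    "Date/Time :2007-09-16 17:50:00 Severity :Medium Reporter :Network Monitor Description:Inbound Policy Violation (Access Denied, Port = 135) Protocol:TCP Incoming Source: 198.51.100.23 Destination: 192.168.0.100 Reason: Network Control Rule ID = 5",  # constructed
]
```

Running `triage(SAMPLE)` leaves only the constructed TCP entry in the "remaining" list, which is the kind of entry the user wanted to be able to spot once the ICMP/IGMP chatter is gone.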

Thanks for the advice! I’ve added those rules now, and it’s far easier to check the log for real alerts now, without having to go through all of those alerts from blocked connections.

And yes, my internet connection is working very well as it is, so I agree with you that there seemingly is no reason to un-block the connections that were generating the alerts.

Great, I’m glad that helped. That also gives you the template for creating custom rules as needed, and gets you started in that direction.

I’ll close the thread now; if you need it reopened, simply PM a Moderator (please include a link back here) and we’ll be glad to do so.

LM