Hi all, could someone shed some light on this please. I am very new to the firewall log viewer and have looked at it from the client for the first time. I am worried to see a lot of these items:
Direction = IN REFUSED
Protocol = UDP
Remote Port = Loads of different ones (Small list as an example - 59199, 56452, 50062, 57205, 62745)
Remote Address = (Lots of IP addresses from within our internal network)
Hope someone can help with this please? Thanks, John
Hello John Cassell,
What's the local (i.e. destination) port? Source ports are mostly arbitrary ports. Nowadays networks are quite noisy: all kinds of discovery attempts, UPnP, Bonjour, printers, media protocols, you name it. The traffic is very likely "normal" but OTOH not essential for normal operation.
In reply to QC:
Hi Christian, thanks for the reply. Didn't realise there were some hidden columns such as local port. I've added it now and here are a few examples:
Application - Direction - Protocol - Remote Address - Remote Port - Local Port
svchost.exe - IN REFUSED - UDP - 'An IP Address on our LAN' - 33572 - 1900
svchost.exe - IN REFUSED - UDP - 'An IP Address on our LAN' - 60574 - 1900
svchost.exe - IN REFUSED - UDP - 'An IP Address on our LAN' - 49397 - 5355
system - IN REFUSED - UDP - 'An IP Address on our LAN' - 17500 - 17500
Guess my next question would be harder to answer - "Why is Bob's PC trying to snoop on Dave's PC?" - This local port 1900 seems to be plug n' play broadcasting to all PCs. I can't imagine why this would need to happen, so perhaps the approach of 'block it and see what breaks'? (Obviously only on a very small number of PCs to begin with.)
In reply to John Cassell:
As to why: ("modern") devices are looking for available services on the network, printers, media servers, and so on. This is normally not directed traffic (e.g. Bob's PC snooping on Dave's PC); the source sends packets to a broadcast address and devices on the LAN reply (or don't). You can look up the port at IANA - if the Description doesn't already tell you what it is (17500 - Dropbox LanSync Discovery) it shouldn't be too hard to find detailed information (e.g. look up the Description on Wikipedia).
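The triage approach in this thread (treat the local port as the destination service, the remote port as an arbitrary source port, and look up unfamiliar local ports at IANA) can be scripted over the log viewer's rows. This is an added example, not Sophos code or anything from the thread; the row format, the constructed sample rows with private LAN addresses, and the port table are assumptions based on what is shown above.

```python
import re
from collections import Counter

# IANA service names for the local (destination) ports that appear in the thread.
KNOWN_LOCAL_PORTS = {
    1900: "SSDP / UPnP discovery",
    5355: "LLMNR name resolution",
    17500: "Dropbox LanSync Discovery",
}
# Source-port range treated as "arbitrary": IANA's dynamic range starts at
# 49152, but some stacks pick from 32768 upwards, so that is the lower bound.
EPHEMERAL = range(32768, 65536)

# Row layout once the hidden "Local Port" column is shown. The last two numbers
# are Remote Port then Local Port; the dash between them is optional, since the
# thread's rows sometimes omit it.
ROW_RE = re.compile(
    r"^(?P<app>\S+)\s+-\s+(?P<direction>IN|OUT)\s+(?P<action>\w+)\s+-\s+"
    r"(?P<proto>\w+)\s+-\s+(?P<remote>[^-]+?)\s+-\s+(?P<rport>\d+)\s*-?\s*(?P<lport>\d+)$"
)

def parse_row(line):
    """Split one log-viewer row into its columns; ports become ints."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    row = m.groupdict()
    row["rport"], row["lport"] = int(row["rport"]), int(row["lport"])
    return row

def classify(row):
    """Explain a refused inbound UDP packet in terms of its local (destination) port."""
    lport, rport = row["lport"], row["rport"]
    service = KNOWN_LOCAL_PORTS.get(lport)
    if service and rport == lport:
        return f"LAN discovery: {service} (fixed source port, typical for this protocol)"
    if service and rport in EPHEMERAL:
        return f"LAN discovery: {service} (arbitrary source port, broadcast probe)"
    if service:
        return f"LAN discovery: {service}"
    return f"Unknown service on local port {lport}: look it up at IANA before blocking"

def triage(lines):
    """Classify every row and count rows per local port, so a noisy log
    collapses into a short list of services to recognise or investigate."""
    verdicts, by_port = [], Counter()
    for line in lines:
        row = parse_row(line)
        verdicts.append((row, classify(row)))
        by_port[row["lport"]] += 1
    return verdicts, by_port

# Constructed sample rows (addresses are made-up RFC 1918 values, not real hosts).
LOG_ROWS = [
    "svchost.exe - IN REFUSED - UDP - 192.168.10.41 - 33572 - 1900",
    "svchost.exe - IN REFUSED - UDP - 192.168.10.52 - 60574 1900",
    "svchost.exe - IN REFUSED - UDP - 192.168.10.17 - 49397 5355",
    "system - IN REFUSED - UDP - 192.168.10.88 - 17500 17500",
    "svchost.exe - IN REFUSED - UDP - 192.168.10.90 - 52001 - 3702",
]

if __name__ == "__main__":
    for row, verdict in triage(LOG_ROWS)[0]:
        print(f"{row['remote']:>15} -> local {row['lport']:<6} {verdict}")
```

Grouping by local port is what turns "loads of different remote ports" into three or four services; the last sample row lands in the "look it up at IANA" bucket because 3702 is not in the table.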