Good day Community,
Had several attacks from this IP address...wondering if anyone else getting hits.
http://www.ip-adress.com/whois/122.227.164.96
Regards
bjm_
Hello, bjm_,
Where are you Located?
And what is the Intrusion Prevention Attack Signature that is Blocking it? Are you on any particular Web Site when this happens?
And what Norton Product and Version are you using?
Thanks!
Good day Floating_Red
Located in USA
Signature blocking attack is in NIS09
Attack occurred once July 31 and once today Aug 1.
Yesterday, I was posting to this Forum when I was notified Attack blocked.
Today, if I recall correctly I was also posting to a Forum.
That's curious.....
Been quiet since the one attack today. Maybe it's some automated attack engine that tries once and moves on.
Regards
bjm_
Source address: 122.227.164.96
Traffic description: TCP, Port 12200
No Action Required
Medium Severity
Floating_Red
follow up to my Attacking Computer query. I had an attack attempt from the same IP at the same time for 5 days. 7/30-8/3. Medium Severity. I am wondering why the computer address never populated into Computers currently blocked by AutoAttack address window.
Thanks for your time and interest in my issue
bjm_
Hi, bjm_,
Sorry for not getting back to you sooner.
Can you Click on More Details in the Security History so that we know what Intrusion Detection Signature Norton is Blocking?
Your computer is Secure because Norton Internet Security 2009 is Blocking these Attempted Intrusions.
Your AutoBlock is Set to Block the computer via the Smart Firewall from Accessing - or Attempting to access - your computer, which is why you keep getting these Intrusion Prevention Blocks.
Do these Intrusion Attempts happen when you visit a Web Site, or what?
Thank-you for taking the time to Reply.
Hi Floating Red
as per your request More Details ...sorry I don't see a Signature?
Since you are asking for associated Signature. There must be way to determine associated Signature.
Where else to look. History More Details links to same info. Firewall Activity No Entry
Still wondering why attack IP address did not populate into Intrusion Auto Attack window "Computers Currently Blocked by Auto Block - Addresses" (see above post)
Reverse IP lookup
Regards
bjm_
Hi,
Are you familiar with Blocking Ports using Norton Products?
Good day Floating_Red
In one word NO
I searched through Help...and all I came up with was that my Stealth Blocked Ports is ON.
Unable to locate why attacking IP did not populate into AutoBlock list....which appears to offer options for an address on the list
Regards
bjm_
Hi,
Good day/night to you too!
Okay; I'll guide you through the process to Block the Port Number this Threat is using. Please follow these instructions exactly. If you have any questions, please ask them before you attempt this.
01. Locate "Advanced Settings" via the Smart Firewall.
02. On the "General Rules", click "Configure".
03. Click "Add".
04. Click on "Block".
05. "Connections from other computers".
06. Click on "Only computers and sites listed below". Type in:
a) 122.227.164.96
07. a) "The protocol you want to block" is T.C.P..
b) Under the "What types of communication, or ports, do you want to block?", select: "Only communications that match all types and ports listed below"; then click on "Add".
08. a) "Filter by: Individually specified ports". Enter: 12200.
b) Under "Locality", select "Local".
09. Please check the "Create an event log entry".
10. Please Name the Firewall Rule "Firewall Rule U.D.P. Port 12200".
11. Click on "Finish".
12. You have Successfully Created a Firewall Rule!
Please let us know if you still get the Intrusion Prevention Detected once you have Created the above Firewall Rule.
Hi
I hear and I obey. This will be my first time creating a Firewall Rule. So, be gentle with me.
I understand instructions and need to follow exactly and will follow up as requested.
Still, wish I understood why attacking IP did not populate into AutoBlock list... then I could have opted for "restrict" and permanently block all traffic between it and my computer. Which sounds like a Rule.
Thanks for your interest and help
Just noticed there are 12 instructions. Just like a 12 step program.
Respectfully submitted
bjm_
L.o.l.! I will be gentle.
This is the Manual way of doing what would have been done had you got to the AutoBlock in time.
If you have any problems or questions, just let me know and I'll be happy to answer them.
And you're most welcome! :)
bjm_ wrote:Just noticed there are 12 instructions. Just like a 12 step program.
L.o.l.!
bjm_ wrote:Good day Floating_Red
In one word NO
I searched through Help...and all I came up with was that my Stealth Blocked Ports is ON.
Unable to locate why attacking IP did not populate into AutoBlock list....which appears to offer options for an address on the list
Regards
bjm_
It did not populate the AutoBlock list because there was not an attack. You had one portscan probe on one port which is not enough of an attack to trigger the AutoBlock. The rule that Floating_Red had you make will only block the IP address listed. You are protected by NIS2009 automatically (as indicated in the history logs) so you should not have anything to worry about. You can not stop the outside source from scanning your system; the rule will stop the logging if that is what was bothering you. All portscan probes were blocked. You are secure.
Hi dbrisendine,
So, a portscan probe on one port does not qualify as an "attack". What had me associating the activity with an "attack" were the details which listed the IP as Attacking Computer and the verbiage - Network traffic from IP matches the signature of a known attack.
So, outside sources scanning my system is portscan activity fully protected by NIS09. This activity which occurred at the same time for 6 days was different from any previous logged activity. Previous Intrusion Prevention History has been all Info except for one event with Severity High that I was readily able to associate with a specific known site I had visited. This activity because it occurred at the same time for 6 days and I was unable to associate it with a specific familiar site and the reverse IP lookup was China seemed like something I should try to investigate.
I was never bothered by the logging. I'm grateful NIS provides the logging. I just needed to better understand the details.
Thanks to Floating_Red and dbrisendine....
___________________________________________________
* So, even if I had gotten to Auto Block in time as Floating_Red suggested......
The portscan IP did not populate into Auto Block because a portscan is not an "attack" and therefore does not trigger Auto Block * Correct or Not?
Regards
bjm_
The “attack” matched the Portscan signature thus was reported as such. You only had one port scanned and the process was blocked from entering your system. A true portscan attack would involve a range of ports (say 100) and that amount of traffic would have triggered AutoBlock. Basically, there was not enough of an attack to trigger the AutoBlock feature. A single port being scanned once will just be blocked by the regular IPS feature and would not have moved to the next level of defense.
Hi dbrisendine,
Boggles the mind to think there are threats capable of meeting the threshold to trigger AutoBlock.
My assumptions about AutoBlock and that the attacking IP would populate into AutoBlock are based on the Help text...
When an attack is detected, the connection is automatically blocked to ensure that your computer is safe. If a computer continues to attack your computer, Intrusion Prevention can activate AutoBlock. AutoBlock blocks all incoming traffic from the attacking computer for a limited time, even if the incoming traffic is not a recognized attack method. You can view a list of the computers that AutoBlock has blocked.
and your explanation expanded on the Help text.
Thanks
bjm_
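The threshold behaviour described in dbrisendine's replies and in the quoted Help text, as an added example that is not part of the thread and is not Norton's code. The 100-port threshold comes from the "say 100" in the reply; the 60-second window, the 30-minute block and all class and function names are assumptions, and the events are constructed.

```python
from collections import defaultdict, deque

PORT_THRESHOLD = 100      # assumed: the "say 100" ports from the thread
WINDOW_SECONDS = 60       # assumed sliding window
BLOCK_SECONDS = 30 * 60   # assumed length of the "limited time" block


class AutoBlockModel:
    """Toy model: every probe is dropped individually; a source is listed
    only after it touches PORT_THRESHOLD distinct ports inside the window."""

    def __init__(self):
        self.recent = defaultdict(deque)   # src -> deque of (ts, port)
        self.blocked_until = {}            # src -> expiry timestamp

    def is_blocked(self, src, ts):
        return self.blocked_until.get(src, 0) > ts

    def observe(self, ts, src, port):
        """Record one dropped probe; return True if src is auto-blocked."""
        if self.is_blocked(src, ts):
            return True
        q = self.recent[src]
        q.append((ts, port))
        while q and q[0][0] <= ts - WINDOW_SECONDS:
            q.popleft()                    # forget probes outside the window
        if len({p for _, p in q}) >= PORT_THRESHOLD:
            self.blocked_until[src] = ts + BLOCK_SECONDS
            q.clear()
        return self.is_blocked(src, ts)


def run(events):
    """Return the set of sources that ever reached the auto-block list."""
    model = AutoBlockModel()
    listed = set()
    for ts, src, port in sorted(events):
        if model.observe(ts, src, port):
            listed.add(src)
    return listed


DAY = 86400
# Constructed events. Pattern from the thread: one probe of TCP 12200
# per day for five days from the reported address.
single_probe = [(d * DAY, "122.227.164.96", 12200) for d in range(5)]
# Constructed sweep of 100 ports in under a minute (documentation address).
sweep = [(2 * DAY + i * 0.5, "192.0.2.10", 1000 + i) for i in range(100)]
```

`run(single_probe + sweep)` lists only the sweeping source: the daily single-port probe is dropped each time but never accumulates enough distinct ports inside one window to be listed.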