2 Replies Latest reply on Sep 23, 2014 3:59 PM by securitasis

    Link Local Multicast Name Resolution v. HIPS Firewall et al

    greatscott

Anyone seen an issue with the HIPS Firewall, and processing of LLMNR traffic? The traffic is tripping over our CAG, which has IP based criteria. A system hits the LLMNR and for some reason starts using a 224.x.x.x local address, which is not defined in our CAG. The top bit of traffic is a block shown when the traffic hits our top CAG, where connection isolation is checked. The second piece of traffic below is an allow, when we uncheck connection isolation in our top CAG. The traffic is processed by our lower CAG, which has DNS based criteria:

          Mode = traffic
          Process id = 1632
          Event type = FW_LOG_EVENT_TYPE_TRAFFIC
          Direction = FW_DIRECTION_INBOUND
          Action = FW_ACTION_BLOCK_PACKET
          Source port = 53865
          Dest port = 5355
          Ip protocol = 17
          Ethernet type = 0x800
          Process path = C:\WINDOWS\SYSTEM32\SVCHOST.EXE
          Local ip addr = 224.0.0.252
          Remote ip addr = XXX.XXX.240.166
          Source MAC = 00-00-00-00-00-00-00-00
          Dest MAC = 00-XX-e8-XX-36-XX-00-XX

          Mode = traffic
          Process id = 1632
          Event type = FW_LOG_EVENT_TYPE_TRAFFIC
          Direction = FW_DIRECTION_INBOUND
          Action = FW_ACTION_ALLOW
          Source port = 60692
          Dest port = 5355
          Ip protocol = 17
          Ethernet type = 0x800
          Process path = C:\WINDOWS\SYSTEM32\SVCHOST.EXE
          Local ip addr = 224.0.0.252
          Remote ip addr = XXX.XXX.240.150
          Source MAC = 00-00-00-00-00-00-00-00
          Dest MAC = 00-XX-e8-XX-36-XX-00-XX

      Message was edited by: greatscott on 3/5/14 12:21:16 PM CST
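The records above show why an IP-based CAG misses this traffic: LLMNR queries are UDP to port 5355 on the multicast group 224.0.0.252 (ff02::1:3 for IPv6), so the "Local ip addr" is the group address rather than the host's own address. The following is an added example, not code from the original post or from McAfee, that parses HIPS firewall records in the "Key = value" layout shown above and pulls out the LLMNR entries with their action, so the blocked ones can be reviewed before adjusting the CAG. The sample records are constructed from the post, trimmed to the fields the check uses, with the masked octets replaced by TEST-NET placeholder addresses.

```python
import ipaddress

LLMNR_PORT = 5355
UDP_PROTOCOL = 17
# LLMNR multicast groups (RFC 4795): IPv4 224.0.0.252, IPv6 ff02::1:3
LLMNR_GROUPS = {ipaddress.ip_address("224.0.0.252"),
                ipaddress.ip_address("ff02::1:3")}

# Constructed sample built from the two records in the post; the remote
# addresses are placeholders (TEST-NET-1), not the poster's real hosts.
SAMPLE_LOG = """
Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_BLOCK_PACKET
Dest port = 5355
Ip protocol = 17
Local ip addr = 224.0.0.252
Remote ip addr = 192.0.2.166

Direction = FW_DIRECTION_INBOUND
Action = FW_ACTION_ALLOW
Dest port = 5355
Ip protocol = 17
Local ip addr = 224.0.0.252
Remote ip addr = 192.0.2.150
"""

def parse_records(text):
    """Split blank-line-separated 'Key = value' blocks into dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records

def is_llmnr(rec):
    """True when the record is UDP to port 5355 on an LLMNR multicast group."""
    try:
        local = ipaddress.ip_address(rec.get("Local ip addr", ""))
    except ValueError:
        return False  # malformed or missing address: not classified as LLMNR
    return (rec.get("Ip protocol") == str(UDP_PROTOCOL)
            and rec.get("Dest port") == str(LLMNR_PORT)
            and local in LLMNR_GROUPS)

def llmnr_summary(text):
    """Return (action, remote ip) for each LLMNR record in the log text."""
    return [(r.get("Action"), r.get("Remote ip addr"))
            for r in parse_records(text) if is_llmnr(r)]
```

Running `llmnr_summary(SAMPLE_LOG)` on the sample yields one BLOCK_PACKET and one ALLOW entry, matching the two records in the post; a record whose Local ip addr is a unicast host address is not reported.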