Avatar of JoeM21
JoeM21
Flag for United States of America asked on

Multiple audit failure events 5152 and 5157 recently flooding event log.

My SBS 2008 server security event log is showing about 10 audit failure pairs per second - events 5152 and 5157. One pair of the log entries is shown at the bottom of this post. I don't see any external symptoms, but I expect that there is an undue load on the server and a possible security gap. I don't think it is a firewall problem because I don't think there should be traffic between the server and this external IP address. This is a somewhat recent phenomenon. What is happening and how do I get rid of it without turning off auditing?

Comcast is providing both ISP and VOIP services through separate channels. The Internet access comes through a router and a Dell PC2824 switch to the server and the rest of the network. The Comcast VOIP is fairly new and comes through their box and the same PC2824 switch. The PC2824 is configured to keep the data on the default VLAN 1 and the voice on VLAN 20. The VOIP phones and user computer share Ethernet cables to the switch. The VOIP phones are configured to keep to VLAN 20 while letting VLAN 1 and untagged packets pass through. The user computers and SBS2008 server do not know about the VLAN usage. The port for the SBS server is forbidden for VLAN 20 packets.

The log entries show svchost.exe as process ID 532 which relates to the following services: Windows Audio, DHCP client, Windows Event Log, and TCP/IP NETBIOS Helper.

50.143.170.64 is unknown and owned by Comcast. It is not the public IP for the network. It may be related to the VOIP service. 192.168.11.2 is the local IP address for the SBS2008 server. 192.168.11.1 is the gateway. I don't understand how a packet could have the server as a source and still be inbound.

Thanks,

Joe

================ Event Log pairs ================

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/11/2016 9:29:12 AM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            532
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            192.168.11.2
      Source Port:            0
      Destination Address:      50.143.170.64
      Destination Port:            0
      Protocol:            47

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

--------------------- and -------------------------

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/11/2016 9:29:12 AM
Event ID:      5157
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SBS2008.domain.local
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
      Process ID:            532
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            192.168.11.2
      Source Port:            0
      Destination Address:      50.143.170.64
      Destination Port:            0
      Protocol:            0

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

and

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/11/2016 9:29:12 AM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            532
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            192.168.11.2
      Source Port:            0
      Destination Address:      50.143.170.64
      Destination Port:            0
      Protocol:            47

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

===========================================================
SBSWindows Server 2008NetworkingVoice Over IPDell

Avatar of undefined
Last Comment
JoeM21

8/22/2022 - Mon
Lofty Worm

So your server is NOT "192.168.11.2"

It appears someone has placed a rouge device on your network.
JoeM21

ASKER
loftyworm,

My server is at 192.168.11.2 as I stated. I don't understand your comment or why you would think it was not.

I presume the rogue device comment stems from you thinking that the server was not at 192.168.11.2.
Lofty Worm

My apologies, I did not see the last paragraph;

I agree, this is a bit confusing.  Is there server firewall On?  This may indicate that it is blocking outbound traffic.  There is a specific Firewall log as well.  You can find it here if it is on;
<sys32>\LogFiles\Firewall\pfirewall.log

This link may be helpful

http://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/
Your help has saved me hundreds of hours of internet surfing.
fblack61
JoeM21

ASKER
I have made progress, but I am still chasing things down. My first concern is what the dropped/rejected packets are and why they are coming in rather than adjusting the firewall to accommodate them.

The entries in the event log appear to be poorly worded. According to pfirewall.log all of the dropped packets are RECEIVE with the destination IP being 192.168.11.2. The term "Inbound" in the event log entries agrees, but the event log entry seems to use "source address" when it means "local address" and "destination address" when it means "remote address". If I make that translation the event log agrees with pfirewall.log.

The timing also seems to coincide with VPN connections to the LAN. Protocol 47 is GRE which relates to packet encapsulation for a VPN, but I can't understand why the packets would be dropped with no noticeable effect on the VPN.
Lofty Worm

Can you post some of the pfirewall log?  Any other logs you are looking at.

Is the firewall on the server blocking outbound traffic at all?  or is it permit all?
JoeM21

ASKER
I have not seen any outbound packets blocked in the log. The Windows firewall on the server is set to pass packets that do not match a rule and there are no outbound rules defined.

The only relevant log I have checked is the pfirewall.log (see snippet at end of this post). All dropped packets are RECEIVE. The VPN is from a laptop to the server. The source IP in the log snippet lines is the public IP of my laptop at one end of the VPN -- Laptop <-> VPN (private IP) <-> router <-> Internet (public IP 50.143.170.64) <-> router at server <-> VPN (private IP 192.168.11.2) <-> Server.

------------------------------ pfirewall.log snippet -----------------------------

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 269 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE

------------------------------------------------------------------------------------------------------------------------
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Lofty Worm

I am not sure, you have exhausted my brain.  I suggest requesting attention, a link at the top

Sorry I could not be more helpful :(
Davis McCarn

It appears to be a bug in the Filtering System.
Here is a Microsoft Hotfix for it: https://support.microsoft.com/en-us/kb/2654852
Here is an alternate method: http://nmsiam.blogspot.com/2013/02/resolve-issue-with-multiple-event-id.html
As a technical note, while I did not research that part of the issue, the loopback ip should always be 127.0.0.1 so traffic from 192.168.11.2 is foreign (inbound).
JoeM21

ASKER
I don't think that the hotfix applies. The KB 2654852 (12/23/2011) hotfix is for Windows Server 2008 R2. SBS 2008 is based on Windows Server 2008 SP2, not the later R2. The hotfix shows the file versions of 6.1.760x.xxxxx. The existing version of tcpip.sys is 6.0.6002.19080 (KB 2957189, 6/10/2014).

I don't understand your comment about the loopback IP. This is probably my lack of knowledge. Do you think the dropped packets really originate from 192.168.11.2? I know the event log entries say that is the source, but the pfirewall log entries show it as the destination IP.
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes
Davis McCarn

The article I linked to says to disable the auditing using an elevated CMD window:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

TCP/IP traffic which is internal to a PC (antivirus email scanning, for example) uses the 127.0.0.1 address to route that traffic to internal handlers so any valid traffic would be using that ip address, not the external 192.168.11.2.
JoeM21

ASKER
Thanks for your help. I may just be obtuse, but there are three things that I still do not understand:

1) Why do you talk about IP 120.0.0.1? Is there any loopback traffic involved here?

2) Why do you talk about traffic FROM IP 192.168.11.2? Is it based on the event log entry? The verbiage in the event log entries makes no sense to me. The computer at 192.168.11.2 says there is inbound traffic sourced from 192.168.11.2 (itself) and destined to a foreign address 50.143.170.64. How can this be inbound? Wouldn't "inbound" imply that the entry has the two addresses transposed?The firewall log just shows "RECEIVE" traffic to 192.168.11.2. As far as I can tell the two logs are contradictory, the event log makes no sense to me, and neither is talking about traffic internal to a PC. Does the event log entry make sense to you? Is the firewall log wrong? What am I missing?

3) I understand what the auditpol commands do, but I do not understand why it is a safe solution. It  sounds similar to disabling a CO detector because the alarms are bothersome.  Are these alarms (log entries) known to be meaningless or false for a windows server firewall at default settings?

Thanks for your patience.
ASKER CERTIFIED SOLUTION
Davis McCarn

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
JoeM21

ASKER
Davis,

Thank you for your help. I have disabled the auditing and marked this at the solution.

I still do not understand the inclusion of the 127.0.0.1 loopback mechanism. Why do you think that there is anything here originating from 192.168.11.2? Why do you think that "192.168.11.2 request(s) traffic from 192.168.11.2"? Is there some inference of other traffic from what is shown in the logs?
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Davis McCarn

If, for example, you install Norton antivirus with email scanning, it will change all of the ip's used by Outlook to 127.0.0.1 and move the real send/receive details to its own handler which runs as the localhost.  Afterwards, every Outlook account setup on that PC will use the localhost handler to actually send and receive email.
Numerous other software packages use the same mechanism to route various types of network traffic to their handler for the data they handle.
JoeM21

ASKER
I think I understand the use of 127.0.0.1. I have no clue why it might relate to my problem.

What does that have to do with the 5152 and 5157 events posted in the original question? What does that have to do with the pfirewall entries I posted? Am I missing something?

Thanks again.
Davis McCarn

In TCP/IP networking, there should be no traffic from the NIC's ip address to the same ip.  Its against the rules.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
JoeM21

ASKER
True. Bit relevant?

I don't see any "traffic from the NIC's ip address to the same ip". Where do you see it?
JoeM21

ASKER
Bit relevant?  ->  But Relevant?
Davis McCarn

192.168.11.2 is the NIC
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
JoeM21

ASKER
I must be really dense. I understand that 192.168.11.2 is the NIC. You seem to be talking about traffic from 192.168.11.2 to 192.168.11.2. I don't see any evidence of it. Would you please point it out in this thread. The only traffic I see is between 47 50.143.170.64 and 192.168.11.2.

If traffic from 192.168.11.2 to 192.168.11.2 is not explicitly shown, but can be inferred from what is shown, could you help me make the jump from the shown traffic from 47 50.143.170.64 to 192.168.11.2 to the traffic of which you speak.

This is getting "above and beyond" so please feel free to drop out with my thanks for the auditpol workaround.

Thanks