Solved

Multiple audit failure events 5152 and 5157 recently flooding event log.

Posted on 2016-10-14
21
74 Views
Last Modified: 2016-11-22
My SBS 2008 server security event log is showing about 10 audit failure pairs per second - events 5152 and 5157. One pair of the log entries is shown at the bottom of this post. I don't see any external symptoms, but I expect that there is an undue load on the server and a possible security gap. I don't think it is a firewall problem because I don't think there should be traffic between the server and this external IP address. This is a somewhat recent phenomenon. What is happening and how do I get rid of it without turning off auditing?

Comcast is providing both ISP and VOIP services through separate channels. The Internet access comes through a router and a Dell PC2824 switch to the server and the rest of the network. The Comcast VOIP is fairly new and comes through their box and the same PC2824 switch. The PC2824 is configured to keep the data on the default VLAN 1 and the voice on VLAN 20. The VOIP phones and user computer share Ethernet cables to the switch. The VOIP phones are configured to keep to VLAN 20 while letting VLAN 1 and untagged packets pass through. The user computers and SBS2008 server do not know about the VLAN usage. The port for the SBS server is forbidden for VLAN 20 packets.

The log entries show svchost.exe as process ID 532 which relates to the following services: Windows Audio, DHCP client, Windows Event Log, and TCP/IP NETBIOS Helper.

50.143.170.64 is unknown and owned by Comcast. It is not the public IP for the network. It may be related to the VOIP service. 192.168.11.2 is the local IP address for the SBS2008 server. 192.168.11.1 is the gateway. I don't understand how a packet could have the server as a source and still be inbound.

Thanks,

Joe

================ Event Log pairs ================

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/11/2016 9:29:12 AM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            532
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            192.168.11.2
      Source Port:            0
      Destination Address:      50.143.170.64
      Destination Port:            0
      Protocol:            47

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

--------------------- and -------------------------

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/11/2016 9:29:12 AM
Event ID:      5157
Task Category: Filtering Platform Connection
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SBS2008.domain.local
Description:
The Windows Filtering Platform has blocked a connection.

Application Information:
      Process ID:            532
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            192.168.11.2
      Source Port:            0
      Destination Address:      50.143.170.64
      Destination Port:            0
      Protocol:            0

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

and

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/11/2016 9:29:12 AM
Event ID:      5152
Task Category: Filtering Platform Packet Drop
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SBS2008.domain.local
Description:
The Windows Filtering Platform blocked a packet.

Application Information:
      Process ID:            532
      Application Name:      \device\harddiskvolume1\windows\system32\svchost.exe

Network Information:
      Direction:            Inbound
      Source Address:            192.168.11.2
      Source Port:            0
      Destination Address:      50.143.170.64
      Destination Port:            0
      Protocol:            47

Filter Information:
      Filter Run-Time ID:      0
      Layer Name:            Receive/Accept
      Layer Run-Time ID:      44

===========================================================
0
Comment
Question by:JoeM21
  • 10
  • 6
  • 4
21 Comments
 
LVL 11

Expert Comment

by:loftyworm
Comment Utility
So your server is NOT "192.168.11.2"

It appears someone has placed a rouge device on your network.
0
 

Author Comment

by:JoeM21
Comment Utility
loftyworm,

My server is at 192.168.11.2 as I stated. I don't understand your comment or why you would think it was not.

I presume the rogue device comment stems from you thinking that the server was not at 192.168.11.2.
0
 
LVL 11

Expert Comment

by:loftyworm
Comment Utility
My apologies, I did not see the last paragraph;

I agree, this is a bit confusing.  Is there server firewall On?  This may indicate that it is blocking outbound traffic.  There is a specific Firewall log as well.  You can find it here if it is on;
<sys32>\LogFiles\Firewall\pfirewall.log

This link may be helpful

http://www.howtogeek.com/220204/how-to-track-firewall-activity-with-the-windows-firewall-log/
0
 

Author Comment

by:JoeM21
Comment Utility
I have made progress, but I am still chasing things down. My first concern is what the dropped/rejected packets are and why they are coming in rather than adjusting the firewall to accommodate them.

The entries in the event log appear to be poorly worded. According to pfirewall.log all of the dropped packets are RECEIVE with the destination IP being 192.168.11.2. The term "Inbound" in the event log entries agrees, but the event log entry seems to use "source address" when it means "local address" and "destination address" when it means "remote address". If I make that translation the event log agrees with pfirewall.log.

The timing also seems to coincide with VPN connections to the LAN. Protocol 47 is GRE which relates to packet encapsulation for a VPN, but I can't understand why the packets would be dropped with no noticeable effect on the VPN.
0
 
LVL 11

Expert Comment

by:loftyworm
Comment Utility
Can you post some of the pfirewall log?  Any other logs you are looking at.

Is the firewall on the server blocking outbound traffic at all?  or is it permit all?
0
 

Author Comment

by:JoeM21
Comment Utility
I have not seen any outbound packets blocked in the log. The Windows firewall on the server is set to pass packets that do not match a rule and there are no outbound rules defined.

The only relevant log I have checked is the pfirewall.log (see snippet at end of this post). All dropped packets are RECEIVE. The VPN is from a laptop to the server. The source IP in the log snippet lines is the public IP of my laptop at one end of the VPN -- Laptop <-> VPN (private IP) <-> router <-> Internet (public IP 50.143.170.64) <-> router at server <-> VPN (private IP 192.168.11.2) <-> Server.

------------------------------ pfirewall.log snippet -----------------------------

#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 269 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 77 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE
2016-10-17 14:37:50 DROP 47 50.143.170.64 192.168.11.2 - - 81 - - - - - - - RECEIVE

------------------------------------------------------------------------------------------------------------------------
0
 
LVL 11

Expert Comment

by:loftyworm
Comment Utility
I am not sure, you have exhausted my brain.  I suggest requesting attention, a link at the top

Sorry I could not be more helpful :(
0
 
LVL 42

Expert Comment

by:Davis McCarn
Comment Utility
It appears to be a bug in the Filtering System.
Here is a Microsoft Hotfix for it: https://support.microsoft.com/en-us/kb/2654852
Here is an alternate method: http://nmsiam.blogspot.com/2013/02/resolve-issue-with-multiple-event-id.html
As a technical note, while I did not research that part of the issue, the loopback ip should always be 127.0.0.1 so traffic from 192.168.11.2 is foreign (inbound).
0
 

Author Comment

by:JoeM21
Comment Utility
I don't think that the hotfix applies. The KB 2654852 (12/23/2011) hotfix is for Windows Server 2008 R2. SBS 2008 is based on Windows Server 2008 SP2, not the later R2. The hotfix shows the file versions of 6.1.760x.xxxxx. The existing version of tcpip.sys is 6.0.6002.19080 (KB 2957189, 6/10/2014).

I don't understand your comment about the loopback IP. This is probably my lack of knowledge. Do you think the dropped packets really originate from 192.168.11.2? I know the event log entries say that is the source, but the pfirewall log entries show it as the destination IP.
0
 
LVL 42

Expert Comment

by:Davis McCarn
Comment Utility
The article I linked to says to disable the auditing using an elevated CMD window:
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

TCP/IP traffic which is internal to a PC (antivirus email scanning, for example) uses the 127.0.0.1 address to route that traffic to internal handlers so any valid traffic would be using that ip address, not the external 192.168.11.2.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:JoeM21
Comment Utility
Thanks for your help. I may just be obtuse, but there are three things that I still do not understand:

1) Why do you talk about IP 120.0.0.1? Is there any loopback traffic involved here?

2) Why do you talk about traffic FROM IP 192.168.11.2? Is it based on the event log entry? The verbiage in the event log entries makes no sense to me. The computer at 192.168.11.2 says there is inbound traffic sourced from 192.168.11.2 (itself) and destined to a foreign address 50.143.170.64. How can this be inbound? Wouldn't "inbound" imply that the entry has the two addresses transposed?The firewall log just shows "RECEIVE" traffic to 192.168.11.2. As far as I can tell the two logs are contradictory, the event log makes no sense to me, and neither is talking about traffic internal to a PC. Does the event log entry make sense to you? Is the firewall log wrong? What am I missing?

3) I understand what the auditpol commands do, but I do not understand why it is a safe solution. It  sounds similar to disabling a CO detector because the alarms are bothersome.  Are these alarms (log entries) known to be meaningless or false for a windows server firewall at default settings?

Thanks for your patience.
0
 
LVL 42

Accepted Solution

by:
Davis McCarn earned 500 total points
Comment Utility
Read this: http://www.tech-faq.com/127-0-0-1.html

If you are using IIS or just about anybody's "internet security suite" ( Norton, McAfee, CA, etc. ), they create a "handler" (software routine) which uses the loopback adapter on localhost (127.0.0.1) to processes requests made from the server back to the server.  As such, any properly installed software making requests to that handler then requests the traffic be from "localhost" or 127.0.0.1.  The usage is up to the software specifics and they are interchangeable.  The mechanism also works on workstations and is part of the TCP/IP protocol standards.

Using those same standards, having 192.168.11.2 request traffic from 192.168.11.2 is an illegal request as there is no defined mechanism for the network adapter to make requests from itself.

Your problem is not so much a problem; but, rather a bug in server 2008 (and R2) which is causing the events.  As such, you can safely ignore them because they are a bug rather than a real problem.

Having done my own homework on the same issue, I would probably ignore the events as being due to a software bug and I, too, have concerns about globally disabling the auditing.
0
 

Author Comment

by:JoeM21
Comment Utility
Davis,

Thank you for your help. I have disabled the auditing and marked this at the solution.

I still do not understand the inclusion of the 127.0.0.1 loopback mechanism. Why do you think that there is anything here originating from 192.168.11.2? Why do you think that "192.168.11.2 request(s) traffic from 192.168.11.2"? Is there some inference of other traffic from what is shown in the logs?
0
 
LVL 42

Expert Comment

by:Davis McCarn
Comment Utility
If, for example, you install Norton antivirus with email scanning, it will change all of the ip's used by Outlook to 127.0.0.1 and move the real send/receive details to its own handler which runs as the localhost.  Afterwards, every Outlook account setup on that PC will use the localhost handler to actually send and receive email.
Numerous other software packages use the same mechanism to route various types of network traffic to their handler for the data they handle.
0
 

Author Comment

by:JoeM21
Comment Utility
I think I understand the use of 127.0.0.1. I have no clue why it might relate to my problem.

What does that have to do with the 5152 and 5157 events posted in the original question? What does that have to do with the pfirewall entries I posted? Am I missing something?

Thanks again.
0
 
LVL 42

Expert Comment

by:Davis McCarn
Comment Utility
In TCP/IP networking, there should be no traffic from the NIC's ip address to the same ip.  Its against the rules.
0
 

Author Comment

by:JoeM21
Comment Utility
True. Bit relevant?

I don't see any "traffic from the NIC's ip address to the same ip". Where do you see it?
0
 

Author Comment

by:JoeM21
Comment Utility
Bit relevant?  ->  But Relevant?
0
 
LVL 42

Expert Comment

by:Davis McCarn
Comment Utility
192.168.11.2 is the NIC
0
 

Author Comment

by:JoeM21
Comment Utility
I must be really dense. I understand that 192.168.11.2 is the NIC. You seem to be talking about traffic from 192.168.11.2 to 192.168.11.2. I don't see any evidence of it. Would you please point it out in this thread. The only traffic I see is between 47 50.143.170.64 and 192.168.11.2.

If traffic from 192.168.11.2 to 192.168.11.2 is not explicitly shown, but can be inferred from what is shown, could you help me make the jump from the shown traffic from 47 50.143.170.64 to 192.168.11.2 to the traffic of which you speak.

This is getting "above and beyond" so please feel free to drop out with my thanks for the auditpol workaround.

Thanks
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now