What is hell is TCP flag:S [Archive] - SpeedGuide.net Broadband Community


abek
09-05-01, 03:05 PM
I keep on getting this message on my ZoAl that someone is trying to access my computer:
The firewall has blocked Internet access to your computer (HTTP) from 202.9.136.111 (TCP Port 49787) [TCP Flags: S].
To the extent that I have received the alert 10-12 times in an hour over a variety of ports. What the hell is this?

lewis
09-05-01, 03:32 PM
You can download a program called Zonelog Analyser that takes the Alert logs from ZA and breaks them down to tell you what they mean. Get it here (http://www.zonelog.co.uk/index.html)

Hope it helps.

(It runs separately from Zonealarm)

VonJames
09-05-01, 03:48 PM
If what you're mainly seeing is hits on HTTP on various TCP ports from various addresses... The majority is likely due to CODERED, still running rampant out there, looking for Microsoft IIS servers to infect.

If you're not running IIS server, then there's not much to worry about, it's just an annoyance.

Do a search for Code red on this site and you'll have plenty to read about. ;)

chimdogger
09-06-01, 01:08 PM
The TCP header structure is made up of flag components as well as other pieces. Towards the bottom of this brief description you will find the flags that ZA is referring to.

Flag S refers to the SYN flag. This means that this TCP packet header has flag "S" set to "1" or "on". Zero means off, one means on.

There are some DoS attacks that use SYN attacks, but that is a whole other topic.



Flags

U (URG) Urgent pointer field significant.
A (ACK) Acknowledgment field significant.
P (PSH) Push function.
R (RST) Reset the connection.
S (SYN) Synchronize sequence numbers.
F (FIN) No more data from sender.


For more info check out this link.
http://www.protocols.com/pbook/tcpip.htm
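
The flag decoding described in the post above, as an added example that is not part of the original thread: it reads the flags byte from a raw TCP header and returns the letters from the list. The sample segment is constructed, using the source port from the alert in the first post and destination port 80 (HTTP); its sequence number and window are arbitrary.

```python
import struct

# Flag bits in byte 13 of the TCP header, in the order of the list above.
# The two higher bits of that byte (used by ECN) are ignored here.
TCP_FLAGS = [("U", 0x20), ("A", 0x10), ("P", 0x08),
             ("R", 0x04), ("S", 0x02), ("F", 0x01)]

# Constructed sample: 20-byte header, source port 49787, destination port 80,
# data offset 5 (x 4 = 20 bytes), only the SYN bit (0x02) set.
SAMPLE_SYN = struct.pack("!HHIIBBHHH", 49787, 80, 1000, 0, 5 << 4, 0x02, 8192, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the fixed 20-byte part of a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, seq, ack, off_res, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20]
    )
    header_len = (off_res >> 4) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    letters = "".join(name for name, bit in TCP_FLAGS if flags & bit)
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
            "flags": letters}


def describe(flags: str) -> str:
    """Rough meaning of common flag combinations seen in firewall logs."""
    if flags == "S":
        return "connection request (first step of the handshake)"
    if flags == "AS":
        return "connection accepted (second step of the handshake)"
    if "R" in flags:
        return "connection reset"
    if "F" in flags:
        return "sender closing the connection"
    return "part of an established connection"


if __name__ == "__main__":
    info = parse_tcp_header(SAMPLE_SYN)
    print(f"port {info['src_port']} -> {info['dst_port']} "
          f"[TCP Flags: {info['flags']}] {describe(info['flags'])}")
```
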

greEd
09-06-01, 03:07 PM
To the extent that I have received the alert 10-12 times in an hour over a variety of ports.

What other ports besides 80 have the scans been sourcing to?