Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
D-4
Firewall Log Formats
May 2004, 202-10030-02
Other Connections and Traffic to this Router
The format is:
<DATE><TIME>< PKT_TYPE ><SRC_IP><DST_IP><ACTION>
[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 -
Destination: 192.168.0.1 - [Receive]
[Wed, 2003-07-30 16:34:56] - ICMP Packet[Type: 238] - Source: 64.3.3.201 -
Destination: 192.168.0.3 - [Drop]
[Fri, 2003-12-05 22:59:56] - ICMP Packet[Echo Request] - Source:192.168.0.10 -
Destination:192.168.0.1 - [Receive]
The format is:
<DATE><TIME><EVENT><SRC_IP><SRC_PORT><SRC_INF><DST_IP><DST_PORT><DST_INF><ACTION>
[Wed, 2003-07-30 16:24:23] - UDP Packet - Source: 207.46.130.100 WAN -
Destination: 10.10.10.4,1234 LAN - [Drop]
[Wed, 2003-07-30 17:48:09] - TCP Packet[SYN] - Source: 64.3.3.201,65534 WAN -
Destination: 10.10.10.4,1765 LAN - [Receive]
[Fri, 2003-12-05 22:07:11] - IP Packet [Type Field:8], from 20.97.173.18 to
172.31.12.157 - [Drop]
Notes:
ACTION = "Drop", "Receive"
EVENT = "ICMP Packet", "UDP Packet", "TCP Packet", "IP Packet"
DoS Attack/Scan
Common attacks and scans are logged.
The format is:
<DATE><TIME><PKT_TYPE><SRC_IP><SRC_PORT><SRC_INF><DST_IP><DST_PORT><DST_PORT><ACTION><DESCRIPTION>
<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION> <DESCRIPTION>
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN -
Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN -
Destination:172.31.12.157,670 ,LAN [Drop] - [Nmap Xmas Scan]
[Fri, 2003-12-05 21:23:06] - TCP Packet - Source:172.31.12.156,39860 ,WAN -
Destination:172.31.12.157,18000 ,LAN [Drop] - [Null Scan]
[Fri, 2003-12-05 21:27:55] - TCP Packet - Source:172.31.12.156,38009 ,WAN -
Destination:172.31.12.157,15220 ,LAN [Drop] - [Full Sapu Scan]
[Fri, 2003-12-05 21:28:56] - TCP Packet - Source:172.31.12.156,35128 ,WAN -
Destination:172.31.12.157,38728 ,LAN [Drop] - [Full Xmas Scan]
[Fri, 2003-12-05 21:30:30] - IP Packet - Source:227.113.223.77,WAN -
Destination:172.31.12.157,LAN [Drop] - [Fragment Attack]
[Fri, 2003-12-05 21:30:30] - IP Packet - Source:20.97.173.18,WAN -
Destination:172.31.12.157,LAN [Drop] - [Targa3 Attack]
[Fri, 2003-12-05 21:30:30] - TCP Packet - Source:3.130.176.84,37860 ,WAN -
Destination:172.31.12.157,63881 ,LAN [Drop] - [Vecna Scan]
[Fri, 2003-12-05 21:30:31] - ICMP Packet [Type 238] - Source:100.110.182.63,WAN -
Destination:172.31.12.157,LAN [Drop] - [ICMP Flood]
[Fri, 2003-12-05 21:33:52] - UDP Packet - Source:127.0.0.1,0 ,WAN -
Destination:172.31.12.157,0 ,LAN [Drop] - [Fragment Attack]
[Fri, 2003-12-05 19:20:00] - TCP Session - Source:54.148.179.175,58595 ,LAN -
Destination:192.168.0.1,20[FTP Data] ,WAN [Reset] - [SYN Flood]
[Fri, 2003-12-05 19:21:22] - UDP Packet - Source:172.31.12.156,7 ,LAN -
Destination:172.31.12.157,7 ,WAN [Drop] - [UDP Flood]
[Fri, 2003-12-05 20:59:08] - ICMP Echo Request packet - Source:192.168.0.5,LAN -
Destination:172.31.12.99,WAN [Drop] - [ICMP Flood]
[Fri, 2003-12-05 18:07:29] - TCP Packet - Source:192.168.0.10,1725 ,LAN -
Destination:61.177.58.50,1352 ,WAN [Drop] - [TCP incomplete sessions overflow]
[Fri, 2003-12-05 21:11:24] - TCP Packet - Source:192.168.0.10,2342 ,LAN -
Destination:61.177.58.50,1352 ,WAN [Drop] - [First TCP Packet not SYN]
Notes:
DESCRIPTION = "SYN Flood", "UDP Flood", "ICMP Flood", "IP Spoofing", "TearDrop",
"Brute Force", "Ping of Death", "Fragment Attack", "Targa3 Attack", "Big Bomb",
"SYN with Data", "Full Xmas Scan", "Full Head Scan", "Full Sapu Scan",
"FIN Scan", "SYN FIN Scan", "Null Scan", "Nmap Xmas Scan", "Vecna Scan",
"Tcp SYN RES Set", "Other Scan",
"TCP incomplete sessions overflow", "TCP preconnect traffic",
"TCP invalid traffic", "First TCP Packet not SYN", "First TCP Packet with no SYN"
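An added example, not part of the NETGEAR manual: a Python parser for the DoS Attack/Scan layout above that re-joins wrapped entries, tolerates entries without ports and service names appended to a port, and reports WAN-side sources that triggered more than one kind of scan. The function names and the min_kinds threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Entries copied from the samples above, left wrapped across lines.
SAMPLE = """\
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN -
Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:23:06] - TCP Packet - Source:172.31.12.156,39860 ,WAN -
Destination:172.31.12.157,18000 ,LAN [Drop] - [Null Scan]
[Fri, 2003-12-05 21:30:30] - IP Packet - Source:20.97.173.18,WAN -
Destination:172.31.12.157,LAN [Drop] - [Targa3 Attack]
[Fri, 2003-12-05 19:20:00] - TCP Session - Source:54.148.179.175,58595 ,LAN -
Destination:192.168.0.1,20[FTP Data] ,WAN [Reset] - [SYN Flood]
"""

STAMP = re.compile(r"\[\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\]")
ENTRY = re.compile(
    r"\[\w{3}, (?P<ts>[\d-]+ [\d:]+)\] - (?P<pkt>.+?)\s*- Source:\s*"
    r"(?P<src>[\d.]+)(?:,(?P<sport>\d+))?\s*,(?P<sinf>WAN|LAN)\s*- Destination:\s*"
    r"(?P<dst>[\d.]+)(?:,(?P<dport>\d+)[^,]*)?\s*,(?P<dinf>WAN|LAN)\s*"
    r"\[(?P<action>\w+)\] - \[(?P<desc>[^\]]+)\]"
)

def records(text):
    """Re-join wrapped lines; a new entry starts at a '[Day, date time]' stamp."""
    buf = []
    for line in text.splitlines():
        if STAMP.match(line) and buf:
            yield " ".join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def parse(text):
    """Return (parsed entries as dicts, records that did not match the layout)."""
    parsed, rejected = [], []
    for rec in records(text):
        m = ENTRY.match(rec)
        (parsed if m else rejected).append(m.groupdict() if m else rec)
    return parsed, rejected

def scan_sources(entries, min_kinds=2):
    """WAN-side sources that triggered several distinct '... Scan' descriptions."""
    kinds = defaultdict(set)
    for e in entries:
        if e["sinf"] == "WAN" and e["desc"].endswith("Scan"):
            kinds[e["src"]].add(e["desc"])
    return {ip: sorted(k) for ip, k in kinds.items() if len(k) >= min_kinds}
```

Records that do not fit the layout are returned in the second list rather than dropped, so entries in one of the other formats on this page can be routed to a different parser.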
<DATE><TIME><PKT_TYPE>< SRC_IP >< DST_IP><ACTION>
[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=896] - Source:
64.3.3.201 - Destination: 10.10.10.4 - [Drop]
[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=1000] - Source:
64.3.3.201 - Destination: 10.10.10.4 - [Forward]
Notes:
PKT_TYPE = "TCP", "UDP", "ICMP", "Proto: Number"
Access Block Site
If keyword blocking is enabled and a keyword is specified, attempts to access a site whose URL
contains a specified keyword are logged.
The format is:
<DATE> <TIME> <EVENT> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
[Fri, 2003-12-05 23:01:47] - Attempt to access blocked sites -
Source:192.168.0.10,LAN - Destination:www.google.com/,WAN - [Drop]
Notes:
EVENT = Attempt to access blocked sites
SRC_INF = LAN
DST_INF = WAN
All Web Sites and News Groups Visited
All Web sites and News groups that you visit are logged.
The format is:
<DATE> <TIME> <EVENT> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
[Fri, 2003-12-05 23:03:49] - Access site - Source:192.168.0.10,LAN -
Destination:euro.allyes.com,WAN - [Forward]
Notes:
EVENT = Attempt to access blocked sites
SRC_INF = LAN or WAN
DST_INF = WAN or LAN
System Admin Sessions
Administrator session logins and failed attempts are logged, as well as manual or idle-time
logouts.
The format is:
<DATE><TIME><EVENT ><SRC_IP>
<DATE><TIME><EVENT ><SRC_IP><SRC_PORT><DST_IP><DST_PORT><ACTION>
[Fri, 2003-12-05 21:07:43] - Administrator login successful - IP:192.168.0.10
[Fri, 2003-12-05 21:09:16] - Administrator logout - IP:192.168.0.10
[Fri, 2003-12-05 21:09:31] - Administrator login fail, Username error -
IP:192.168.0.10
[Fri, 2003-12-05 21:09:25] - Administrator login fail, Password error -
IP:192.168.0.10
[Fri, 2003-12-05 21:16:15] - Login screen timed out - IP:192.168.0.10
[Fri, 2003-12-05 21:07:43] - Administrator Interface Connecting[TCP] - Source
192.168.0.10,2440 - Destination 192.168.0.1,80 - [Receive]
Notes:
ACTION: Receive or Drop
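An added example, not part of the NETGEAR manual: a Python check over the administrator session entries above that flags source IPs with repeated login failures in a short window and records whether a successful login followed. The sample log is constructed in the manual's layout; the function names, the threshold of 3 and the 5-minute window are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the manual's layout (first two entries wrapped).
SAMPLE = """\
[Fri, 2003-12-05 21:09:25] - Administrator login fail, Password error -
IP:192.168.0.10
[Fri, 2003-12-05 21:09:31] - Administrator login fail, Username error -
IP:192.168.0.10
[Fri, 2003-12-05 21:09:40] - Administrator login fail, Password error - IP:192.168.0.10
[Fri, 2003-12-05 21:10:02] - Administrator login successful - IP:192.168.0.10
[Fri, 2003-12-05 21:20:00] - Administrator login fail, Password error - IP:192.168.0.44
[Fri, 2003-12-05 21:40:00] - Administrator logout - IP:192.168.0.10
"""

# \s* around the dash spans the line break where an entry is wrapped.
LOGIN = re.compile(
    r"\[\w{3}, (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] - "
    r"Administrator login (?P<result>successful|fail, (?:Username|Password) error)"
    r"\s*-\s*IP:(?P<ip>[\d.]+)"
)

def login_events(text):
    """Yield (timestamp, ip, succeeded) for every login entry in the log text."""
    for m in LOGIN.finditer(text):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        yield ts, m["ip"], m["result"] == "successful"

def suspicious_logins(text, threshold=3, window=timedelta(minutes=5)):
    """Map IP -> True/False for IPs with `threshold` failures inside `window`;
    the value is True when a successful login from that IP came afterwards."""
    fails, flagged = {}, {}
    for ts, ip, ok in sorted(login_events(text)):
        if ok:
            if ip in flagged:
                flagged[ip] = True
            fails.pop(ip, None)
            continue
        recent = [t for t in fails.get(ip, []) if ts - t <= window] + [ts]
        fails[ip] = recent
        if len(recent) >= threshold:
            flagged.setdefault(ip, False)
    return flagged
```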
Policy Administration LOG
<DATE> <TIME> <EVENT> <DIRECTION> <SERVICE>< DESCRIPTION >
[Fri, 2003-12-05 21:48:41] - Administrator Action - Inbound Policy to Service
[BGP] is Added
[Fri, 2003-12-05 21:49:41] - Administrator Action - Outbound Policy to Service
[BGP] is Added
[Fri, 2003-12-05 21:50:14] - Administrator Action - Inbound Policy to Service
[BGP] is Modified
[Fri, 2003-12-05 21:50:57] - Administrator Action - Outbound Policy to Service
[BGP] is Modified
[Fri, 2003-12-05 21:51:14] - Administrator Action - Inbound Policy to Service
[BGP] is Deleted
[Fri, 2003-12-05 21:52:12] - Administrator Action - Inbound Policy to Service
[BGP] is Moved to Index [0]
[Fri, 2003-12-05 21:54:41] - Administrator Action - Outbound Policy to Service
[FTP] is Moved to Index [1]
[Fri, 2003-12-05 22:01:47] - Administrator Action - Inbound Policy to Service
[BGP] is changed to Disable
[Fri, 2003-12-05 22:02:14] - Administrator Action - Inbound Policy to Service
[BGP] is changed to Enable
[Fri, 2003-12-05 22:02:35] - Administrator Action - Outbound Policy to Service
[NFS] is changed to Disable
[Fri, 2003-12-05 22:02:52] - Administrator Action - Outbound Policy to Service
[NFS] is changed to Enable
Notes:
DIRECTION: Inbound or Outbound
SERVICE: Supported service name