Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Firewall Log Formats
B-3
December 2003, M-10041-01
The format is:
<DATE><TIME><PKT_TYPE><SRC_IP><SRC_PORT><SRC_INF><DST_IP><DST_PORT>
<DST_INF><ACTION><DESCRIPTION>
<DATE><TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
<DESCRIPTION>
[Wed, 2003-07-30 17:43:28] - IPSEC Packet - Source: 64.3.3.201, 37180 WAN -
Destination: 10.10.10.4,80[HTTP] LAN - [Drop] [VPN Packet]
[Wed, 2003-07-30 18:44:50] - IP Packet [Type Field: 321] - Source 18.7.21.69
192.168.0.3 - [Drop]
Notes:
DESCRIPTION = "VPN Packet"
PKT_TYPE = "GRE", "AH", "ESP", "IP packet [Type Field: Num]", "IPSEC"
ACTION = "Forward", "Drop"
Router Operation
Operations that the router initiates are logged.
The format is:
<DATE><TIME><EVENT>
[Wed, 2003-07-30 16:30:59] - Log emailed
[Wed, 2003-07-30 13:38:31] - NETGEAR activated
[Wed, 2003-07-30 13:42:01] - NTP Reply Invalid
The format is:
<DATE><TIME><EVENT><DST_IP>
<DATE><TIME><EVENT><SRC_IP>
[Wed, 2003-07-30 16:32:33] - Send out NTP Request to 207.46.130.100
[Wed, 2003-07-30 16:35:27] - Receive NTP Reply from 207.46.130.100
Other Connections and Traffic to this Router
The format is:
<DATE><TIME><PKT_TYPE><SRC_IP><DST_IP><ACTION>
[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 -
Destination: 192.168.0.1 - [Receive]
[Wed, 2003-07-30 16:34:56] - ICMP Packet[Type: 238] - Source: 64.3.3.201 -
Destination: 192.168.0.3 - [Drop]
[Fri, 2003-12-05 22:59:56] - ICMP Packet[Echo Request] - Source:192.168.0.10 -
Destination:192.168.0.1 - [Receive]
The format is:
<DATE><TIME><EVENT><SRC_IP><SRC_PORT><SRC_INF>
<DST_IP><DST_PORT><DST_INF><ACTION>
[Wed, 2003-07-30 16:24:23] - UDP Packet - Source: 207.46.130.100 WAN -
Destination: 10.10.10.4,1234 LAN - [Drop]
[Wed, 2003-07-30 17:48:09] - TCP Packet[SYN] - Source: 64.3.3.201,65534 WAN -
Destination: 10.10.10.4,1765 LAN - [Receive]
[Fri, 2003-12-05 22:07:11] - IP Packet [Type Field:8], from 20.97.173.18 to
172.31.12.157 - [Drop]
Notes:
ACTION = "Drop", "Receive"
EVENT = "ICMP Packet", "UDP Packet", "TCP Packet", "IP Packet"
DoS Attack/Scan
Common attacks and scans are logged.
The format is:
<DATE><TIME><PKT_TYPE><SRC_IP><SRC_PORT><SRC_INF><DST_IP><DST_PORT>
<DST_INF><ACTION><DESCRIPTION>
<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
<DESCRIPTION>
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN -
Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN -
Destination:172.31.12.157,670 ,LAN [Drop] - [Nmap Xmas Scan]
[Fri, 2003-12-05 21:23:06] - TCP Packet - Source:172.31.12.156,39860 ,WAN -
Destination:172.31.12.157,18000 ,LAN [Drop] - [Null Scan]
[Fri, 2003-12-05 21:27:55] - TCP Packet - Source:172.31.12.156,38009 ,WAN -
Destination:172.31.12.157,15220 ,LAN [Drop] - [Full Sapu Scan]
[Fri, 2003-12-05 21:28:56] - TCP Packet - Source:172.31.12.156,35128 ,WAN -
Destination:172.31.12.157,38728 ,LAN [Drop] - [Full Xmas Scan]
[Fri, 2003-12-05 21:30:30] - IP Packet - Source:227.113.223.77,WAN -
Destination:172.31.12.157,LAN [Drop] - [Fragment Attack]
[Fri, 2003-12-05 21:30:30] - IP Packet - Source:20.97.173.18,WAN -
Destination:172.31.12.157,LAN [Drop] - [Targa3 Attack]
[Fri, 2003-12-05 21:30:30] - TCP Packet - Source:3.130.176.84,37860 ,WAN -
Destination:172.31.12.157,63881 ,LAN [Drop] - [Vecna Scan]
[Fri, 2003-12-05 21:30:31] - ICMP Packet [Type 238] - Source:100.110.182.63,WAN -
Destination:172.31.12.157,LAN [Drop] - [ICMP Flood]
[Fri, 2003-12-05 21:33:52] - UDP Packet - Source:127.0.0.1,0 ,WAN -
Destination:172.31.12.157,0 ,LAN [Drop] - [Fragment Attack]
[Fri, 2003-12-05 19:20:00] - TCP Session - Source:54.148.179.175,58595 ,LAN -
Destination:192.168.0.1,20[FTP Data] ,WAN [Reset] - [SYN Flood]
[Fri, 2003-12-05 19:21:22] - UDP Packet - Source:172.31.12.156,7 ,LAN -
Destination:172.31.12.157,7 ,WAN [Drop] - [UDP Flood]
[Fri, 2003-12-05 20:59:08] - ICMP Echo Request packet - Source:192.168.0.5,LAN -
Destination:172.31.12.99,WAN [Drop] - [ICMP Flood]
[Fri, 2003-12-05 18:07:29] - TCP Packet - Source:192.168.0.10,1725 ,LAN -
Destination:61.177.58.50,1352 ,WAN [Drop] - [TCP incomplete sessions overflow]
[Fri, 2003-12-05 21:11:24] - TCP Packet - Source:192.168.0.10,2342 ,LAN -
Destination:61.177.58.50,1352 ,WAN [Drop] - [First TCP Packet not SYN]
Notes:
DESCRIPTION = "SYN Flood", "UDP Flood", "ICMP Flood", "IP Spoofing", "TearDrop",
"Brute Force", "Ping of Death", "Fragment Attack", "Targa3 Attack", "Big Bomb",
"SYN with Data", "Full Xmas Scan", "Full Head Scan", "Full Sapu Scan",
"FIN Scan", "SYN FIN Scan", "Null Scan", "Nmap Xmas Scan", "Vecna Scan",
"Tcp SYN RES Set", "Other Scan",
"TCP incomplete sessions overflow", "TCP preconnect traffic",
"TCP invalid traffic", "First TCP Packet not SYN", "First TCP Packet with no SYN"
<DATE><TIME><PKT_TYPE><SRC_IP><DST_IP><ACTION>
[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=896] - Source:
64.3.3.201 - Destination: 10.10.10.4 - [Drop]
[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=1000] - Source:
64.3.3.201 - Destination: 10.10.10.4 - [Forward]
Notes:
PKT_TYPE = "TCP", "UDP", "ICMP", "Proto: Number"
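An added example, not part of the NETGEAR manual: a Python parser for the DoS Attack/Scan entries above that rejoins wrapped lines and counts DESCRIPTION values per source IP. The regular expressions and the function names (parse_log, descriptions_by_source) are assumptions derived from the sample entries on this page, not a vendor specification; entries in other formats are returned unparsed.

```python
import re
from collections import Counter, defaultdict

# Entries copied from the manual's examples above, line wrapping kept. The last
# one is the shorter "Malformed" format (no interface, no description).
SAMPLE = """\
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN -
Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN -
Destination:172.31.12.157,670 ,LAN [Drop] - [Nmap Xmas Scan]
[Fri, 2003-12-05 21:30:31] - ICMP Packet [Type 238]
- Source:100.110.182.63,WAN
- Destination:172.31.12.157,LAN [Drop] - [ICMP Flood]
[Fri, 2003-12-05 19:20:00] - TCP Session - Source:54.148.179.175,58595 ,LAN -
Destination:192.168.0.1,20[FTP Data] ,WAN [Reset] - [SYN Flood]
[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=896] - Source:
64.3.3.201 - Destination: 10.10.10.4 - [Drop]
"""

ENTRY_START = re.compile(r"^(?=\[\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\])", re.M)

def _endpoint(label, p):
    # IP, optional ",port" with optional "[service]" tag, then the interface.
    return (rf"{label}:\s*(?P<{p}_ip>[\d.]+)(?:,(?P<{p}_port>\d+)(?:\[[^\]]*\])?)?"
            rf"\s*,?\s*(?P<{p}_inf>WAN|LAN)")

# Assumed pattern for the DoS Attack/Scan format, inferred from the samples.
ENTRY = re.compile(
    r"\[\w{3}, (?P<ts>[\d-]+ [\d:]+)\] - (?P<pkt_type>.+?)\s+- "
    + _endpoint("Source", "src") + r"\s+- " + _endpoint("Destination", "dst")
    + r"\s+\[(?P<action>[^\]]+)\] - \[(?P<description>[^\]]+)\]$")

def parse_log(text):
    """Rejoin wrapped lines into entries; return (parsed dicts, unparsed strings)."""
    parsed, unparsed = [], []
    for chunk in ENTRY_START.split(text):      # a timestamp starts a new entry
        entry = " ".join(chunk.split())        # undo the line wrapping
        m = ENTRY.match(entry)
        if m:
            parsed.append(m.groupdict())
        elif entry:
            unparsed.append(entry)
    return parsed, unparsed

def descriptions_by_source(parsed):
    """Count DESCRIPTION values per source IP (one host, many scan types)."""
    counts = defaultdict(Counter)
    for e in parsed:
        counts[e["src_ip"]][e["description"]] += 1
    return counts
```

Calling parse_log(SAMPLE) yields four parsed entries and one unparsed "Malformed" entry, which needs its own pattern because it carries no interface or description field.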
Access Block Site
If keyword blocking is enabled and a keyword is specified, attempts to access a site whose URL
contains a specified keyword are logged.
The format is:
<DATE> <TIME> <EVENT> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
[Fri, 2003-12-05 23:01:47] - Attempt to access blocked sites -
Source:192.168.0.10,LAN - Destination:www.google.com/,WAN - [Drop]
Notes:
EVENT = Attempt to access blocked sites
SRC_INF = LAN
DST_INF = WAN
All Web Sites and News Groups Visited
All Web sites and News groups that you visit are logged.
The format is:
<DATE> <TIME> <EVENT> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
[Fri, 2003-12-05 23:03:49] - Access site - Source:192.168.0.10,LAN -
Destination:euro.allyes.com,WAN - [Forward]
Notes:
EVENT = Attempt to access blocked sites
SRC_INF = LAN or WAN
DST_INF = WAN or LAN
System Admin Sessions
Administrator session logins and failed attempts are logged, as well as manual or idle-time
logouts.
The format is:
<DATE><TIME><EVENT><SRC_IP>
<DATE><TIME><EVENT><SRC_IP><SRC_PORT><DST_IP><DST_PORT><ACTION>
[Fri, 2003-12-05 21:07:43] - Administrator login successful - IP:192.168.0.10
[Fri, 2003-12-05 21:09:16] - Administrator logout - IP:192.168.0.10
[Fri, 2003-12-05 21:09:31] - Administrator login fail, Username error -
IP:192.168.0.10
[Fri, 2003-12-05 21:09:25] - Administrator login fail, Password error -
IP:192.168.0.10
[Fri, 2003-12-05 21:16:15] - Login screen timed out - IP:192.168.0.10
[Fri, 2003-12-05 21:07:43] - Administrator Interface Connecting[TCP] - Source
192.168.0.10,2440 - Destination 192.168.0.1,80 - [Receive]
Notes:
ACTION: Receive or Drop
Policy Administration LOG
<DATE> <TIME> <EVENT> <DIRECTION> <SERVICE> <DESCRIPTION>
[Fri, 2003-12-05 21:48:41] - Administrator Action - Inbound Policy to Service
[BGP] is Added
[Fri, 2003-12-05 21:49:41] - Administrator Action - Outbound Policy to Service
[BGP] is Added
[Fri, 2003-12-05 21:50:14] - Administrator Action - Inbound Policy to Service
[BGP] is Modified
[Fri, 2003-12-05 21:50:57] - Administrator Action - Outbound Policy to Service
[BGP] is Modified
[Fri, 2003-12-05 21:51:14] - Administrator Action - Inbound Policy to Service
[BGP] is Deleted
[Fri, 2003-12-05 21:52:12] - Administrator Action - Inbound Policy to Service
[BGP] is Moved to Index [0]
[Fri, 2003-12-05 21:54:41] - Administrator Action - Outbound Policy to Service
[FTP] is Moved to Index [1]
[Fri, 2003-12-05 22:01:47] - Administrator Action - Inbound Policy to Service
[BGP] is changed to Disable
[Fri, 2003-12-05 22:02:14] - Administrator Action - Inbound Policy to Service
[BGP] is changed to Enable
[Fri, 2003-12-05 22:02:35] - Administrator Action - Outbound Policy to Service
[NFS] is changed to Disable
[Fri, 2003-12-05 22:02:52] - Administrator Action - Outbound Policy to Service
[NFS] is changed to Enable
Notes:
DIRECTION: Inbound or Outbound
SERVICE: Supported service name