Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
Firewall Log Formats
B-5
December 2003, M-10041-01
The format is:
<DATE><TIME><PKT_TYPE>< SRC_IP><SRC_PORT ><SRC_INF>< DST_IP><DST_PORT
><DST_PORT><ACTION><DESCRIPTION>
<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>
<DESCRIPTION>
[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN -
Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan]
[Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN -
Destination:172.31.12.157,670 ,LAN [Drop] - [Nmap Xmas Scan]
[Fri, 2003-12-05 21:23:06] - TCP Packet - Source:172.31.12.156,39860 ,WAN -
Destination:172.31.12.157,18000 ,LAN [Drop] - [Null Scan]
[Fri, 2003-12-05 21:27:55] - TCP Packet - Source:172.31.12.156,38009 ,WAN -
Destination:172.31.12.157,15220 ,LAN [Drop] - [Full Sapu Scan]
[Fri, 2003-12-05 21:28:56] - TCP Packet - Source:172.31.12.156,35128 ,WAN -
Destination:172.31.12.157,38728 ,LAN [Drop] - [Full Xmas Scan]
[Fri, 2003-12-05 21:30:30] - IP Packet - Source:227.113.223.77,WAN -
Destination:172.31.12.157,LAN [Drop] - [Fragment Attack]
[Fri, 2003-12-05 21:30:30] - IP Packet - Source:20.97.173.18,WAN -
Destination:172.31.12.157,LAN [Drop] - [Targa3 Attack]
[Fri, 2003-12-05 21:30:30] - TCP Packet - Source:3.130.176.84,37860 ,WAN -
Destination:172.31.12.157,63881 ,LAN [Drop] - [Vecna Scan]
[Fri, 2003-12-05 21:30:31] - ICMP Packet [Type 238]
- Source:100.110.182.63,WAN
- Destination:172.31.12.157,LAN [Drop] - [ICMP Flood]
[Fri, 2003-12-05 21:33:52] - UDP Packet - Source:127.0.0.1,0 ,WAN -
Destination:172.31.12.157,0 ,LAN [Drop] - [Fragment Attack]
[Fri, 2003-12-05 19:20:00] - TCP Session - Source:54.148.179.175,58595 ,LAN -
Destination:192.168.0.1,20[FTP Data] ,WAN [Reset] - [SYN Flood]
[Fri, 2003-12-05 19:21:22] - UDP Packet - Source:172.31.12.156,7 ,LAN -
Destination:172.31.12.157,7 ,WAN [Drop] - [UDP Flood]
[Fri, 2003-12-05 20:59:08] - ICMP Echo Request packet - Source:192.168.0.5,LAN -
Destination:172.31.12.99,WAN [Drop] - [ICMP Flood]
[Fri, 2003-12-05 18:07:29] - TCP Packet - Source:192.168.0.10,1725 ,LAN -
Destination:61.177.58.50,1352 ,WAN [Drop] - [TCP incomplete sessions overflow]
[Fri, 2003-12-05 21:11:24] - TCP Packet - Source:192.168.0.10,2342 ,LAN -
Destination:61.177.58.50,1352 ,WAN [Drop] - [First TCP Packet not SYN]
Notes:
DESCRIPTION = "SYN Flood", "UDP Flood", "ICMP Flood", "IP Spoofing", "TearDrop",
"Brute Force", "Ping of Death", "Fragment Attack", "Targa3 Attack", "Big Bomb"
"SYN with Data", "Full Xmas Scan", "Full Head Scan", "Full Sapu Scan", "FIN
Scan", "SYN FIN Scan", "Null Scan", "Nmap Xmas Scan", "Vecna Scan", "Tcp SYN RES
Set", "Other Scan"
"TCP incomplete sessions overflow", "TCP preconnect traffic", "TCP invalid
traffic", "First TCP Packet not SYN", "First TCP Packet with no SYN"
<DATE><TIME><PKT_TYPE>< SRC_IP >< DST_IP><ACTION>
[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=896] - Source:
64.3.3.201 - Destination: 10.10.10.4 - [Drop]
[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=1000] - Source:
64.3.3.201- Destination:
10.10.10.4 - [Forward]
Notes:
PKT_TYPE = "TCP", "UDP", "ICMP", "Proto: Number"