Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual Page 279

22.11 Security Log
Example
[17/Jul/2008 11:46:38] Anti-Spoofing:
Packet from LAN, proto:TCP, len:48,
ip/port:61.173.81.166:1864 -> 195.39.55.10:445,
flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0
packet from — packet direction (either from, i.e. sent via the interface, or to, i.e. received via the interface)
LAN — interface name (see chapter 5 for details)
proto: — transport protocol (TCP, UDP, etc.)
len: — packet size in bytes (including the headers)
ip/port: source IP address, source port, destination IP address and destination port
flags: — TCP flags
seq: — sequence number of the packet (TCP only)
ack: — acknowledgement sequence number (TCP only)
win: — size of the receive window in bytes (it is used for data flow control — TCP only)
tcplen: TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)
2. FTP protocol parser log records
Example 1
[17/Jul/2008 11:55:14] FTP: Bounce attack attempt:
client: 1.2.3.4, server: 5.6.7.8,
command: PORT 10,11,12,13,14,15
(attack attempt detected — a foreign IP address in the PORT command)
Example 2
[17/Jul/2008 11:56:27] FTP: Malicious server reply:
client: 1.2.3.4, server: 5.6.7.8,
response: 227 Entering Passive Mode (10,11,12,13,14,15)
(suspicious server reply with a foreign IP address)
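The following is an added example, not part of the Kerio manual or product. It parses the two FTP records above for log triage and decodes the h1,h2,h3,h4,p1,p2 argument into an IP address and port. Assumptions: records are wrapped as printed here (or on a single line), and "foreign" means the embedded address differs from the client (for PORT) or from the server (for a 227 reply). All function and variable names are hypothetical.

```python
import re
from datetime import datetime

# Constructed input: the two FTP records shown above, as they appear in the log.
SAMPLE_LOG = """\
[17/Jul/2008 11:55:14] FTP: Bounce attack attempt:
client: 1.2.3.4, server: 5.6.7.8,
command: PORT 10,11,12,13,14,15
[17/Jul/2008 11:56:27] FTP: Malicious server reply:
client: 1.2.3.4, server: 5.6.7.8,
response: 227 Entering Passive Mode (10,11,12,13,14,15)
"""

RECORD = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+FTP:\s+(?P<event>[^:]+):\s+"
    r"client:\s*(?P<client>[\d.]+),\s*server:\s*(?P<server>[\d.]+),\s+"
    r"(?P<kind>command|response):\s*(?P<text>.+)"
)
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_hostport(text):
    """Decode FTP h1,h2,h3,h4,p1,p2 (RFC 959) into (ip, port), or None."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    nums = [int(n) for n in m.groups()]
    if any(n > 255 for n in nums):
        return None  # not a valid octet sequence
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def parse_ftp_records(log_text):
    """Return one dict per FTP security record found in log_text."""
    out = []
    for m in RECORD.finditer(log_text):
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
        # Assumption: PORT is sent by the client, a 227 reply by the server.
        expected = rec["client"] if rec["kind"] == "command" else rec["server"]
        decoded = decode_hostport(rec["text"])
        rec["embedded_ip"], rec["embedded_port"] = decoded or (None, None)
        rec["foreign"] = decoded is not None and decoded[0] != expected
        out.append(rec)
    return out

if __name__ == "__main__":
    for r in parse_ftp_records(SAMPLE_LOG):
        print(r["ts"], r["event"], r["embedded_ip"], r["embedded_port"], r["foreign"])
```

For both sample records the embedded address decodes to 10.11.12.13, port 3599, which matches neither the client nor the server.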
3. Failed user authentication log records
Message format:
Authentication: <service>: Client: <IP address>: <reason>
<service> The WinRoute service to which the user attempted to authenticate (Admin = administration using Kerio Administration Console, WebAdmin = web