Kerio Tech KERIO WINROUTE FIREWALL 6 User Manual

Page 279


22.11 Security Log


Example

[17/Jul/2008 11:46:38] Anti-Spoofing:
Packet from LAN, proto:TCP, len:48,
ip/port:61.173.81.166:1864 -> 195.39.55.10:445,
flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0

packet from — packet direction (either from, i.e. sent via the interface, or to, i.e. received via the interface)

LAN — interface name (see chapter 5 for details)

proto: — transport protocol (TCP, UDP, etc.)

len: — packet size in bytes (including the headers)

ip/port: — source IP address, source port, destination IP address and destination port

flags: — TCP flags

seq: — sequence number of the packet (TCP only)

ack: — acknowledgement sequence number (TCP only)

win: — size of the receive window in bytes (used for data flow control; TCP only)

tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)
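As an added example (not code from the Kerio manual), the following parses an Anti-Spoofing record in the format described above and re-derives the verdict behind it: the source address of a packet seen on an interface must belong to that interface's own network. The LAN address range 192.168.1.0/24 and the second (UDP) record are constructed assumptions; the manual does not state the LAN's range.

```python
# Added example, not code from the Kerio manual: parse an Anti-Spoofing record
# in the format shown above and re-derive the verdict behind it. The LAN
# address range is a constructed assumption; the manual does not state it.
import ipaddress
import re

# Assumption: source addresses that may legitimately appear on each interface.
# Anti-spoofing means "a packet seen on interface X must carry a source
# address from X's own network(s)".
INTERFACE_SUBNETS = {
    "LAN": [ipaddress.ip_network("192.168.1.0/24")],
}

# The record from the page, joined back onto a single line.
SAMPLE_TCP = ("[17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, "
              "len:48, ip/port:61.173.81.166:1864 -> 195.39.55.10:445, "
              "flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0")
# Constructed UDP record with a legitimate LAN source (no TCP-only fields).
SAMPLE_UDP = ("[17/Jul/2008 11:46:40] Anti-Spoofing: Packet from LAN, proto:UDP, "
              "len:60, ip/port:192.168.1.7:5353 -> 224.0.0.251:5353")

RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Anti-Spoofing: Packet (?P<direction>from|to) "
    r"(?P<iface>[^,]+), proto:(?P<proto>\w+), len:(?P<len>\d+), "
    r"ip/port:(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:, flags: (?P<flags>[^,]*), seq:(?P<seq>\d+) ack:(?P<ack>\d+), "
    r"win:(?P<win>\d+), tcplen:(?P<tcplen>\d+))?$"
)


def parse_record(line):
    """Return the record's fields as a dict; the TCP-only fields are None for UDP."""
    m = RECORD_RE.match(" ".join(line.split()))  # tolerate the manual's line wrapping
    if m is None:
        raise ValueError("not an Anti-Spoofing record: %r" % line)
    rec = m.groupdict()
    for key in ("len", "sport", "dport", "seq", "ack", "win", "tcplen"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    rec["flags"] = rec["flags"].split() if rec["flags"] else []
    return rec


def is_spoofed(rec, subnets=INTERFACE_SUBNETS):
    """True when the source address does not belong to the interface's network(s)."""
    allowed = subnets.get(rec["iface"])
    if allowed is None:
        raise KeyError("no address range configured for interface %r" % rec["iface"])
    src = ipaddress.ip_address(rec["src"])
    return not any(src in net for net in allowed)


def explain(line, subnets=INTERFACE_SUBNETS):
    """One-line verdict for a record, e.g. for a triage script over the log."""
    rec = parse_record(line)
    nets = ", ".join(str(n) for n in subnets[rec["iface"]])
    verdict = "SPOOFED" if is_spoofed(rec, subnets) else "ok"
    return "%s: source %s seen on %s, which carries %s" % (
        verdict, rec["src"], rec["iface"], nets)


if __name__ == "__main__":
    for line in (SAMPLE_TCP, SAMPLE_UDP):
        print(explain(line))
```

The page's record is flagged because 61.173.81.166 is a public address that cannot legitimately originate on the LAN interface; the UDP record passes because its source lies inside the assumed LAN range and carries none of the TCP-only fields.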

2. FTP protocol parser log records

Example 1

[17/Jul/2008 11:55:14] FTP: Bounce attack attempt:
client: 1.2.3.4, server: 5.6.7.8,
command: PORT 10,11,12,13,14,15

(attack attempt detected: the PORT command names an IP address other than the client's)

Example 2

[17/Jul/2008 11:56:27] FTP: Malicious server reply:
client: 1.2.3.4, server: 5.6.7.8,
response: 227 Entering Passive Mode (10,11,12,13,14,15)

(suspicious server reply: the 227 response names an IP address other than the server's)
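As an added example (not code from the Kerio manual), the following implements the address check behind both FTP parser records above and runs it over those records. A PORT command and a 227 reply both carry an address as h1,h2,h3,h4,p1,p2; the address is "foreign" when it is not the peer that sent it. The two records are the page's own; the harmless PORT and 227 inputs used for contrast are constructed.

```python
# Added example, not code from the Kerio manual: the address check behind the
# two FTP parser records above, run over those records. A PORT command and a
# 227 reply both carry an address as h1,h2,h3,h4,p1,p2; the address is
# "foreign" when it is not the peer that sent it. The two records are the
# page's own; the harmless PORT/227 inputs used for contrast are constructed.
import re

HOSTPORT_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

FTP_RECORD_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] FTP: (?P<kind>[^:]+): "
    r"client: (?P<client>[\d.]+), server: (?P<server>[\d.]+), "
    r"(?P<field>command|response): (?P<text>.*)$"
)

# The page's two records, joined back onto single lines.
BOUNCE = ("[17/Jul/2008 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, "
          "server: 5.6.7.8, command: PORT 10,11,12,13,14,15")
MALICIOUS_REPLY = ("[17/Jul/2008 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, "
                   "server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)")


def decode_hostport(text):
    """Decode the h1,h2,h3,h4,p1,p2 field of a PORT command or 227 reply
    into (dotted-quad address, port). The port is p1*256 + p2 (RFC 959)."""
    m = HOSTPORT_RE.search(text)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 field in %r" % text)
    parts = [int(p) for p in m.groups()]
    if any(p > 255 for p in parts):
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(parts[:4]), parts[4] * 256 + parts[5]


def check_port_command(client_ip, command):
    """Bounce attack check: PORT must name the client itself. Returns None
    when the command is acceptable, otherwise the reason it would be logged."""
    host, port = decode_hostport(command)
    if host != client_ip:
        return "Bounce attack attempt: PORT names %s:%d but client is %s" % (host, port, client_ip)
    return None


def check_server_reply(server_ip, response):
    """Passive-mode check: a 227 reply must name the server itself.
    Other replies carry no address and pass through."""
    if not response.startswith("227"):
        return None
    host, port = decode_hostport(response)
    if host != server_ip:
        return "Malicious server reply: 227 names %s:%d but server is %s" % (host, port, server_ip)
    return None


def parse_ftp_record(line):
    """Split a logged FTP parser record into its fields."""
    m = FTP_RECORD_RE.match(" ".join(line.split()))  # tolerate line wrapping
    if m is None:
        raise ValueError("not an FTP parser record: %r" % line)
    return m.groupdict()


def audit(line):
    """Re-run the parser's check on a logged record; None means it would not fire."""
    rec = parse_ftp_record(line)
    if rec["field"] == "command":
        return check_port_command(rec["client"], rec["text"])
    return check_server_reply(rec["server"], rec["text"])


if __name__ == "__main__":
    for line in (BOUNCE, MALICIOUS_REPLY):
        print(audit(line))
```

Both of the page's records decode to 10.11.12.13:3599, which is neither the client 1.2.3.4 nor the server 5.6.7.8, so both checks fire; a PORT pointing back at 1.2.3.4 or a 227 naming 5.6.7.8 passes, and a reply that is not a 227 is left alone because it carries no address.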

3. Failed user authentication log records

Message format:

Authentication: <service>: Client: <IP address>: <reason>

<service> — The WinRoute service to which the user attempted to authenticate (Admin = administration using Kerio Administration Console, WebAdmin = web
