WSM Reference Guide - WatchGuard Technologies
Alarm Logs

Denial of Service (DoS) Alarms

Each entry below lists the alarm's default name, its message format, an example message, and what causes it.

Default Name: DOS
Message Format: alarm_name detected. message_string.
NOTE: The content of this alarm message is based on what DOS event triggered it. See the examples below.
Caused By: These alarms are triggered by any DOS events.

Default Name: SYN-Attack
Message Format: alarm_name detected. TCP SYN attack detected on interface interface_number.
Example Message: SYN-Attack detected. TCP SYN attack detected on interface 1.
Caused By: These alarms are triggered by SYN attacks.

Default Name: UDP-Flood
Message Format: alarm_name detected. UDP Flood attack detected on interface interface_number.
Example Message: UDP-Flood detected. UDP Flood attack detected on interface 1.
Caused By: These alarms are triggered by UDP Flood attacks.

Default Name: ICMP-Flood
Message Format: alarm_name detected. ICMP Flood attack detected on interface interface_number.
Example Message: ICMP-Flood detected. ICMP Flood attack detected on interface 1.
Caused By: These alarms are triggered by ICMP Flood attacks.

Default Name: Ping-of-Death
Message Format: alarm_name detected, PING-OF-DEATH attack detected on interface interface_number.
Example Message: Ping-of-Death detected. PING-OF-DEATH attack detected on interface 1.
Caused By: These alarms are triggered by Ping-of-Death attacks.

Default Name: Source-Route
Message Format: alarm_name detected. SOURCE-ROUTE attack detected on interface interface_number.
Example Message: Source-Route detected. SOURCE-ROUTE attack detected on interface 1.
Caused By: These alarms are triggered by Source-Route attacks.

Default Name: IPSec-Flood
Message Format: alarm_name detected. IPSEC Flood attack detected on interface interface_number.
Example Message: IPSec-Flood detected. IPSEC Flood attack detected on interface 1.
Caused By: These alarms are triggered by high severity level and IPSec Flood attacks.

Default Name: IKE-Flood
Message Format: alarm_name detected. IKE Flood attack detected on interface interface_number.
Example Message: IKE-Flood detected. IKE Flood attack detected on interface 1.
Caused By: These alarms are triggered by IKE Flood attacks.

Default Name: DDOS-Attack-Src
Message Format: alarm_name detected. Denial-of-Service attacks (>threshold) from source IP address/subnet mask detected on interface interface_number.
Example Message: DDOS-Attack-Src detected. Denial-of-Service attacks (>50) from source 192.168.226.226/255.255.255.255 detected on interface 1.
Caused By: These alarms are triggered by Distributed Denial of Service Source attacks.

Default Name: DDOS-Attack-Dest
Message Format: alarm_name detected. Denial-of-Service attacks (>threshold) for destination IP address/subnet mask detected on interface interface_number.
Example Message: DDOS-Attack-Dest detected. Denial-of-Service attacks (>50) for destination 192.168.226.226/255.255.255.255 detected on interface 1.
Caused By: These alarms are triggered by Distributed Denial of Service Destination attacks.

38 WatchGuard System Manager
Denial of Service (DoS) Alarms (continued)

Default Name: Port-Scan
Message Format: alarm_name detected. message_string.
Example Message: Port-Scan detected. Port scan threshold 300 reached, 300 ports scanned by 192.168.228.226 in 10 seconds.
Caused By: These alarms are triggered by Port Space Probe attacks.

Default Name: IP-Scan
Message Format: alarm_name detected. message_string.
Example Message: IP-Scan detected. IP scan threshold 300 reached, 300 IPs scanned by 192.168.228.226 in 10 seconds.
Caused By: These alarms are triggered by Address Space Probe attacks.

Default Name: IP-Spoofing
Message Format: alarm_name detected. message_string.
Example Message: IP-Spoofing detected. IP source spoofing detected, src_intf=30, src_ip=192.168.228.226.
Caused By: These alarms are triggered by IP Spoofing attacks.

Default Name: Tear-Drop
Message Format: alarm_name detected. TEAR-DROP attack detected on interface interface_number.
Example Message: Tear-Drop detected. TEAR-DROP attack detected on interface 1.
Caused By: These alarms are triggered by Tear-Drop attacks.

Traffic Alarms

Default Name: Traffic
Message Format: alarm_name detected, message_string.
NOTE: The content of this alarm message is based on what traffic event triggered the alarm. See the examples below.
Caused By: These alarms are triggered by any traffic events.

Default Name: ESP-Auth-Error
Message Format: alarm_name detected. ESP Authentication error, policy_id=policy_id_number, local_ip=local_IP_address, peer_ip=peer_IP_address, spi=spi, sa_id=ID_of_SA, interface=interface_number, the first (x) bytes are list_of_first x number of bytes.
Example Message: ESP-Auth-Error detected. ESP Authentication error, policy_id=2, local_ip=10.10.10.10, peer_ip=192.168.228.226, spi=12345678, sa_id=1000, interface=1, the first 80 bytes are A0 B1 C2...
Caused By: These alarms are triggered by the traffic event "ESP-AUTH_ERR".

Default Name: AH-Auth-Error
Message Format: alarm_name detected. AH Authentication error, policy_id=policy_id_number, local_ip=local_IP_address, peer_ip=peer_IP_address, spi=spi, sa_id=ID_of_SA, interface=interface_number, the first (x) bytes are list_of_first x number of bytes.
Example Message: AH-Auth-Error detected. AH Authentication error, policy_id=2, local_ip=10.10.10.10, peer_ip=192.168.228.226, spi=12345678, sa_id=1000, interface=1, the first 80 bytes are A0 B1 C2...
Caused By: These alarms are triggered by the traffic event "AH_AUTH_ERR".

Reference Guide 39
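The DoS and traffic alarm formats above all share the shape "alarm_name detected. message_string", but the message_string carries its details in three different ways: a fixed phrase ending in "on interface N", a threshold/count sentence (DDoS and scan alarms), or a key=value list (IP-Spoofing and the IPsec authentication errors). The following parser, added here as an illustration and not part of the WatchGuard guide or its software, turns one alarm line into a structured record and then groups alarms by the address they implicate, which is what a log collector needs before it can count repeated offenders. The `Alarm` class, `parse_alarm` and `alarms_by_source` are my own names; the sample lines are constructed from the Example Message entries above, with the DDoS threshold written as "(>50)" as the documented format specifies.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample messages, built from the Example Message column of the
# tables above (the byte dump in the last line is truncated as on the page).
SAMPLE_ALARMS = [
    "SYN-Attack detected. TCP SYN attack detected on interface 1.",
    "Ping-of-Death detected, PING-OF-DEATH attack detected on interface 1.",
    "DDOS-Attack-Src detected. Denial-of-Service attacks (>50) from source "
    "192.168.226.226/255.255.255.255 detected on interface 1.",
    "Port-Scan detected. Port scan threshold 300 reached, 300 ports scanned by "
    "192.168.228.226 in 10 seconds.",
    "IP-Spoofing detected. IP source spoofing detected, src_intf=30, src_ip=192.168.228.226.",
    "ESP-Auth-Error detected. ESP Authentication error, policy_id=2, local_ip=10.10.10.10, "
    "peer_ip=192.168.228.226, spi=12345678, sa_id=1000, interface=1, "
    "the first 80 bytes are A0 B1 C2",
]

# "alarm_name detected. message_string" (the Ping-of-Death format uses a comma after "detected").
HEADER_RE = re.compile(r"^(?P<name>[A-Za-z]+(?:-[A-Za-z]+)*) detected[.,]\s*(?P<detail>.*)$")
INTERFACE_RE = re.compile(r"detected on interface (?P<intf>\d+)")
THRESHOLD_RE = re.compile(r"\(>(?P<thr>\d+)\)")
IPV4 = r"\d+(?:\.\d+){3}"
DDOS_RE = re.compile(rf"(?P<dir>from source|for destination) (?P<ip>{IPV4})/\s*(?P<mask>{IPV4})")
SCAN_RE = re.compile(
    rf"(?P<kind>Port|IP) scan threshold (?P<thr>\d+) reached, (?P<count>\d+) (?:ports|IPs) "
    rf"scanned by (?P<src>{IPV4}) in (?P<secs>\d+) seconds"
)
KV_RE = re.compile(r"(?P<key>[a-z_]+)=(?P<val>[^,\s]+)")


@dataclass
class Alarm:
    name: str                         # alarm_name, e.g. "SYN-Attack"
    detail: str                       # message_string that follows "detected."
    interface: Optional[int] = None   # interface_number, when the message names one
    threshold: Optional[int] = None   # (>threshold) or scan threshold, when present
    source_ip: Optional[str] = None   # address the message implicates, when it carries one
    fields: Dict[str, str] = field(default_factory=dict)  # remaining named items


def parse_alarm(message: str) -> Optional[Alarm]:
    """Split one alarm line into its documented components; None if it is not an alarm."""
    header = HEADER_RE.match(message.strip())
    if header is None:
        return None
    alarm = Alarm(name=header["name"], detail=header["detail"])
    detail = alarm.detail
    if (m := INTERFACE_RE.search(detail)):
        alarm.interface = int(m["intf"])
    if (m := THRESHOLD_RE.search(detail)):
        alarm.threshold = int(m["thr"])
    if (m := DDOS_RE.search(detail)):
        # DDOS-Attack-Src / DDOS-Attack-Dest: address/mask plus direction
        direction = "source" if m["dir"].startswith("from") else "destination"
        alarm.fields.update(direction=direction, address=m["ip"], mask=m["mask"])
        if direction == "source":
            alarm.source_ip = m["ip"]
    elif (m := SCAN_RE.search(detail)):
        # Port-Scan / IP-Scan: threshold, count, scanning host and time window
        alarm.threshold = int(m["thr"])
        alarm.fields.update(kind=m["kind"].lower(), count=m["count"], seconds=m["secs"])
        alarm.source_ip = m["src"]
    else:
        # IP-Spoofing and the ESP/AH authentication errors use key=value lists;
        # the trailing period of the last value is not part of the value.
        for kv in KV_RE.finditer(detail):
            alarm.fields[kv["key"]] = kv["val"].rstrip(".")
        if "interface" in alarm.fields:
            alarm.interface = int(alarm.fields["interface"])
        alarm.source_ip = alarm.fields.get("src_ip") or alarm.fields.get("peer_ip")
    return alarm


def alarms_by_source(messages: List[str]) -> Dict[str, List[str]]:
    """Group alarm names by the address they implicate, skipping messages without one."""
    grouped: Dict[str, List[str]] = {}
    for msg in messages:
        alarm = parse_alarm(msg)
        if alarm is not None and alarm.source_ip:
            grouped.setdefault(alarm.source_ip, []).append(alarm.name)
    return grouped


if __name__ == "__main__":
    for line in SAMPLE_ALARMS:
        print(parse_alarm(line))
    print(alarms_by_source(SAMPLE_ALARMS))
```

Alarms that name only an interface (SYN-Attack, the floods, Ping-of-Death, Tear-Drop) never carry an address, so a per-source count can only be built from the DDoS source, scan, spoofing and IPsec authentication messages; the interface number is still worth keeping, since a burst of interface-only alarms on one interface is itself the signal those alarms exist to give.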