WSM Reference Guide - WatchGuard Technologies

20.02.2014 Views
Alarm Logs Denial of Servce (DoS) Alarms Default Name DOS Message Format Example Message Caused By alarm_name detected. message_string. NOTE: The content of this alarm message is based on what DOS event triggered it. See the examples below. These alarms are triggered by any DOS events. SYN- Attack alarm _ame detected. TCP SYN attack detected on interface interface_number.” SYN-Attack detected. TCP SYN attack detected on interface 1. These alarms are triggered by SYN attacks. UDP- Flood alarm _name detected. UDP Flood attack detected on interface interface_number. UDP-Flood detected. UDP Flood attack detected on interface 1. These alarms are triggered by UDP Flood attacks. ICMP- Flood alarm_name detected. ICMP Flood attack detected on interface interface_number. ICMP-Flood detected. ICMP Flood attack detected on interface 1. These alarms are triggered by ICMP Flood attacks. Ping-of- Death alarm_name detected, PING-OF- DEATH attack detected on interface interface_number. Ping-of-Death detected. PING-OF- DEATH attack detected on interface 1. These alarms are triggered by Ping-of- Death attacks. Source- Route alarm_name detected. SOURCE- ROUTE attack detected on interface interface_number. Source-Route detected. SOURCE- ROUTE attack detected on interface 1. These alarms are triggered by Source- Route attacks. IPSec- Flood alarm_name detected. IPSEC Flood attack detected on interface interface_number. IPSec-Flood detected. IPSEC Flood attack detected on interface 1. These alarms are triggered by high severity level and IPSec Flood attacks. IKE-Flood alarm_name detected. IKE Flood attack detected on interface interface_number. IKE-Flood detected. IKE Flood attack detected on interface 1. These alarms are triggered by IKE Flood attacks. DDOS- Attack-Src alarm_name detected. Denial-of- Service attacks (>threshold) from source IP address/subnet mask detected on interface interface_number. DDOS-Attack-Src detected. Denialof-Service attacks (.50) from source 192.168.226.226/255.255.255.255 detected on interface 1. These alarms are triggered by Distributed Denial of Service Source attacks. DDOS- Attack- Dest alarm_name detected. Denial-of- Service attacks (>threshold) for destination IP address/subnet mask detected on interface interface_number. DDOS-Attack-Src detected. Denialof-Service attacks (.50) for destination 192.168.226.226/ 255.255.255.255 detected on interface 1. These alarms are triggered by Distributed Denial of Service Destination attacks. 38 WatchGuard System Manager

Alarm Logs Denial of Servce (DoS) Alarms Default Name Port-Scan Message Format Example Message Caused By alarm_name detected. message_string. Port-Scan detected. Port scan threshold 300 reached, 300 ports scanned by 192.168.228.226 in 10 seconds. These alarms are triggered by Port Space Probe attacks. IP-Scan alarm_name detected. message_string. IP-Scan detected. IP scan threshold 300 reached, 300 IPs scanned by 192.168.228.226 in 10 seconds. These alarms are triggered by Address Space Probe attacks. IP- Spoofing alarm_name detected. message_string. IP-Spoofing detected. IP source spoofing detected, src_intf=30, src_ip=192.168.228.226. These alarms are triggered by IP Spoofing attacks. Tear-Drop alarm_name detected. TEAR-DROP attack detected on interface interface_number. Tear-Drop detected. TEAR-DROP attack detected on interface 1. These alarms are triggered by Tear-Drop attacks. Traffic Alarms Default Name Traffic ESP-Auth- Error AH-Auth- Error Message Format Example Message Caused By alarm _name detected, message_string. alarm_name detected. ESP Authentication error, policy_id=policy_id_number, local_ip=local_IP_address, peer_ip=peer_IP_address, spi=spi, sa_id=ID_of_SA, interface=interface_number, the first (x) bytes are list_of_first x number of bytes. alarm_name detected. AH Authentication error, policy_id=policy_id_number, local_ip=local_IP_address, peer_ip=peer_IP_address, spi=spi, sa_id=ID_of_SA, interface=interface_number, the first (x) bytes are list_of_first x number of bytes. NOTE: The content of this alarm message is based on what traffic event triggered the alarm. See the examples below. ESP-Auth-Error detected. ESP Authentication error, policy_id=2, local_ip=10.10.10.10, peer_ip=192.168.228.226, spi=12345678, sa_id=1000, interface=1, the first 80 bytes are A0 B1 C2......... AH-Auth-Error detected. AH Authentication error, policy_id=2, local_ip=10.10.10.10, peer_ip=192.168.228.226, spi=12345678, sa_id=1000, interface=1, the first 80 bytes are A0 B1 C2......... These alarms are triggered by any traffic events. These alarms are triggered by the traffic event “ESP-AUTH_ERR”. These alarms are triggered by the traffic event “AH_AUTH_ERR”. Reference Guide 39

Page 1 and 2: WatchGuard ® System Manager Refere

Page 3 and 4: Contents CHAPTER 1 Internet Protoco

Page 5 and 6: CHAPTER 1 Internet Protocol Referen

Page 7 and 8: Internet Protocol Header Keyword Nu

Page 9 and 10: Transfer Protocols Source Routing T

Page 11 and 12: CHAPTER 2 MIME Content Types Softwa

Page 13 and 14: Type Subtype Reference (where avail





Page 23 and 24: CHAPTER 3 Services and Ports Well-k

Page 25 and 26: Well-Known Services List Port(s) Pr

Page 27 and 28: Well-Known Services List Service Na

Page 29 and 30: Well-Known Services List Service Na

Page 31 and 32: CHAPTER 4 Log Messages Understandin

Page 33 and 34: Traffic Logs FWAllow Each packet fi

Page 35 and 36: Traffic Logs dst_ip="66.35.250.151"

Page 37 and 38: Traffic Logs DNS Proxy Traffic Log

Page 39 and 40: Traffic Logs HTTP Proxy Traffic Log

Page 41: Alarm Logs Policy Alarms Default Na

Page 45 and 46: Event Logs Gateway AntiVirus Servic

Page 47 and 48: Event Logs Description of Log Modul

Page 49 and 50: Event Logs Event Log Message Catalo





Page 59 and 60: Firebox Log File XML DTD and Schema

Page 61 and 62: Firebox® X Edge Log Messages Modul






Page 73 and 74: CHAPTER 5 Using the Firebox LCD Use

Page 75 and 76: Firebox Boot Countdown Firebox Boot

Page 77 and 78: Using the LCD Interface in Firebox

Page 79 and 80: CHAPTER 6 WebBlocker Content WatchG

Page 81 and 82: WebBlocker Categories Category Drug

Page 83 and 84: WebBlocker Categories Category Job

Page 85 and 86: CHAPTER 7 Resources There are many

Page 87 and 88: Mailing Lists Mailing Lists wg-user

Page 89 and 90: White Hat Web Sites beginners. Cons

Page 91 and 92: Other Web Sites maintains a list of

Page 93 and 94: RSS Feeds www.sophos.com/virusinfo/

Page 95 and 96: Index B blocked sites, searching fo

firebox

protocol

server

dhcp

watchguard

http

unable

packet

smtp

header

reference

technologies

www.watchguard.com

WSM Reference Guide - WatchGuard Technologies

WSM Reference Guide - WatchGuard Technologies ... View more WSM Reference Guide - WatchGuard Technologies

Delete template?

Save as template ?

WSM Reference Guide - WatchGuard Technologies WSM Reference Guide - WatchGuard Technologies