Administrator's Guide - Kerio Software Archive
Logs

Example:

[02/Mar/2010 08:54:38] IPS: Packet drop, severity: High,
Rule ID: 1:2008575 ET TROJAN ASProtect/ASPack Packed Binary
proto:TCP, ip/port:95.211.98.71:80(hosted-by.example.com)
-> 192.168.48.131:49960(wsmith-pc.company.com,user:smith)

• IPS: Packet drop — the particular intrusion had its action set to Log and drop (for the Log action, IPS: Alert is displayed in the log instead)
• severity: High — severity level
• Rule ID: 1:2008575 — numeric identifier of the intrusion (this number can be used to define exceptions from the intrusion detection system in the system's advanced settings)
• ET TROJAN ASProtect/ASPack... — intrusion name and description (only available for some intrusions)
• proto:TCP — traffic protocol used
• ip/port:95.211.98.71:80(hosted-by.example.com) — source IP address and port of the detected packet; the brackets give the DNS name of the particular computer, if it can be resolved
• -> 192.168.48.131:49960(wsmith-pc.company.com,user:smith) — destination IP address and port of the detected packet; the brackets give the DNS name of the particular host (if resolvable) and/or the name of the user connected from that local host

2. Anti-spoofing log records

Messages about packets that were captured by the Anti-spoofing module (packets with an invalid source IP address) — see section 8.3 for details.

22.11 Security Log

Example:

[17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48,
ip/port:61.173.81.166:1864 -> 195.39.55.10:445, flags: SYN,
seq:3819654104 ack:0, win:16384, tcplen:0

• Packet from — packet direction (either from, i.e. sent via the interface, or to, i.e. received via the interface)
• LAN — interface name (see chapter 5 for details)
• proto: — transport protocol (TCP, UDP, etc.)
• len: — packet size in bytes (including the headers)
• ip/port: — source IP address, source port, destination IP address and destination port
• flags: — TCP flags
• seq: — sequence number of the packet (TCP only)
• ack: — acknowledgement sequence number (TCP only)
• win: — size of the receive window in bytes (used for data flow control — TCP only)
• tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)

3. FTP protocol parser log records

Example 1:

[17/Jul/2008 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4,
server: 5.6.7.8, command: PORT 10,11,12,13,14,15

(attack attempt detected — a foreign IP address in the PORT command)

Example 2:

[17/Jul/2008 11:56:27] FTP: Malicious server reply: client: 1.2.3.4,
server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)

(suspicious server reply with a foreign IP address)
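As an added example (not code from the Kerio guide), a small Python parser for the three Security Log record types described on this page: it splits each record into the fields listed above, decodes the h1,h2,h3,h4,p1,p2 address carried by a PORT command or a 227 reply, and reproduces the "foreign address" check behind the FTP parser records. The sample records are constructed from the guide's examples; the field names and regular expressions are my own assumptions about the format, not Kerio's.

```python
import re
from datetime import datetime

# Constructed sample records (not from a live system), modelled on the guide's examples.
SAMPLE_LOG = """\
[02/Mar/2010 08:54:38] IPS: Packet drop, severity: High, Rule ID: 1:2008575 ET TROJAN ASProtect/ASPack Packed Binary proto:TCP, ip/port:95.211.98.71:80(hosted-by.example.com) -> 192.168.48.131:49960(wsmith-pc.company.com,user:smith)
[17/Jul/2008 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 -> 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0
[17/Jul/2008 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, server: 5.6.7.8, command: PORT 10,11,12,13,14,15
[17/Jul/2008 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)
"""

# "[timestamp] <module>: <body>" is common to every record; the body differs per module.
HEAD = re.compile(r"^\[(\d{2}/\w{3}/\d{4} \d{2}:\d{2}:\d{2})\] (IPS|Anti-Spoofing|FTP): (.*)$")
ENDPOINTS = (r"ip/port:(?P<src_ip>[\d.]+):(?P<src_port>\d+)(?:\((?P<src_info>[^)]*)\))?"
             r" -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)(?:\((?P<dst_info>[^)]*)\))?")
BODY = {
    "IPS": re.compile(r"(?P<action>Packet drop|Alert), severity: (?P<severity>\w+), Rule ID: "
                      r"(?P<rule_id>\d+:\d+)(?: (?P<name>.*?))? proto:(?P<proto>\w+), " + ENDPOINTS),
    "Anti-Spoofing": re.compile(r"Packet (?P<direction>from|to) (?P<iface>[^,]+), proto:(?P<proto>\w+), "
                                r"len:(?P<len>\d+), " + ENDPOINTS + r"(?:, flags: (?P<flags>[\w,]+), "
                                r"seq:(?P<seq>\d+) ack:(?P<ack>\d+), win:(?P<win>\d+), tcplen:(?P<tcplen>\d+))?"),
    "FTP": re.compile(r"(?P<event>Bounce attack attempt|Malicious server reply): client: (?P<client>[\d.]+), "
                      r"server: (?P<server>[\d.]+), (?:command|response): (?P<detail>.*)"),
}

def parse_record(line):
    """Parse one Security Log line into a dict; None for lines in an unknown format."""
    head = HEAD.match(line.strip())
    m = head and BODY[head.group(2)].match(head.group(3))
    if not m:
        return None
    rec = {"time": datetime.strptime(head.group(1), "%d/%b/%Y %H:%M:%S"), "kind": head.group(2)}
    rec.update({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items() if v is not None})
    if "dst_info" in rec:  # "host,user:name" -> separate host and user fields
        host, _, user = rec.pop("dst_info").partition(",user:")
        rec["dst_host"], rec["user"] = host, user or None
    return rec

def parse_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]

def decode_ftp_address(detail):
    """Decode the h1,h2,h3,h4,p1,p2 tuple carried by a PORT command or a 227 reply."""
    p = re.search(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", detail).groups()
    return ".".join(p[:4]), int(p[4]) * 256 + int(p[5])

def ftp_foreign_address(rec):
    """True when the advertised address is not the peer that sent it (PORT -> client, 227 -> server)."""
    ip, _ = decode_ftp_address(rec["detail"])
    return ip != (rec["client"] if rec["detail"].startswith("PORT") else rec["server"])
```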