WSM Reference Guide - WatchGuard Technologies

More documents

Recommendations

Info

Alarm LogsDenial of Servce (DoS) AlarmsDefaultNameDOSMessage Format Example Message Caused Byalarm_name detected.message_string.NOTE: The content of this alarmmessage is based on what DOSevent triggered it. See theexamples below.These alarms aretriggered by any DOSevents.SYN-Attackalarm _ame detected. TCP SYNattack detected on interfaceinterface_number.”SYN-Attack detected. TCP SYNattack detected on interface 1.These alarms aretriggered by SYN attacks.UDP-Floodalarm _name detected. UDP Floodattack detected on interfaceinterface_number.UDP-Flood detected. UDP Floodattack detected on interface 1.These alarms aretriggered by UDP Floodattacks.ICMP-Floodalarm_name detected. ICMP Floodattack detected on interfaceinterface_number.ICMP-Flood detected. ICMP Floodattack detected on interface 1.These alarms aretriggered by ICMP Floodattacks.Ping-of-Deathalarm_name detected, PING-OF-DEATH attack detected on interfaceinterface_number.Ping-of-Death detected. PING-OF-DEATH attack detected on interface1.These alarms aretriggered by Ping-of-Death attacks.Source-Routealarm_name detected. SOURCE-ROUTE attack detected oninterface interface_number.Source-Route detected. SOURCE-ROUTE attack detected oninterface 1.These alarms aretriggered by Source-Route attacks.IPSec-Floodalarm_name detected. IPSEC Floodattack detected on interfaceinterface_number.IPSec-Flood detected. IPSEC Floodattack detected on interface 1.These alarms aretriggered by high severitylevel and IPSec Floodattacks.IKE-Floodalarm_name detected. IKE Floodattack detected on interfaceinterface_number.IKE-Flood detected. IKE Floodattack detected on interface 1.These alarms aretriggered by IKE Floodattacks.DDOS-Attack-Srcalarm_name detected. Denial-of-Service attacks (>threshold) fromsource IP address/subnet maskdetected on interfaceinterface_number.DDOS-Attack-Src detected. Denialof-Serviceattacks (.50) from source192.168.226.226/255.255.255.255detected on interface 1.These alarms aretriggered by DistributedDenial of Service Sourceattacks.DDOS-Attack-Destalarm_name detected. Denial-of-Service attacks (>threshold) fordestination IP address/subnet maskdetected on interfaceinterface_number.DDOS-Attack-Src detected. Denialof-Serviceattacks (.50) fordestination 192.168.226.226/255.255.255.255 detected oninterface 1.These alarms aretriggered by DistributedDenial of ServiceDestination attacks.38 WatchGuard System Manager
Alarm LogsDenial of Servce (DoS) AlarmsDefaultNamePort-ScanMessage Format Example Message Caused Byalarm_name detected.message_string.Port-Scan detected. Port scanthreshold 300 reached, 300 portsscanned by 192.168.228.226 in 10seconds.These alarms aretriggered by Port SpaceProbe attacks.IP-Scanalarm_name detected.message_string.IP-Scan detected. IP scan threshold300 reached, 300 IPs scanned by192.168.228.226 in 10 seconds.These alarms aretriggered by AddressSpace Probe attacks.IP-Spoofingalarm_name detected.message_string.IP-Spoofing detected. IP sourcespoofing detected, src_intf=30,src_ip=192.168.228.226.These alarms aretriggered by IP Spoofingattacks.Tear-Dropalarm_name detected. TEAR-DROPattack detected on interfaceinterface_number.Tear-Drop detected. TEAR-DROPattack detected on interface 1.These alarms aretriggered by Tear-Dropattacks.Traffic AlarmsDefaultNameTrafficESP-Auth-ErrorAH-Auth-ErrorMessage Format Example Message Caused Byalarm _name detected,message_string.alarm_name detected. ESPAuthentication error,policy_id=policy_id_number,local_ip=local_IP_address,peer_ip=peer_IP_address, spi=spi,sa_id=ID_of_SA,interface=interface_number, thefirst (x) bytes are list_of_first xnumber of bytes.alarm_name detected. AHAuthentication error,policy_id=policy_id_number,local_ip=local_IP_address,peer_ip=peer_IP_address, spi=spi,sa_id=ID_of_SA,interface=interface_number, thefirst (x) bytes are list_of_first xnumber of bytes.NOTE: The content of this alarmmessage is based on what trafficevent triggered the alarm. See theexamples below.ESP-Auth-Error detected. ESPAuthentication error, policy_id=2,local_ip=10.10.10.10,peer_ip=192.168.228.226,spi=12345678, sa_id=1000,interface=1, the first 80 bytes areA0 B1 C2.........AH-Auth-Error detected. AHAuthentication error, policy_id=2,local_ip=10.10.10.10,peer_ip=192.168.228.226,spi=12345678, sa_id=1000,interface=1, the first 80 bytes areA0 B1 C2.........These alarms aretriggered by any trafficevents.These alarms aretriggered by the trafficevent “ESP-AUTH_ERR”.These alarms aretriggered by the trafficevent “AH_AUTH_ERR”.Reference Guide 39
Page 1 and 2: WatchGuard ® System ManagerReferen
Page 3 and 4: ContentsCHAPTER 1 Internet Protocol
Page 5 and 6: CHAPTER 1Internet Protocol Referenc
Page 7 and 8: Internet Protocol HeaderKeyword Num
Page 9 and 10: Transfer ProtocolsSource RoutingThe
Page 11 and 12: CHAPTER 2MIME Content TypesSoftware
Page 13 and 14: Type Subtype Reference (where avail
Page 23 and 24: CHAPTER 3Services and PortsWell-kno
Page 25 and 26: Well-Known Services ListPort(s) Pro
Page 27 and 28: Well-Known Services ListService Nam
Page 29 and 30: Well-Known Services ListService Nam
Page 31 and 32: CHAPTER 4Log MessagesUnderstanding
Page 33 and 34: Traffic LogsFWAllowEach packet filt
Page 35 and 36: Traffic Logsdst_ip="66.35.250.151"
Page 37 and 38: Traffic LogsDNS Proxy Traffic Log M
Page 39 and 40: Traffic LogsHTTP Proxy Traffic Log
Page 41: Alarm LogsPolicy AlarmsDefaultNameP
Page 45 and 46: Event LogsGateway AntiVirus Service
Page 47 and 48: Event LogsDescription of Log Module
Page 49 and 50: Event LogsEvent Log Message Catalog
Page 59 and 60: Firebox Log File XML DTD and Schema
Page 61 and 62: Firebox® X Edge Log MessagesModule
Page 73 and 74: CHAPTER 5WebBlocker ContentWatchGua
Page 75 and 76: WebBlocker CategoriesCategoryDrugs,
Page 77 and 78: WebBlocker CategoriesCategoryJob Se
Page 79 and 80: CHAPTER 6ResourcesThere are many re
Page 81 and 82: Mailing ListsMailing Listswg-users@
Page 83 and 84: White Hat Web Sitesbeginners. Cons:
Page 85 and 86: Other Web Sitesmaintains a list of
Page 87 and 88: RSS Feedswww.sophos.com/virusinfo/i
Page 89 and 90: IndexBblocked sites, searching for

WSM Reference Guide - WatchGuard Technologies

Create successful ePaper yourself

Delete template?

Save as template?