The meaning of various computer and security logs
Page 1 of 39
A collection of various computer
and security logs

The logs contained in this document are divided into four categories: router, firewall,
Intrusion Detection Systems (IDS) and miscellaneous. They are meant to be used as a reference
for identifying the type of software that generated a given log format and, where necessary,
for understanding how the individual fields should be interpreted.

Copyright © Guy Bruneau, 2000-2001. All rights reserved.

Router

• Ascend
• Cisco
• Cisco ACL

Firewall

• Gauntlet
• Raptor
• IPFilter (FreeBSD, OpenBSD)
• IPChains (Linux)
• ConSeal Firewall (Windows)
• ZoneAlarm (Windows)
• Cisco PIX
• SonicWall SOHO
• Cyberguard
• EnterNet
• Check Point FireWall-1


• 3Com OfficeConnect Internet Firewall 25 (Appliance)
• Norton Internet Security 2001 – Family Edition

Intrusion Detection Systems

• Snort
• Snortsnarf
• Shadow
• SecureNet Pro
• BlackICE Defender
• ClearICE report (BlackICE)
• PortSentry
• Rainbow Diamond
• Argus
• RealSecure RSLog
• Cisco Secure IDS
• Pakemon Alert
• Pakemon Dump

Miscellaneous

• ASCTcpdump
• TCPLogd
• UNIX messages
• Apache access
• Apache error
• Ethereal
• Protolog TCP

• Protolog UDP
• Protolog ICMP
• Windows NT 4 Security log
• Sniffer Pro
• Samba NMB
• Samba SMB
• Solaris snoop
• TCPDump
• TCPDump and DNS
• TCPDump ICMP and TCP stimulus response
• IP and TCP
• IP and UDP
• IP and ICMP


Revision history:

Guy Bruneau, version 0.5 – 14 February 2001



Router Logs

Ascend router

Oct 24 01:03:13 192.168.101.20 ASCEND: wan4 tcp 192.168.101.2;9704 <- dsl.subscr.6.105;9704 40 syn fin !pass (totcp-1)
Oct 24 01:03:13 192.168.101.20 ASCEND: wan4 tcp 255.255.255.255;9704 <- dsl.subscr.6.105;9704 40 syn fin !pass (totcp-1)
Oct 24 01:04:23 192.168.101.20 ASCEND: wan4 tcp 192.168.101.208;9704 <- dsl.subscr.6.105;9704 40 syn fin !pass (totcp-1)

Oct 24 01:04:23 192.168.101.20 ASCEND: wan4 tcp 192.168.101.20;9704 <- dsl.subscr.6.105;9704 40 syn fin !pass (totcp-1)

Ascend Pipeline 130 (v.35) firewall log breakdown. Read from left to right.

Field                     Meaning
Oct 24 01:03:13           Date/time stamp
192.168.101.20 ASCEND:    Router generating the log
wan4                      Reporting interface
tcp                       Packet protocol
192.168.101.2;9704        Internal address;port number (note the semicolon)
"<-"                      Direction of the packet (incoming, in this case)
dsl.subscr.6.105;9704     External address;port number (note the semicolon, again)
40                        Size of the packet in bytes (20-byte IP header plus 20-byte TCP header, no payload)
syn fin                   TCP flags that were set, listed by their three-letter names (here both SYN and FIN)
!pass (totcp-1)           Firewall rule that matched ("totcp-1"); "!pass" means the packet was not passed

A normal TCP stack never sets SYN and FIN in the same segment, and in every entry the source
port equals the destination port (9704). Both are marks of packets crafted by a scanning tool
rather than of a real connection attempt.


See the Ascend web site for more information at:


Cisco Router

Oct 15 22:21:45 [192.168.50.32] 508470: %SEC-6-IPACCESSLOGP: list 102
denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet
Oct 15 22:21:47 [192.168.50.32] 508472: %SEC-6-IPACCESSLOGP: list 102
denied tcp 10.90.24.12(2570) -> 192.168.1.1(3), 1 packet
Oct 15 22:21:51 [192.168.50.32] 508474: %SEC-6-IPACCESSLOGP: list 102
denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:21:53 [192.168.50.32] 508475: %SEC-6-IPACCESSLOGP: list 102

denied tcp 10.90.24.12(2533) -> 192.168.1.1(16), 1 packet
Oct 15 22:21:54 [192.168.50.32] 508476: %SEC-6-IPACCESSLOGP: list 102
denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet
Oct 15 22:21:57 [192.168.50.32] 508477: %SEC-6-IPACCESSLOGP: list 102
denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:22:05 [192.168.50.32] 508481: %SEC-6-IPACCESSLOGP: list 102
denied tcp 10.90.24.12(2533) -> 192.168.1.1(16), 1 packet
Oct 15 22:22:06 [192.168.50.32] 508482: %SEC-6-IPACCESSLOGP: list 102
denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet


More information available at:
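The Cisco entries above are one source (10.90.24.12) probing several ports on one host within
a few seconds. The following Python script is an added example and is not part of Bruneau's
original document: it parses %SEC-6-IPACCESSLOGP lines, groups denied destination ports per
source/destination pair to expose the sweep, and checks the IOS message sequence numbers
(the "508470:" field, produced by "service sequence-numbers") for gaps, which mean messages
were lost in transit or were simply not included in the extract. The sample input is the
eight lines from this page re-joined onto single lines. Keep in mind that IOS logs the first
matching packet immediately and then summarises further matches at five-minute intervals as
"N packets", so the count field is not a real-time per-packet figure.

```python
import re
from collections import defaultdict

# Cisco IOS ACL log message, e.g.
#   Oct 15 22:21:45 [192.168.50.32] 508470: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet
# The number before the colon is the IOS message sequence number; IOS prints
# "1 packet" for the first hit and "N packets" for the five-minute summaries.
IPACCESSLOGP = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"\[(?P<router>[^\]]+)\]\s+(?P<seq>\d+):\s+%SEC-6-IPACCESSLOGP:\s+"
    r"list\s+(?P<acl>\S+)\s+(?P<action>permitted|denied)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\)\s+->\s+(?P<dst>[\d.]+)\((?P<dport>\d+)\),\s+"
    r"(?P<count>\d+)\s+packets?$"
)

# Sample input: the eight entries shown on this page, each re-joined onto one line.
SAMPLE_LOG = """\
Oct 15 22:21:45 [192.168.50.32] 508470: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet
Oct 15 22:21:47 [192.168.50.32] 508472: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2570) -> 192.168.1.1(3), 1 packet
Oct 15 22:21:51 [192.168.50.32] 508474: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:21:53 [192.168.50.32] 508475: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(16), 1 packet
Oct 15 22:21:54 [192.168.50.32] 508476: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet
Oct 15 22:21:57 [192.168.50.32] 508477: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2603) -> 192.168.1.1(111), 1 packet
Oct 15 22:22:05 [192.168.50.32] 508481: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2533) -> 192.168.1.1(16), 1 packet
Oct 15 22:22:06 [192.168.50.32] 508482: %SEC-6-IPACCESSLOGP: list 102 denied tcp 10.90.24.12(2590) -> 192.168.1.1(101), 1 packet
"""


def parse_line(line):
    """Parse one IPACCESSLOGP line into a dict; return None for any other message."""
    m = IPACCESSLOGP.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("seq", "sport", "dport", "count"):
        ev[key] = int(ev[key])
    return ev


def parse_log(text):
    """Parse every recognised line of a syslog extract."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def denied_port_sweeps(events, min_ports=3):
    """Map (src, dst) -> sorted distinct denied destination ports, keeping only
    pairs that touched at least min_ports different ports (a port sweep)."""
    ports = defaultdict(set)
    for ev in events:
        if ev["action"] == "denied":
            ports[(ev["src"], ev["dst"])].add(ev["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


def missing_sequence_numbers(events):
    """Sequence numbers absent between the first and last seen: messages the
    collector never received, or that are not part of this extract."""
    seen = sorted(ev["seq"] for ev in events)
    if not seen:
        return []
    return sorted(set(range(seen[0], seen[-1] + 1)) - set(seen))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, dst), ports in denied_port_sweeps(evs).items():
        print("%s -> %s probed ports %s" % (src, dst, ports))
    print("missing sequence numbers:", missing_sequence_numbers(evs))
```

Run against the sample, the sweep summary is 10.90.24.12 -> 192.168.1.1 on ports 3, 16, 101
and 111, and five sequence numbers (508471, 508473, 508478-508480) are absent: other router
messages that this extract does not show.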
Cisco ACL

access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 21
access-list 101 deny tcp 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 eq 20
access-list 101 deny tcp 172.16.4.0 0.0.0.255 any eq 23
access-list 101 permit ip any any
(implicit deny all: present at the end of every access list, but unreachable here because of the preceding permit)

interface ethernet 0
ip access-group 101 out

Access-list command     Description
101                     Access list number; 100-199 indicates an extended IP access list
deny                    Traffic that matches the selected parameters will not be forwarded
tcp                     Transport-layer protocol
172.16.4.0 0.0.0.255    Source IP address and wildcard mask: the first three octets must
                        match, the last octet is ignored (0 bits must match, 1 bits are "don't care")
any                     Match any destination IP address
eq 23                   Destination port equal to 23, the well-known port for Telnet
permit                  Traffic that matches the selected parameters will be forwarded
ip                      Any IP protocol
any                     Keyword matching traffic from any source
any                     Keyword matching traffic to any destination

Interface command       Description
ip access-group 101 out Applies access list 101 to interface Ethernet 0 as an output filter

Access control lists (ACLs) offer another powerful tool for network control. They add the
flexibility to filter the packet flow into or out of router interfaces. Such control can
help limit network traffic and restrict network use by certain users or devices.

For TCP/IP packet filtering, Cisco IOS has two types of access list, standard and
extended. Here is a brief description of what they are used for:

• Standard access lists (1 to 99) check the source IP address only.

• Extended access lists (100 to 199) check source and destination IP addresses, the
protocol, and TCP and UDP port numbers.





Access list type        Number range / identifier
IP   Standard           1 - 99
     Extended           100 - 199
     Named              Name (Cisco IOS 11.2 and later)
IPX  Standard           800 - 899
     Extended           900 - 999
     SAP filters        1000 - 1099
     Named              Name (Cisco IOS 11.2.F and later)


More information available at:



Firewall Logs


Gauntlet Firewall

Oct 24 08:47:16 server kernel: securityalert: tcp if=ef0 from 10.60.255.46:1720 to 10.4.12.99 on unserved port 27374
Oct 24 11:45:05 server kernel: securityalert: tcp if=ef0 from 192.168.146.16:3626 to 10.4.12.99 on unserved port 20139
Oct 24 11:48:53 server kernel: securityalert: udp if=ef0 from 10.9.6.53:61036 to 10.4.12.99 on unserved port 137
Oct 24 17:40:49 server kernel: securityalert: tcp if=ef0 from 10.7.28.13:9704 to 10.4.12.99 on unserved port 9704

The kernel raises a "securityalert" when a packet arrives on interface ef0 for a port on
which the firewall has no proxy or service listening ("unserved port"). The fields give the
protocol, the interface, the source address:port and the destination address and port. The
last entry has its source port equal to its destination port (9704), the same pattern seen
in the Ascend log above.

More information available at:


Raptor Firewall

Sep 2 14:50:02.282 kernel: 120 ICMP Info: Not sending ICMP Unreachable in response to non-information ICMP (hsa1.sdg..net[192.168.5.13]->10.253.5.62: Protocol=ICMP[Unreachable (host)] {Inner: 10.253.5.62->202.158.59.65: Protocol=TCP[PUSH URG FIN RST ACK] Port 44301->12489}) received on interface 10.253.4.1
Sep 2 15:26:07.955 kernel: 120 ICMP Info: Not sending ICMP Unreachable in response to non-information ICMP (pb-nap.net[1.32.128.39]->10.253.2.52: Protocol=ICMP[Unreachable (host)] {Inner: 10.253.2.52->10.158.59.65: Protocol=TCP[PUSH URG FIN RST ACK] Port 1611->7024}) received on interface 10.253.4.1
Sep 2 15:52:56.268 kernel: 120 ICMP Info: Not sending ICMP Unreachable in response to non-information ICMP (Level.net[192.168.2.23]->10.253.5.86: Protocol=ICMP[Unreachable (host)] {Inner: 10.253.5.86->10.158.59.65: Protocol=TCP[PUSH URG FIN RST ACK] Port 48137->17684}) received on interface 10.253.4.1
Sep 2 15:53:27.755 kernel: 120 ICMP Info: Not sending ICMP Unreachable in response to non-information ICMP (above.sea.above.net[192.168.175.105]->10.253.5.12: Protocol=ICMP[Unreachable (host)] {Inner: 10.253.5.12->10.158.59.65: Protocol=TCP[PUSH URG FIN RST ACK] Port 39965->6563}) received on interface 10.253.4.1



Field                                                  Meaning of field
Sep 2 15:53:27.755                                     Timestamp
kernel:                                                Process that logged the event
120 ICMP                                               Message number and service (ICMP)
Info: Not sending ICMP Unreachable in response to      Informational text: the firewall will not answer
non-information ICMP                                   an ICMP error message with another ICMP error
above.sea.above.net[192.168.175.105]                   Source name and IP address
10.253.5.12                                            Destination IP address
Protocol=ICMP[Unreachable (host)]                      Protocol, with the ICMP type and code in words
{Inner: 10.253.5.12->10.158.59.65: Protocol=TCP[...]   Header of the original packet quoted inside the
Port 39965->6563}                                      ICMP error: inner source/destination, protocol,
                                                       TCP flags and ports
received on interface 10.253.4.1                       Interface (identified by address) on which the
                                                       packet arrived

The quoted inner TCP header carries PUSH, URG, FIN, RST and ACK at once, a flag combination
no real TCP stack emits, which indicates that these ICMP errors were crafted rather than
generated in response to traffic the hosts actually sent.

More information available at:


IPfilter firewall

This firewall is used with OpenBSD and FreeBSD Unix systems.

Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129790 rl0 @0:1 p 10.245.45.90 -> my-fw PR
icmp len 20 29 icmp 13/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129826 rl0 @0:1 p 10.46.101.79 -> my-fw PR
icmp len 20 29 icmp 14/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129861 rl0 @0:1 p 10.208.1.4 -> my-fw PR
icmp len 20 29 icmp 15/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129897 rl0 @0:1 p 10.129.70.57 -> my-fw PR

icmp len 20 29 icmp 16/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129933 rl0 @0:1 p 10.0.231.109 -> my-fw PR
icmp len 20 29 icmp 17/0 IN

Field                          Meaning of field
Aug 15 10:11:49                Syslog date/time group
quasi-evil                     Host name
ipmon[28775]                   Logging process (IPFilter's ipmon) and its process ID
10:11:49.129790                Packet timestamp with microseconds
rl0                            Interface
@0:1                           Rule that "fired": group 0, rule 1
p                              Action: p = pass, b = block
10.245.45.90                   Source IP
my-fw                          Destination (host name)
PR icmp                        Protocol keyword ("PR") followed by the protocol name
len 20 29                      IP header length (20) and total packet length (29) in bytes
icmp 13/0                      ICMP type 13 (timestamp request), code 0
IN                             Traffic flow direction

Note that the rule action is "p": these packets were passed, only logged. The five entries
arrive within the same millisecond, from five different source addresses, and walk ICMP
types 13, 14, 15, 16 and 17 (timestamp request and reply, information request and reply,
address mask request) in order. Those types are almost never used legitimately and are
characteristic of a probe, not of normal ICMP traffic.
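The ipmon record is positional rather than key=value, so a parser has to know the column
order. The following Python script is an added example, not part of Bruneau's document: it
parses the ipmon lines above into named fields (including the "PR icmp" protocol keyword and
the ICMP type/code pair), names the ICMP types, and reports destinations that received several
different ICMP types, the sweep pattern the five sample lines show. The sample input is the
page's five entries re-joined onto single lines; the ICMP type names come from RFC 792 and
RFC 950. The protocol-specific tail is kept as text for non-ICMP records rather than decoded.

```python
import re
from collections import defaultdict

# One ipmon line as shown on this page (syslog prefix, then ipmon's own record):
#   Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129790 rl0 @0:1 p 10.245.45.90 -> my-fw PR icmp len 20 29 icmp 13/0 IN
IPMON = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"ipmon\[(?P<pid>\d+)\]:\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<iface>\S+)\s+"
    r"@(?P<group>\d+):(?P<rule>\d+)\s+(?P<action>[A-Za-z]+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+PR\s+(?P<proto>\w+)\s+"
    r"len\s+(?P<hlen>\d+)\s+(?P<len>\d+)\s+(?P<detail>.*?)\s*(?P<dir>IN|OUT)$"
)
ICMP_DETAIL = re.compile(r"^icmp\s+(?P<type>\d+)/(?P<code>\d+)$")

# ICMP type numbers (RFC 792, RFC 950); only the ones relevant here.
ICMP_TYPES = {
    0: "echo reply", 3: "destination unreachable", 8: "echo request",
    11: "time exceeded", 13: "timestamp request", 14: "timestamp reply",
    15: "information request", 16: "information reply",
    17: "address mask request", 18: "address mask reply",
}
ACTIONS = {"p": "pass", "b": "block"}

# Sample input: the five entries from this page, re-joined onto single lines.
SAMPLE_LOG = """\
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129790 rl0 @0:1 p 10.245.45.90 -> my-fw PR icmp len 20 29 icmp 13/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129826 rl0 @0:1 p 10.46.101.79 -> my-fw PR icmp len 20 29 icmp 14/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129861 rl0 @0:1 p 10.208.1.4 -> my-fw PR icmp len 20 29 icmp 15/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129897 rl0 @0:1 p 10.129.70.57 -> my-fw PR icmp len 20 29 icmp 16/0 IN
Aug 15 10:11:49 quasi-evil ipmon[28775]: 10:11:49.129933 rl0 @0:1 p 10.0.231.109 -> my-fw PR icmp len 20 29 icmp 17/0 IN
"""


def parse_line(line):
    """Parse one ipmon line into a dict; return None for other syslog messages."""
    m = IPMON.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("pid", "group", "rule", "hlen", "len"):
        ev[key] = int(ev[key])
    ev["action_name"] = ACTIONS.get(ev["action"].lower(), ev["action"])
    ev["icmp_type"] = ev["icmp_code"] = None
    d = ICMP_DETAIL.match(ev["detail"])
    if ev["proto"] == "icmp" and d:
        ev["icmp_type"], ev["icmp_code"] = int(d["type"]), int(d["code"])
        ev["icmp_name"] = ICMP_TYPES.get(ev["icmp_type"], "type %d" % ev["icmp_type"])
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def icmp_type_sweeps(events, min_types=3):
    """Map destination -> sorted distinct ICMP types it received, for destinations
    that saw at least min_types different types. Many different ICMP types aimed
    at one target in quick succession is probe behaviour, not normal ICMP."""
    types = defaultdict(set)
    for ev in events:
        if ev["proto"] == "icmp" and ev["icmp_type"] is not None:
            types[ev["dst"]].add(ev["icmp_type"])
    return {dst: sorted(t) for dst, t in types.items() if len(t) >= min_types}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ev in evs:
        print(ev["ts"], ev["action_name"], ev["src"], "->", ev["dst"], ev["icmp_name"])
    print("ICMP type sweeps:", icmp_type_sweeps(evs))
```

On the sample the sweep report is {"my-fw": [13, 14, 15, 16, 17]}, and every record carries
action "pass", which is the operational point: the rule logged these probes but did not stop
them.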

More information available at:


IPChains Firewall

Jun 1 11:11:49 mail kernel: Packet log: input REJECT eth0 PROTO=17
10.100.1.228:57048 192.168.1.211:137 L=78 S=0x00 I=53412 F=0x0000 T=108 (#3)

Field            Example              Description
Date & time      Jun 1 11:11:49       Date and time at which the packet was logged.
Hostname         mail                 Hostname of the computer.
Syslog tag       kernel: Packet log:  Logging process; always 'kernel' for ipchains. 'Packet log:' is
                                      appended for clarity's sake and is a convenient search string.
Chain name       input                Chain to which the rule is attached: input, output or forward.
Action taken     REJECT               How the packet was handled: ACCEPT, REJECT, DENY, MASQ,
                                      REDIRECT or RETURN.
Interface        eth0                 Network interface on which the packet was seen.
Protocol #       PROTO=17             IP protocol number. Common values: 1 (ICMP), 6 (TCP), 17 (UDP).
                                      For ICMP the type and code are shown in place of the port numbers.
Source           10.100.1.228:57048   Source IP address and port number of the packet.
Destination      192.168.1.211:137    Destination IP address and port number (137 is NetBIOS name service).
Length           L=78                 Total length of the packet in bytes.
TOS              S=0x00               Type of Service byte from the IP header.
ID               I=53412              IP identification field; all fragments of one datagram share it.
Fragment offset  F=0x0000             Fragment offset; non-zero when the packet is a non-initial fragment.
TTL              T=108                Time-to-live value from the packet.
Rule #           (#3)                 Number of the rule in the chain that logged this entry.


More information is available at:


ConSeal firewall


2000/01/03 6:14:20 PM GMT -0500: AcerLAN ALN-325 1..[0000][Ref# 3] Blocking
outgoing ICMP: src=10.12.63.10, dst=192.168.15.113, type 3.
2000/01/04 4:58:21 AM GMT -0500: AcerLAN ALN-325 1..[0000][No matching rule]
Blocking incoming UDP: src=192.168.240.143, dst=10.12.63.10, sport=31790,
dport=31789.
2000/01/04 5:32:54 PM GMT -0500: AcerLAN ALN-325 1..[0000][Ref# 3] Blocking
incoming ICMP: src=10.112.60.254, dst=10.12.63.10, type 8.
2000/01/04 6:30:01 PM GMT -0500: AcerLAN ALN-325 1..[0000][No matching rule]
Blocking incoming UDP: src=192.168.240.143, dst=10.12.63.10, sport=31790,
dport=31789.
2000/01/04 9:48:24 PM GMT -0500: AcerLAN ALN-325 1..[0000][No matching rule]
Blocking incoming ICMP: src=10.112.86.167, dst=10.112.87.255, type 11.

More information available at:


ZoneAlarm (Windows 9x/NT)

ZoneAlarm Basic Logging Client v2.1.3
Windows NT-4.0.1381-Service Pack 5-SP
type date time source destination transport

FWIN 2000/04/28 09:48:24 -5:00 GMT 192.168.120.24:1364 192.168.209.246:161 UDP
FWIN 2000/04/28 10:02:34 -5:00 GMT 192.168.120.24:0 192.168.209.246:0 ICMP
FWIN 2000/04/28 10:33:44 -5:00 GMT 192.168.1.150:0 192.168.209.246:0 ICMP
PE 2000/04/28 11:03:35 -5:00 GMT Telnet Program 10.0.0.120:10023

PE 2000/04/28 11:04:58 -5:00 GMT Telnet Program 10.0.0.120:10023
FWIN 2000/04/28 11:05:24 -5:00 GMT 192.168.120.24:0 192.168.209.246:0 ICMP
PE 2000/04/28 11:05:29 -5:00 GMT Telnet Program 10.0.0.120:10023
PE 2000/04/28 11:06:23 -5:00 GMT Telnet Program 10.0.0.120:10023
FWIN 2000/04/28 11:12:32 -5:00 GMT 192.168.1.151:0 192.168.209.246:0 ICMP
FWIN 2000/04/28 11:37:50 -5:00 GMT 192.168.1.150:0 192.168.209.246:0 ICMP

Field                                           Firewall information
Type                                            FWIN
  (FWIN = blocked inbound packet, FWOUT = blocked
  outbound packet, PE = program event: an
  application asking for network access)
Date (yyyy/mm/dd)                               2000/04/28
Time, with offset from GMT                      09:48:24 -5:00 GMT
Source IP                                       192.168.120.24
Source port                                     1364
Destination IP                                  192.168.209.246
Destination port                                161
Transport protocol (ICMP/TCP/UDP/IGMP)          UDP

For ICMP entries the port fields are 0. For PE entries the source and destination columns
are replaced by the program name (Telnet above) and the remote address:port it tried to reach.


More information available at:


Cisco PIX Firewall


Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-2-106001: Inbound TCP connection
denied from 12.20.64.120/10101 to cidr.addr.pool.98/111 flags SYN on interface outside
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate)
tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.101/111
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate)
tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.102/111
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate)
tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.103/111
Oct 18 21:51:36 [internal.firewall.ip.addr] %PIX-7-106011: Deny inbound (No xlate)
tcp src outside:12.20.64.120/10101 dst outside:cidr.addr.pool.108/111

The tag %PIX-<severity>-<message id> identifies the event: 106001 (severity 2) is an inbound
connection denied by policy, and 106011 "Deny inbound (No xlate)" (severity 7, debugging)
means the firewall had no translation (xlate) entry for the destination address, so the packet
could not be forwarded. One source hitting port 111 (sunrpc portmapper) on consecutive
addresses of the pool within the same second is a portmapper sweep.

More information available at:

SonicWall SOHO

11/01/2000 23:56:30.208 - Sub Seven Attack Dropped -
Source:10.21.187.87, 4426, WAN - Destination:10.110.193.10, 1243, LAN -
11/01/2000 23:56:30.768 - Sub Seven Attack Dropped -
Source:10.21.187.87, 4426, WAN - Destination:10.110.193.10, 1243, LAN -
11/02/2000 00:09:34.592 - Sub Seven Attack Dropped -
Source:10.21.187.87, 2012, WAN - Destination:10.110.193.10, 1243, LAN -
11/02/2000 00:09:35.144 - Sub Seven Attack Dropped -
Source:10.21.187.87, 2012, WAN - Destination:10.110.193.10, 1243, LAN -

More information available at:



Cyberguard

2000/07/06 00:14:55: http: 10.250.1.30 --- 192.168.1.138 :14055: connection established
2000/07/06 00:14:55: http: 10.125.10.100 --> 192.168.78.173 :14080: GET / HTTP/1.0
2000/07/06 00:14:55: http: 10.125.10.100 --- 192.168.78.173 :14080: access to web site 192.168.78.173 denied
2000/07/06 00:14:56: http: 10.125.10.100 <-- 192.168.1.138 :14055: Content-type: text/html, Content-length:
2000/07/06 00:14:56: http: 10.125.10.100 --- 192.168.1.138 :14055: connection closed
2000/07/06 00:14:57: http: 10.125.10.100 --> 192.168.1.57 :14075: GET /image.ng/Params.richmedia=yes&uniqueID=unique_id&size=468x60&site=cbcca&zone=news&sector=1&pageloc=1 HTTP/1.0
2000/07/06 00:14:57: http: 10.125.10.100 --- 192.168.1.57 :14075: connection established
2000/07/06 00:14:57: http: 10.125.10.100 <-- 192.168.1.57 :14075: Content-type: text/html, Content-length: 305
2000/07/06 00:14:57: http: 10.125.10.100 --- 192.168.1.57 :14075: connection closed
2000/07/06 00:14:57: http: 10.125.10.100 --> 192.168.1.57 :14077: GET /image.ng/Params.richmedia=yes&uniqueID=unique_id&size=468x60&site=cbcca&zone=news&sector=1&pageloc=1 HTTP/1.0
2000/07/06 00:14:58: http: 10.125.10.100 --- 192.168.1.57 :14077: connection established
2000/07/06 00:14:58: http: 10.125.10.100 <-- 192.168.1.57 :14077: Content-type: text/html, Content-length: 305
2000/07/06 00:14:58: http: 10.125.10.100 --- 192.168.1.57 :14077: connection closed


Field                                        Firewall information
Date/time                                    2000/07/06 00:14:55:
Service (proxy) handling the connection      http:
Firewall address                             10.250.1.30
Direction marker                             --> request sent out to the server; <-- response
                                             received from the server; --- status message
                                             (connection established, closed, access denied)
Address the firewall is connecting to        192.168.1.138
Source port                                  :14055:
Firewall comment                             connection established

More information available at:
EnterNet

1999-12-14 18:15:30 ---- 192.168.1.1 ---- Category: DROP
Access Rule 6: Disallowed source IP address
ENet 0040:95a0:9d21 -> 0010:4b99:0487, type 0x0800, len 93
IP 90.0.0.1->10.0.0.2 IHL:20 DataLen:59 Proto:UDP
UDP netbios-ns->domain DataLen:51
DNS Query : SeqNo=030c OpCode:0(STD_QRY)

More information available at:


Check Point FireWall-1


Time      Origin      Action  Dst Port  Src IP        Dst IP        Protocol  Src Port
11:11:11  Firewall-1  reject  80        192.168.59.9  172.15.100.5  Tcp       1111
11:11:12  Firewall-1  reject  23        192.168.59.9  172.15.100.5  Tcp       1111
11:11:12  Firewall-1  reject  8001      192.168.59.9  172.15.100.5  Tcp       1111
11:11:12  Firewall-1  reject  8080      192.168.59.9  172.15.100.5  Tcp       1111
11:11:18  Firewall-1  reject  755       192.168.59.9  172.15.100.5  Tcp       1111
11:11:19  Firewall-1  reject  1409      192.168.59.9  172.15.100.5  Tcp       1111
11:11:21  Firewall-1  reject  1604      192.168.59.9  172.15.100.5  Tcp       1111
11:11:22  Firewall-1  reject  9200      192.168.59.9  172.15.100.5  Tcp       1111

Every rejected connection uses the same source port (1111) while the destination port changes.
A normal client picks a fresh ephemeral source port for each connection, so a fixed source
port across many destination ports identifies a scanner.

More information available at:


3Com OfficeConnect Internet Firewall 25

Note: because of NAT on the Internet side of the firewall, the attacked host appears as
192.168.99.12. Times in the firewall's own event log are UTC. The numbers following the
source and destination addresses are the port numbers.

UTC 11/22/2000 04:04:13.128 - TCP connection dropped - Source:192.168.143.189,
2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule 7
UTC 11/22/2000 04:04:14.000 - TCP connection dropped - Source:192.168.143.189,
2980, WAN - Destination:192.168.99.12, 27374, LAN - - Rule 7

The firewall reports the same events to a syslog server in the format below. There the
leading timestamp is the syslog receiver's local time (here UTC-5), while the time= field
carries the firewall's own UTC time:

11-21-2000 23:04:13 Local0.Notice wall.blilly.com id=firewall sn=00D096BF23C5
time="2000-11-22 04:04:13 UTC" fw=192.168.99.12 pri=5 c=64 m=36 msg="TCP
connection dropped" src=192.168.143.189:2980:WAN dst=192.168.99.12:27374: LAN
rule=7
11-21-2000 23:04:14 Local0.Notice wall.blilly.com id=firewall sn=00D096BF23C5
time="2000-11-22 04:04:14 UTC" fw=192.168.99.12 pri=5 c=64 m=36 msg="TCP
connection dropped" src=192.168.143.189:2980:WAN dst=192.168.99.12:27374: LAN
rule=7
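The syslog form above mixes a receiver-side header (local timestamp, facility.severity, host)
with the firewall's own key=value record, whose values may be quoted and contain spaces. The
following Python script is an added example, not part of Bruneau's document: it parses both
layers, splits the src= and dst= values into address, port and zone, and derives the
receiver's UTC offset by comparing its local timestamp with the firewall's time= field, which
is the check that resolves the "UTC or local?" question raised above. It also verifies that
the record's numeric pri= field agrees with the severity word the relay assigned (syslog
severity 5 is Notice). The sample input is the page's two lines re-joined; the stray space in
the page's "dst=...:27374: LAN" has been removed so that the destination parses like the
source.

```python
import re
from datetime import datetime

# Receiver header, then the firewall's key=value record, as shown on this page:
#   11-21-2000 23:04:13 Local0.Notice wall.blilly.com id=firewall sn=... time="2000-11-22 04:04:13 UTC" ...
HEADER = re.compile(
    r"^(?P<recv_ts>\d\d-\d\d-\d{4}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<facility>\w+)\.(?P<severity>\w+)\s+(?P<host>\S+)\s+(?P<body>.*)$"
)
# key=value pairs: a value is either a double-quoted string (may contain spaces)
# or a run of non-whitespace characters.
KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# src= / dst= values have the shape address:port:zone.
ENDPOINT = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+):(?P<zone>\w+)$")

# Syslog severity names -> numeric level (RFC 3164).
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}

# Sample input: the two syslog lines from this page, re-joined onto single lines,
# with the stray space in "dst=...:27374: LAN" removed.
SAMPLE_LOG = """\
11-21-2000 23:04:13 Local0.Notice wall.blilly.com id=firewall sn=00D096BF23C5 time="2000-11-22 04:04:13 UTC" fw=192.168.99.12 pri=5 c=64 m=36 msg="TCP connection dropped" src=192.168.143.189:2980:WAN dst=192.168.99.12:27374:LAN rule=7
11-21-2000 23:04:14 Local0.Notice wall.blilly.com id=firewall sn=00D096BF23C5 time="2000-11-22 04:04:14 UTC" fw=192.168.99.12 pri=5 c=64 m=36 msg="TCP connection dropped" src=192.168.143.189:2980:WAN dst=192.168.99.12:27374:LAN rule=7
"""


def parse_endpoint(value):
    """'192.168.143.189:2980:WAN' -> ('192.168.143.189', 2980, 'WAN'), or None."""
    m = ENDPOINT.match(value)
    return (m["ip"], int(m["port"]), m["zone"]) if m else None


def parse_line(line):
    """Parse one relayed line into header fields plus the firewall's key=value fields."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ev = {
        "recv_ts": datetime.strptime(m["recv_ts"], "%m-%d-%Y %H:%M:%S"),
        "facility": m["facility"],
        "severity": m["severity"].lower(),
        "host": m["host"],
    }
    for key, raw, quoted in KV.findall(m["body"]):
        ev[key] = quoted if raw.startswith('"') else raw
    # The firewall's own clock, always written in UTC in this format.
    ev["time_utc"] = (datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S UTC")
                      if "time" in ev else None)
    ev["src_ep"] = parse_endpoint(ev.get("src", ""))
    ev["dst_ep"] = parse_endpoint(ev.get("dst", ""))
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def receiver_offset_hours(ev):
    """Hours the syslog receiver's local clock is ahead of UTC (negative = behind),
    found by comparing its timestamp with the firewall's time= field."""
    delta = ev["recv_ts"] - ev["time_utc"]
    return round(delta.total_seconds() / 3600, 2)


def severity_consistent(ev):
    """True when the record's pri= value matches the syslog severity word of the relay."""
    return SEVERITY.get(ev["severity"]) == int(ev["pri"])


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["time_utc"], ev["msg"], ev["src_ep"], "->", ev["dst_ep"], "rule", ev["rule"],
              "receiver offset %+.1f h" % receiver_offset_hours(ev),
              "pri ok" if severity_consistent(ev) else "pri mismatch")
```

For the sample the receiver offset is -5.0 hours, confirming that 11-21-2000 23:04:13 and
2000-11-22 04:04:13 UTC describe the same instant; when correlating with other devices, use
the time= field, not the relay's header.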


More information available at:


Norton Internet Security 2001 – Family Edition

Connections Event Log

05/01/2001 15:05:31 Connection: www.sans.org: http from jocker-i1: 1292, 468 bytes
sent, 28774 bytes received, 19.532 elapsed time
05/01/2001 15:05:05 Connection: www.sans.org: http from jocker-i1: 1291, 2025 bytes
sent, 23660 bytes received, 37.124 elapsed time
05/01/2001 15:01:08 Connection: www.sans.org: http from jocker-i1: 1289, 1909 bytes
sent, 10407 bytes received, 23.642 elapsed time

Firewall Event Log

05/01/2001 15:19:52 Blocked inbound IP fragment. Details:
Protocol "Unknown"
Remote address (10.8.24.112)
Local address (192.168.24.112)
05/01/2001 15:19:49 Unused port blocking has blocked communications. Details:
Inbound TCP connection
Remote address,local service is (172.16.7.196,smtp)

Privacy Event Log

05/01/2001 15:52:36 Allowed User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) sent to ad.html?group=basics&count=2

05/01/2001 15:51:10 Allowed User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98; Win 9x 4.90) sent to ad.html?group=basics&count=1

System Event Log

Info 04/01/2001 21:23:31 NAM Service NISServ started as Windows Service.
Info 04/01/2001 21:15:16 NAM Service NISServ stopped as Windows Service.
Info 04/01/2001 21:15:15 NAM Service NISServ stopped as Windows Service.
Info 04/01/2001 17:22:01 NAM Service NISServ started as Windows Service.

Web History Event Log

05/01/2001 15:46:06 auth.pl?file=/48/55.html&lm=978455234
05/01/2001 15:42:41 auth.pl?file=/48/53.html&lm=978717822
05/01/2001 15:17:33 auth.pl?file=/48/55.htl&lm=978455234

This firewall provides Internet protection for the family with a complete, integrated
security and privacy suite.

More information available at:


Intrusion Detection Systems Logs



SNORT IDS

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] SCAN-SYN FIN [**]
10/25-20:33:38.568567 63.78.46.199:21 -> my.net.109:21
TCP TTL:26 TOS:0x0 ID:39426
**SF**** Seq: 0x76F7894 Ack: 0x59E55EAE Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] SCAN-SYN FIN [**]
10/25-20:33:38.736918 63.78.46.199:21 -> my.net.118:21
TCP TTL:26 TOS:0x0 ID:39426
**SF**** Seq: 0x76F7894 Ack: 0x59E55EAE Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Field                                              Snort information
Snort signature                                    [**] SCAN-SYN FIN [**]
Date/time group (mm/dd-hh:mm:ss.usec)              10/25-20:33:38.568567
Source address and port (21)                       63.78.46.199:21
Direction operator                                 ->
Destination address and port (21)                  my.net.109:21
Protocol and time to live (TTL)                    TCP TTL:26
Type of service (TOS)                              TOS:0x0
IP identification field (decimal)                  ID:39426
TCP flags set (S = SYN, F = FIN; an asterisk       **SF****
marks a flag that is not set)
Sequence number in hex                             Seq: 0x76F7894
Acknowledgement number in hex                      Ack: 0x59E55EAE
Window size in hex                                 Win: 0x404

Both alerts carry the same IP ID (39426), the same sequence and acknowledgement numbers, a
source port equal to the destination port (21), and SYN and FIN set together. No real TCP
stack produces this; the packets come from a scanner that fills the header with fixed values.
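The Snort 1.x text alert is a multi-line record, so reading it means grouping lines between
the "=+=+" separators before extracting fields. The following Python script is an added
example, not part of Bruneau's document or of Snort: it parses the alert blocks above into
dicts and then applies the crafted-packet checks described in the table (SYN and FIN set
together, source port equal to destination port, an acknowledgement number present although
the ACK flag is clear) and reports IP ID values reused across alerts to different
destinations. The sample input is the two alerts from this page. The checks are heuristics
for spotting tool-generated packets, not Snort rules; the flag test looks for the letters S,
F and A anywhere in the eight-character flag string and does not depend on their position.

```python
import re
from collections import defaultdict

SEPARATOR = "=+=+"
HEADER = re.compile(r"^\[\*\*\]\s+(?P<sig>.+?)\s+\[\*\*\]$")
PACKET = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+):(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>\S+):(?P<dport>\d+)$"
)
IPHDR = re.compile(r"^(?P<proto>\w+)\s+TTL:(?P<ttl>\d+)\s+TOS:(?P<tos>0x[0-9A-Fa-f]+)\s+ID:(?P<id>\d+)")
TCPHDR = re.compile(
    r"^(?P<flags>[*12UAPRSF]{8})\s+Seq:\s+(?P<seq>0x[0-9A-Fa-f]+)"
    r"\s+Ack:\s+(?P<ack>0x[0-9A-Fa-f]+)\s+Win:\s+(?P<win>0x[0-9A-Fa-f]+)"
)

# Sample input: the two Snort alerts reproduced on this page.
SAMPLE_ALERTS = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] SCAN-SYN FIN [**]
10/25-20:33:38.568567 63.78.46.199:21 -> my.net.109:21
TCP TTL:26 TOS:0x0 ID:39426
**SF**** Seq: 0x76F7894 Ack: 0x59E55EAE Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
[**] SCAN-SYN FIN [**]
10/25-20:33:38.736918 63.78.46.199:21 -> my.net.118:21
TCP TTL:26 TOS:0x0 ID:39426
**SF**** Seq: 0x76F7894 Ack: 0x59E55EAE Win: 0x404
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=
"""


def parse_record(lines):
    """Turn the lines of one alert block into a dict; None if it has no header/packet line."""
    alert = {}
    for line in lines:
        for rx in (HEADER, PACKET, IPHDR, TCPHDR):
            m = rx.match(line)
            if m:
                alert.update(m.groupdict())
                break
    if "sig" not in alert or "src" not in alert:
        return None
    for key in ("sport", "dport", "ttl", "id"):
        if key in alert:
            alert[key] = int(alert[key])
    for key in ("tos", "seq", "ack", "win"):
        if key in alert:
            alert[key] = int(alert[key], 16)
    return alert


def parse_alerts(text):
    """Split the alert file on separator lines and parse each block."""
    alerts, record = [], []
    for line in text.splitlines():
        if line.startswith(SEPARATOR):
            if record and (alert := parse_record(record)):
                alerts.append(alert)
            record = []
        elif line.strip():
            record.append(line.strip())
    if record and (alert := parse_record(record)):
        alerts.append(alert)
    return alerts


def crafted_packet_indicators(alert):
    """Header features a real TCP stack would not produce, judged from one alert alone."""
    flags = alert.get("flags", "")
    reasons = []
    if "S" in flags and "F" in flags:
        reasons.append("SYN and FIN set together")
    if alert["sport"] == alert["dport"]:
        reasons.append("source port equals destination port")
    if "S" in flags and "A" not in flags and alert.get("ack", 0) != 0:
        reasons.append("acknowledgement number set although ACK flag is clear")
    return reasons


def repeated_ip_ids(alerts):
    """IP ID values seen in packets to more than one destination: a fixed ID means the
    packets were generated by a tool, not by a host's IP stack."""
    dsts = defaultdict(set)
    for a in alerts:
        if "id" in a:
            dsts[a["id"]].add(a["dst"])
    return {i: sorted(d) for i, d in dsts.items() if len(d) > 1}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for a in alerts:
        print(a["ts"], a["sig"], a["src"], "->", a["dst"], crafted_packet_indicators(a))
    print("IP IDs reused across destinations:", repeated_ip_ids(alerts))
```

Both sample alerts trip all three indicators, and IP ID 39426 is reported against my.net.109
and my.net.118, which is the evidence for the conclusion drawn in the table above.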


Syslog format


Sep 23 08:00:37 seeker snort[18701]: IDS212 - MISC - DNS Zone Transfer: 192.168.30.1:4175 ->
10.207.90.9:53
Sep 23 08:01:44 seeker snort[18701]: IDS277 - NAMED Iquery Probe: 192.168.30.1:53 -> 10.2.0.27:53
Sep 23 08:01:51 seeker snort[18701]: PING-ICMP Destination Unreachable: 10.32.29.18 -> 192.168.30.1

Snort Portscan file


Jul 13 20:16:36 192.168.3.30:57251 -> 192.168.30.10:21 NULL ********
Jul 13 20:16:36 192.168.3.30:57252 -> 192.168.30.10:21 NMAPID **S*FP*U
Jul 13 20:16:36 192.168.3.30:57254 -> 192.168.30.10:1 SYN **S*****
Jul 13 20:16:36 192.168.3.30:57256 -> 192.168.30.10:1 XMAS ****FP*U
Jul 13 20:16:36 192.168.3.30:57243 -> 192.168.30.10:1 UDP

Snort is available at:

Snortsnarf



This package is available at:

Shadow log




More information is available at:

