NETGEAR STM150EW3-100NAS manual Using Logs to Identify Infected Clients, Log Management

Page 86

ProSecure Web/Email Security Threat Management Appliance STM150 Reference Manual

5. In Select logs to send, select the check boxes for the log types that you want the STM150 to send via email.

6. In Format, click either Plain Text or CSV. If you want the STM150 to compress the log file before sending, select the Zip the logs to save space check box.

7. In Size, select the Split log size to: check box and enter a file size (in megabytes) to split the logs into fragments of that size.

8. Click Apply.

The STM150 will email the selected logs according to the schedule you specified. To email the available logs immediately, click the Send Now button (located next to the Send to text box).

Using Logs to Identify Infected Clients

In addition to identifying malware that has been detected on the network, you can also use the STM150 logs to help identify potentially infected clients on the network. Clients that are sending out abnormally high volumes of HTTP traffic, for example, indicate possible spyware infection.

To identify infected clients that are sending spyware in the outbound traffic, query the STM150 malware logs to see whether any of your internal IP addresses are the source of spyware detected at the Internet gateway. Clients generating abnormally high amounts of HTTP traffic may also be infected by spyware or other malware.

To query log data that shows this information:

1. On the Log Query page, select Traffic as the log type.

2. Select the HTTP check box, and then run the query.

3. On the traffic logs result page, click the Size (Byte) column heading to sort the results in descending order.

4. Check whether any clients are sending out suspicious volumes of data, especially to the same destination IP address, on a regular basis.

If you find a client exhibiting this behavior, you can run a query on that client’s HTTP traffic activities to get more information. Do this by running the same HTTP traffic query and entering the client IP address in the Source IP text box.
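The same triage can be done offline on a CSV log export (see Format in the Sending Logs steps above). The script below is an added example, not part of the manual or NETGEAR's software; the column layout of the constructed sample is an assumption, since the STM150's CSV schema is not shown on this page. It keeps only HTTP rows, ranks clients by outbound bytes, and flags clients that repeatedly send large volumes to one destination on several different days.

```python
# Added example: triage of exported STM150 traffic logs (assumed CSV layout).
import csv
import io
from collections import defaultdict

# Constructed sample in the assumed layout: date,time,src_ip,dst_ip,protocol,bytes
SAMPLE_LOG = """\
date,time,src_ip,dst_ip,protocol,bytes
2009-03-01,08:05:12,192.168.1.20,203.0.113.9,HTTP,52000000
2009-03-01,09:11:03,192.168.1.21,198.51.100.4,HTTP,1200000
2009-03-02,08:06:44,192.168.1.20,203.0.113.9,HTTP,49000000
2009-03-02,10:30:00,192.168.1.22,198.51.100.7,HTTP,800000
2009-03-03,08:04:58,192.168.1.20,203.0.113.9,HTTP,51000000
2009-03-03,12:00:10,192.168.1.21,198.51.100.4,FTP,90000000
"""

def parse_traffic_log(text):
    """Return only the HTTP rows (step 2 of the procedure), bytes as int."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["protocol"].upper() != "HTTP":
            continue
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows

def outbound_by_client(rows):
    """Total HTTP bytes per source IP, largest first (step 3: sort by Size)."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["src_ip"]] += row["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

def flag_suspicious(rows, min_bytes, min_days):
    """Step 4: clients sending at least min_bytes to one destination on at
    least min_days distinct days. Returns {src_ip: [(dst_ip, days, bytes)]}."""
    per_pair = defaultdict(lambda: {"days": set(), "bytes": 0})
    for row in rows:
        key = (row["src_ip"], row["dst_ip"])
        per_pair[key]["days"].add(row["date"])
        per_pair[key]["bytes"] += row["bytes"]
    flagged = defaultdict(list)
    for (src, dst), stats in per_pair.items():
        if stats["bytes"] >= min_bytes and len(stats["days"]) >= min_days:
            flagged[src].append((dst, len(stats["days"]), stats["bytes"]))
    return dict(flagged)

if __name__ == "__main__":
    http_rows = parse_traffic_log(SAMPLE_LOG)
    for ip, total in outbound_by_client(http_rows):
        print(f"{ip:15} {total:>12} bytes")
    print(flag_suspicious(http_rows, min_bytes=100_000_000, min_days=3))
```

Tune min_bytes and min_days to your own network's baseline; a flagged client is a lead for the per-client Source IP query described above, not a verdict.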

Log Management

Generated logs take up space and resources on the STM150 disk. To ensure that there is always sufficient space to save newer logs, the STM150 automatically deletes older logs whenever the total log size reaches 50% of the allocated file size for each log type.

5-10

Monitoring System Performance

v1.1, March 2009
