22.11 Security Log
Example
[17/Jul/2008 11:46:38] Anti-Spoofing:
Packet from LAN, proto:TCP, len:48,
ip/port:61.173.81.166:1864 -> 195.39.55.10:445,
flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0
packet from — packet direction (either from, i.e. sent via the interface, or to, i.e. received via the interface)
LAN — interface name (see chapter 5 for details)
proto: — transport protocol (TCP, UDP, etc.)
len: — packet size in bytes (including the headers)
ip/port: — source IP address, source port, destination IP address and destination port
flags: — TCP flags
seq: — sequence number of the packet (TCP only)
ack: — acknowledgement sequence number (TCP only)
win: — size of the receive window in bytes (it is used for data flow control — TCP only)
tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)
2. FTP protocol parser log records
Example 1
[17/Jul/2008 11:55:14] FTP: Bounce attack attempt:
client: 1.2.3.4, server: 5.6.7.8,
command: PORT 10,11,12,13,14,15
(attack attempt detected — a foreign IP address in the PORT command)
Example 2
[17/Jul/2008 11:56:27] FTP: Malicious server reply:
client: 1.2.3.4, server: 5.6.7.8,
response: 227 Entering Passive Mode (10,11,12,13,14,15)
(suspicious server reply with a foreign IP address)
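A small parser for the Anti-Spoofing and FTP record layouts described above, added here as an example (it is not Kerio's code): it joins wrapped lines into whole records, extracts the documented fields, and decodes the h1,h2,h3,h4,p1,p2 host specification from a PORT command or 227 reply so that the "foreign address" condition behind both FTP records can be reproduced. The sample records are constructed from the examples on this page.

```python
import re

# Constructed sample, laid out as the manual prints it (fields wrapped onto
# continuation lines); real records may be written on one line.
SAMPLE_LOG = """\
[17/Jul/2008 11:46:38] Anti-Spoofing:
Packet from LAN, proto:TCP, len:48,
ip/port:61.173.81.166:1864 -> 195.39.55.10:445,
flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0
[17/Jul/2008 11:55:14] FTP: Bounce attack attempt:
client: 1.2.3.4, server: 5.6.7.8,
command: PORT 10,11,12,13,14,15
"""
HEADER = re.compile(r"^\[(\d\d/[A-Za-z]{3}/\d{4} \d\d:\d\d:\d\d)\] ([^:]+):\s*(.*)$")
SPOOF = re.compile(r"Packet (from|to) (\S+), proto:(\w+), len:(\d+), "
                   r"ip/port:(\S+):(\d+) -> (\S+):(\d+)")
FTP = re.compile(r"client: (\S+), server: (\S+), (command|response): (.*)")
HOSTPORT = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")

def split_records(text):
    """Join each timestamped header line with the continuation lines under it."""
    records = []
    for line in text.splitlines():
        if HEADER.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line.strip()
    return records

def parse_hostport(spec):
    """Decode the h1,h2,h3,h4,p1,p2 form used by FTP PORT and 227 replies."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in HOSTPORT.search(spec).groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2

def parse_record(record):
    ts, kind, rest = HEADER.match(record).groups()
    out = {"time": ts, "kind": kind}
    if kind == "Anti-Spoofing":
        d, iface, proto, length, src, sport, dst, dport = SPOOF.search(rest).groups()
        out.update(direction=d, interface=iface, proto=proto, len=int(length),
                   src=src, sport=int(sport), dst=dst, dport=int(dport))
    elif kind == "FTP":
        reason, detail = rest.split(":", 1)
        client, server, what, data = FTP.search(detail).groups()
        ip, port = parse_hostport(data)
        # PORT should carry the client's own address, a 227 reply the server's; else foreign.
        expected = client if what == "command" else server
        out.update(reason=reason.strip(), client=client, server=server,
                   data_ip=ip, data_port=port, foreign=(ip != expected))
    return out
```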
3. Failed user authentication log records
Message format:
Authentication: <service>: Client: <IP address>: <reason>
<service> — The WinRoute service to which the user attempted to authenticate (Admin = administration using Kerio Administration Console, WebAdmin = web