
Chapter 20 Logs
•flags: — TCP flags
•seq: — sequence number of the packet (TCP only)
•ack: — acknowledgement sequence number (TCP only)
•win: — size of the receive window in bytes (it is used for data flow control — TCP only)
•tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)
2.FTP protocol parser log records Example 1:
[17/Jul/2003 11:55:14] FTP: Bounce attack: attempt: client: 1.2.3.4, server: 5.6.7.8,
command: PORT 10,11,12,13,14,15
(attack attempt detected — a foreign IP address in the PORT command)
Example 2:
[17/Jul/2003 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, server: 5.6.7.8,
response: 227 Entering Passive Mode (10,11,12,13,14,15)
(suspicious server reply with a foreign IP address)
3.Failed user authentication log records
Message format:
Authentication: <service>: Client: <IP address>: <reason>
•<service> — The WinRoute service to which the user attempted to authenticate (Admin = administration using Kerio Administration Console, WebAdmin = web administration interface, WebAdmin SSL = secure web administration interface, Proxy = proxy server user authentication)
•<IP address> — IP address of the computer from which the user attempted to authenticate
•<reason> — reason of the authentication failure (nonexistent user / wrong pass- word)
Note: For detailed information on user quotas, refer to chapters 13.1 and 8.1.
4.Information about the start and shutdown of the WinRoute Firewall Engine