ProSecure Unified Threat Management (UTM) Appliance Reference Manual

Example: Using Logs to Identify Infected Clients

You can use the UTM logs to help identify potentially infected clients on the network. For example, clients that are generating abnormally high volumes of HTTP traffic might be infected with spyware or other malware threats.

To identify infected clients that are sending spyware in outbound traffic, query the UTM malware logs and see if any of your internal IP addresses are the source of spyware:

1.On the Log Query screen (see Figure 11-23 on page 11-34), select Traffic as the log type.

2.Select the start date and time from the pull-down menus.

3.Select the end date and time from the pull-down menus.

4.Next to Protocols, select the HTTP checkbox.

5.Click Search. After a few minutes, the log appears on screen.

6.Check if there are clients that are sending out suspicious volumes of data, especially to the same destination IP address, on a regular basis.

If you find a client exhibiting this behavior, you can run a query on that client’s HTTP traffic activities to get more information. Do so by running the same HTTP traffic query and entering the client IP address in the Client IP field.

Log Management

Generated logs take up space and resources on the UTM internal disk. To ensure that there is always sufficient space to save newer logs, the UTM automatically deletes older logs whenever the total log size reaches 50% of the allocated file size for each log type.

Automated log purging means that you do not need to constantly manage the size of the UTM logs and ensures that the latest malware threats and traffic activities are always recorded.

Note: After the UTM reboots, traffic logs are lost. Therefore, NETGEAR recommends that you connect the UTM to a syslog server to save the traffic logs externally. Other logs (that is, non-traffic logs) are automatically backed up on the UTM every 15 minutes. However, if a power failure affects the UTM, logs that where created within this 15-minute period are lost.

To manually purge selected logs, see “Configuring and Activating System, E-mail, and Syslog Logs” on page 11-6.

11-38

Monitoring System Access and Performance

v1.0, January 2010

Page 400
Image 400
NETGEAR UTM50-100NAS, UTM5-100NAS manual Example Using Logs to Identify Infected Clients, Log Management