Network Traffic Log

Cyberoam provides extensive logging capabilities for traffic, system, and network protection functions. Detailed log
information and reports provide historical as well as current analysis of network activity to help identify security
issues and reduce network misuse and abuse.
Cyberoam provides the following logs:
DoS Attack Log
Invalid Traffic Log
Firewall Rule Log
Local ACL Log
Dropped ICMP Redirected Packet Log
Dropped Source Routed Packet Log
Cyberoam sends the Network Traffic Log to the syslog server. Check your syslog server to view the logs.
By default, only firewall rule logging is ON, i.e. only traffic allowed/denied by the firewall is logged.
SR. No.  DATA FIELD (TYPE): DESCRIPTION
1.  Date (date): Date (yyyy-mm-dd) when the event occurred.
    For the allowed traffic - the date on which the connection was started on Cyberoam.
    For the dropped traffic - the date when the packet was dropped by Cyberoam.
2.  Time (time): Time (hh:mm:ss) when the event occurred.
    For the allowed traffic - the time when the connection was started on Cyberoam.
    For the dropped traffic - the time when the packet was dropped by Cyberoam.
3.  Device Name (string): Model number of the Cyberoam appliance.
4.  Device Id (string): Unique identifier of the Cyberoam appliance.
5.  Log Id (string): Unique 7-character code (c1c2c3c4c5c6c7), e.g. 0101011, 0102011.
    c1c2 represents Log Type, e.g. 01
    c3c4 represents Log Component, e.g. Firewall, local ACL
    c5c6 represents Log Sub Type, e.g. allow, violation
    c7 represents Priority, e.g. 1
6.  Log Type (string): Section of the system where the event occurred, e.g. Traffic for traffic logging.
    Possible values:
    01 Traffic - Entire traffic intended for Cyberoam
7.  Log Component (string): Component responsible for logging.
    Possible values:
    01 - Firewall rule: event due to any traffic allowed or dropped based on the firewall rule created.
    02 - Local ACL: event due to any traffic allowed or dropped based on the local ACL configuration, or all other traffic intended for the firewall.
    03 - DoS Attack: event due to any packets dropped based on the DoS attack settings, i.e. dropped TCP, UDP and ICMP packets.
    04 - Invalid traffic: event due to any traffic dropped which does not follow the protocol standards, invalid fragmented traffic, and traffic whose packets Cyberoam is not able to relate to any connection. Refer to the Invalid traffic list for more details.
    05 - Invalid Fragmented traffic: event when any invalid fragmented traffic is dropped. Refer to the Invalid Fragmented traffic list for more details.
    06 - ICMP redirect: event due to any ICMP Redirected packets dropped based on the DoS attack setting.
    07 - Source routed packet: event due to any source routed packets dropped based on the DoS attack setting.
    08 - Fragmented traffic: event when any fragmented traffic is dropped due to Advanced Firewall settings. Refer to Console Guide Page no. 59 for more details.
8.  Log Sub Type (string): Decision taken on traffic.
    Possible values:
    01 Allowed - Traffic permitted to and through Cyberoam based on the firewall rule settings
    02 Violation - Traffic dropped based on the firewall rule settings, local ACL settings, DoS settings or due to invalid traffic
9.  Status (string): Ultimate state of traffic (accept/deny).
10. Priority (string): Severity level of traffic. Possible values: 01 Notice
11. Duration (integer): Duration of the traffic.
12. Firewall Rule ID (integer): Firewall rule id of traffic.
13. User (string): User Id.
14. User Group (string): Group Id of user.
15. IAP (integer): Internet Access policy Id applied for traffic.
16. In Interface (string): Interface for incoming traffic, e.g. eth0. Blank for outgoing traffic.
17. Out Interface (string): Interface for outgoing traffic, e.g. eth1. Blank for incoming traffic.
18. Source IP (string): Source IP address of traffic.
19. Destination IP (string): Destination IP address of traffic.
20. Protocol (integer): Protocol number of traffic.
21. Source Port (integer): Source port of TCP and UDP traffic.
22. Destination Port (integer): Destination port of TCP and UDP traffic.
23. ICMP Type (integer): ICMP type of ICMP traffic.
24. ICMP Code (integer): ICMP code of ICMP traffic.
25. Sent Packets (integer): Total number of packets sent.
26. Received Packets (integer): Total number of packets received.
27. Sent Bytes (integer): Total number of bytes sent.
28. Received Bytes (integer): Total number of bytes received.
29. Translated Source IP (integer): Translated source IP address if Cyberoam is deployed as Gateway; "N/A" if Cyberoam is deployed as Bridge.
30. Translated Source Port (integer): Translated source port if Cyberoam is deployed as Gateway; "N/A" if Cyberoam is deployed as Bridge.
31. Translated Destination IP (integer): Translated destination IP address if Cyberoam is deployed as Gateway; "N/A" if Cyberoam is deployed as Bridge.
32. Translated Destination Port (integer): Translated destination port if Cyberoam is deployed as Gateway; "N/A" if Cyberoam is deployed as Bridge.
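The Log Id layout and the Status/Translated fields above, worked through as an added example (not Cyberoam's own code, and not its syslog wire format, which this page does not show): the record dict keyed by the table's field names, the `deployment` parameter and the Allowed/accept, Violation/deny pairing are assumptions made here.

```python
# Added example, not Cyberoam's own code: decode the 7-character Log Id
# (c1c2 c3c4 c5c6 c7) and cross-check a record against the documented fields.
# The syslog wire format is not shown on the page, so a dict keyed by the
# table's field names stands in for a parsed line.
LOG_TYPES = {"01": "Traffic"}
LOG_COMPONENTS = {
    "01": "Firewall rule", "02": "Local ACL", "03": "DoS Attack",
    "04": "Invalid traffic", "05": "Invalid Fragmented traffic",
    "06": "ICMP redirect", "07": "Source routed packet", "08": "Fragmented traffic",
}
LOG_SUB_TYPES = {"01": "Allowed", "02": "Violation"}
PRIORITIES = {"1": "Notice"}
TRANSLATED = ("Translated Source IP", "Translated Source Port",
              "Translated Destination IP", "Translated Destination Port")

def decode_log_id(log_id):
    """Split a Log Id such as 0102011 into Log Type, Component, Sub Type, Priority."""
    if len(log_id) != 7 or not log_id.isdigit():
        raise ValueError(f"Log Id must be exactly 7 digits: {log_id!r}")
    c12, c34, c56, c7 = log_id[:2], log_id[2:4], log_id[4:6], log_id[6]
    return {"log_type": LOG_TYPES.get(c12, f"unknown({c12})"),
            "component": LOG_COMPONENTS.get(c34, f"unknown({c34})"),
            "sub_type": LOG_SUB_TYPES.get(c56, f"unknown({c56})"),
            "priority": PRIORITIES.get(c7, f"unknown({c7})")}

def check_record(rec, deployment="Gateway"):
    """Return inconsistencies found in `rec`; an empty list means it is coherent.
    `deployment` (Gateway/Bridge) is an assumed parameter: the table says the Translated
    fields read "N/A" in Bridge mode. Allowed->accept / Violation->deny is inferred."""
    issues = []
    meta = decode_log_id(rec["Log Id"])
    expected = {"Allowed": "accept", "Violation": "deny"}.get(meta["sub_type"])
    if expected and rec.get("Status") != expected:
        issues.append(f"Status {rec.get('Status')!r} contradicts Sub Type {meta['sub_type']}")
    if deployment == "Bridge":
        issues += [f"{f} should be N/A in Bridge mode" for f in TRANSLATED if rec.get(f) != "N/A"]
    # Protocol number 1 is ICMP; ICMP Type/Code carry no meaning for other protocols.
    if rec.get("Protocol") != 1 and (rec.get("ICMP Type") or rec.get("ICMP Code")):
        issues.append("ICMP Type/Code set on non-ICMP traffic")
    return issues

# Constructed sample record: table field names, invented RFC 5737 test addresses.
SAMPLE = {"Log Id": "0101011", "Status": "accept", "Protocol": 6,
          "Source IP": "192.0.2.10", "Destination IP": "198.51.100.20",
          "Source Port": 51234, "Destination Port": 443, "Firewall Rule ID": 3,
          "Translated Source IP": "203.0.113.1", "Translated Source Port": 40001,
          "Translated Destination IP": "N/A", "Translated Destination Port": "N/A"}
```

Running `check_record(SAMPLE, deployment="Bridge")` flags the two translated source fields, which is the kind of mismatch that points at a mislabelled deployment mode or a parser that mapped columns wrongly.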

Invalid traffic
Cyberoam defines the following traffic as Invalid traffic:
Short IP packet
IP packets with bad IP checksum
IP packets with invalid header and/or data length
Truncated/malformed IP packet
Packets of FTP-bounce attack
Short ICMP packet
ICMP packets with bad ICMP checksum
ICMP packets with wrong ICMP type/code
Short UDP packet
Truncated/malformed UDP packet
UDP packets with bad UDP checksum
Short TCP packet
Truncated/malformed TCP packet
TCP packets with bad TCP checksum
TCP packets with invalid flag combination
Cyberoam TCP connection subsystem not able to relate TCP packets to any connection
If a Strict Internet Access Policy is applied, Cyberoam also defines the following traffic as Invalid traffic:
UDP packets with Destination Port 0
TCP packets with Source Port and/or Destination Port 0
Land Attack
Winnuke Attack
TCP SYN packets containing data
IP packet with Protocol Number 0
IP packet with TTL value 0
Invalid Fragmented traffic
Cyberoam defines the following traffic as Invalid Fragmented traffic:
Fragment queue out of memory while reassembling IP fragments
Fragment queue timeout while reassembling IP fragments
Fragment too far ahead while reassembling IP fragments
Oversized IP packet while reassembling IP fragments
Fragmentation failure while creating fragments

Document version: 9305-1.0-26/03/2007
