Logs keep information records of selected events occurred in or detected by Kerio Control. Each log is displayed in a window in the Logs section. For this particular content, we will focus on security logs in Kerio Control. Records of the following types may appear in the log:
Intrusion Prevention System Logs
Records of detected intrusions or traffic from IP addresses that are included in web databases of known intruders (blacklists).
|
[02/Mar/2013 08:54:38] IPS: Packet drop, severity: High, Rule ID: 1:2010575 ET TROJAN ASProtect/ASPack Packed Binaryproto:TCP, ip/port:95.211.98.71:80(hosted-by.example.com) > 192.168.48.131:49960(wsmith-pc.company.com,user:wsmith) |
|
| Message component | Description |
| IPS: Packet drop |
The particular intrusion had the action set for Log and drop (in case of the Log action, IPS: Alert). |
| severity: High |
Severity level. |
| Rule ID: 1:2010575 |
Number identifier of the intrusion (this number can be used for the definition of exceptions from the intrusion detection system, i.e. in the system's advanced settings). |
| ET TROJAN ASProtect/ASPack Packed Binary |
Intrusion name and description (only available for some intrusions). |
| proto:TCP |
Traffic protocol. |
| ip/port:95.211.98.71:80(hosted-by.example.com) |
Source IP address and port of the detected packet; the brackets provide information of the DNS name of the particular computer, in case that it is identifiable. |
| > 192.168.48.131:49960(wsmith-pc.company.com,user:wsmith) |
Destination IP address and port in the detected packet; the brackets provide the DNS name of the particular host (if identifiable) or the name of the user connected to the firewall from the particular local host. |
Anti-spoofing Log Records
Messages about packets that were captured by the Anti-spoofing module (packets with invalid source IP address).
|
[17/Jul/2013 11:46:38] Anti-Spoofing: Packet from LAN, proto:TCP, len:48, ip/port:61.173.81.166:1864 > 195.39.55.10:445, flags: SYN, seq:3819654104 ack:0, win:16384, tcplen:0 |
|
| Message component | Description |
| packet from |
Packet direction (eitherfrom, i.e. sent via the interface, or to, i.e. received via the interface). |
| LAN |
Name of the interface on which the traffic was detected. |
| proto: |
Transport protocol (TCP, UDP, etc.). |
| len: |
Packet size in bytes (including the headers) in bytes. |
| ip/port: |
Source IP address, source port, destination IP address and destination port. |
| flags: |
TCP flags. |
| seq: |
The sequence number of the packet (TCP only). |
| ack: |
Acknowledgment sequence number (TCP only). |
| win: |
Size of the receive window in bytes (it is used for data flow control TCP only). |
| tcplen: |
TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only). |
FTP protocol parser log records
|
Attack attempt detected — a foreign IP address in the PORT command |
|
| [17/Jul/2013 11:55:14] FTP: Bounce attack attempt: client: 1.2.3.4, server: 5.6.7.8, command: PORT 10,11,12,13,14,15 |
|
Suspicious server reply with a foreign IP address |
|
| [17/Jul/2013 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15) |
Failed User Authentication Log Records
|
Authentication: Service: Client: IP address: reason |
|
| Message component | Description |
| service |
The Kerio Control service to which the client connects. |
| WebAdmin |
Refers to "web administration interface". |
| WebInterface |
Refers to "client interface". |
| HTTP Proxy |
Refers to user authentication on the proxy server. |
| VPN Client |
Encapsulates both Kerio VPN and IPsec VPN. |
| Admin |
Refers to messages from the Console. |
| IP address |
IP address of the computer from which the user attempted to authenticate. |
| reason |
Reason of the authentication failure (nonexistent user/ wrong password). |
Information Kerio Control Engine Start/Shutdown and other Kerio Control Components
|
Start and shutdown of the Kerio Control Engine: |
|
| [17/Jun/2013 12:11:33] Engine: Startup [17/Jun/2013 12:22:43] Engine: Shutdown |
|
Start and shutdown of the Intrusion Prevention Engine: |
|
| [28/Jun/2013 10:58:58] Intrusion Prevention engine: Startup [28/Jun/2013 11:18:52] Intrusion Prevention engine: Shutdown |
Updating Components
|
Kerio Control uses components (antivirus engine and signatures, Intrusion Prevention signatures and blacklists). Updates of these components are logged in the Security log. |
|
| [09/Jul/2013 17:00:58] IPS: Basic rules successfully updated to version 1.176 [10/Jul/2013 11:56:18] Antivirus update: Kerio Antivirus database has been successfully updated. Kerio Antivirus engine version/Signature count: (AVCORE v2.1 Linux/x86_64 11.0.1.12 (Sep 29, 2016)/8528221) is now active. |
Priyanka Bhotika
Comments