Chapter 20 Logs
• flags: — TCP flags
• seq: — sequence number of the packet (TCP only)
• ack: — acknowledgement sequence number (TCP only)
• win: — size of the receive window in bytes (it is used for data flow control — TCP only)
• tcplen: — TCP payload size (i.e. size of the data part of the packet) in bytes (TCP only)
2. FTP protocol parser log records
Example 1:
[17/Jul/2003 11:55:14] FTP: Bounce attack: attempt:
client: 1.2.3.4, server: 5.6.7.8,
command: PORT 10,11,12,13,14,15
(attack attempt detected — a foreign IP address in the PORT command)
Example 2:
[17/Jul/2003 11:56:27] FTP: Malicious server reply:
client: 1.2.3.4, server: 5.6.7.8,
response: 227 Entering Passive Mode (10,11,12,13,14,15)
(suspicious server reply with a foreign IP address)
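The two FTP checks above come down to one comparison: the address carried inside a PORT command must be the client's own, and the address inside a 227 (PASV) reply must be the server's own. The following added example (not WinRoute's code; the record layout is assumed from the two examples above, with the wrapped lines joined by spaces) decodes the h1,h2,h3,h4,p1,p2 form, applies both checks, and parses Security log records of this shape to re-verify that the flagged address is really foreign:

```python
import re
from typing import Optional
# FTP encodes an endpoint as h1,h2,h3,h4,p1,p2 (RFC 959); the port is p1*256 + p2.
HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def parse_hostport(text: str) -> Optional[tuple]:
    """Return (ip, port) from a PORT command or a 227 reply, or None if malformed."""
    m = HOSTPORT.search(text)
    if not m:
        return None
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        return None
    return ".".join(map(str, octets[:4])), octets[4] * 256 + octets[5]

def foreign_port_command(client_ip: str, command: str) -> bool:
    """True when a PORT command names an address other than the client's (bounce attempt)."""
    ep = parse_hostport(command)
    return ep is not None and ep[0] != client_ip

def foreign_pasv_reply(server_ip: str, response: str) -> bool:
    """True when a 227 reply points the client at an address other than the server's."""
    ep = parse_hostport(response)
    return ep is not None and ep[0] != server_ip

# Assumed layout of the Security log records shown above (wrapped lines joined).
RECORD = re.compile(
    r"^\[(?P<ts>[^\]]+)\] FTP: (?P<event>[^:]+): (?:attempt: )?"
    r"client: (?P<client>[\d.]+), server: (?P<server>[\d.]+), "
    r"(?P<kind>command|response): (?P<payload>.*)$"
)
def check_record(line: str) -> Optional[dict]:
    """Parse one record and re-verify that the flagged address really is foreign."""
    m = RECORD.match(line)
    if not m:
        return None
    r = m.groupdict()
    if r["kind"] == "command":
        r["foreign"] = foreign_port_command(r["client"], r["payload"])
    else:
        r["foreign"] = foreign_pasv_reply(r["server"], r["payload"])
    return r

# Constructed sample records using the manual's example addresses (not real hosts).
SAMPLE_RECORDS = [
    "[17/Jul/2003 11:55:14] FTP: Bounce attack: attempt: client: 1.2.3.4, "
    "server: 5.6.7.8, command: PORT 10,11,12,13,14,15",
    "[17/Jul/2003 11:56:27] FTP: Malicious server reply: client: 1.2.3.4, "
    "server: 5.6.7.8, response: 227 Entering Passive Mode (10,11,12,13,14,15)",
]
```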
3. Failed user authentication log records
Message format:
Authentication: <service>: Client: <IP address>: <reason>
• <service> — The WinRoute service to which the user attempted to authenticate
(Admin = administration using Kerio Administration Console, WebAdmin = web
administration interface, WebAdmin SSL = secure web administration interface,
Proxy = proxy server user authentication)
• <IP address> — IP address of the computer from which the user attempted to authenticate
• <reason> — reason for the authentication failure (nonexistent user / wrong password)
Note: For detailed information on user quotas, refer to chapters 13.1 and 8.1.
4. Information about the start and shutdown of the WinRoute Firewall Engine