D-Link Forums
The Graveyard - Products No Longer Supported => D-Link NetDefend Firewalls => Topic started by: rod.fuller on February 02, 2010, 09:03:00 AM
-
We recently started having our firewalls send log information to a Syslog server. I've noticed many of these types of IDS entries:
02-02-2010 11:33:44 Local0.Warning ###.###.##.### EFW: IDS: prio=3 rule=SBS reason=intrusion_detected description="WEB-MISC WebDAV search access. Impact: Information disclosure" signature="7176:WEB-MISC WebDAV search access" idrule="SBS" srcip=67.223.67.86
02-02-2010 11:39:45 Local0.Warning ##.###.###.### EFW: IDS: prio=3 rule=Winserver reason=intrusion_detected description="Samba-Linux Trans2open request. Impact: Arbitrary code execution" signature="7783:Samba-Linux trans2open call" idrule="Winserver" srcip=66.231.204.155
Am I correct in assuming that these have been blocked? :o
-
I think it's not blocking; in my logs about IDP I can see the "action=close" string.
It's good practice to test IDP rules in Audit mode to verify whether the IDP rule was triggered by a false positive or a true attack, and then change the mode to Protect to block connections matching the IDP rule.
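One way to answer the original question ("were these blocked?") from the Syslog data itself is to parse the key=value fields of each NetDefend IDS line and check for the action field that the reply above mentions. The following is an added example written for this thread, not code from either poster or from D-Link. It assumes the line layout shown in the two quoted entries (timestamp, facility.severity, host, "EFW: IDS:", then key=value pairs with quoted values where they contain spaces), and it takes the reply's observation at face value: an entry carrying action=close is one where the connection was closed, while an entry with no action field is treated as log-only (Audit mode) and therefore not confirmed blocked. The third sample line is constructed to show that case; 203.0.113.7 is a documentation address.

```python
import re
from collections import Counter

# Constructed sample input for this example. The first two lines are the IDS
# entries quoted in the thread (host addresses masked as in the post); the third
# is an invented line carrying an "action=close" field, which the reply says it
# sees in its own logs when the firewall closed the connection.
SAMPLE_LOG = """\
02-02-2010 11:33:44 Local0.Warning ###.###.##.### EFW: IDS: prio=3 rule=SBS reason=intrusion_detected description="WEB-MISC WebDAV search access. Impact: Information disclosure" signature="7176:WEB-MISC WebDAV search access" idrule="SBS" srcip=67.223.67.86
02-02-2010 11:39:45 Local0.Warning ##.###.###.### EFW: IDS: prio=3 rule=Winserver reason=intrusion_detected description="Samba-Linux Trans2open request. Impact: Arbitrary code execution" signature="7783:Samba-Linux trans2open call" idrule="Winserver" srcip=66.231.204.155
02-02-2010 11:41:02 Local0.Warning ###.###.##.### EFW: IDS: prio=3 rule=SBS reason=intrusion_detected description="WEB-MISC WebDAV search access. Impact: Information disclosure" signature="7176:WEB-MISC WebDAV search access" idrule="SBS" srcip=203.0.113.7 action=close
"""

# Assumed header layout: date time, facility.severity, host, "EFW: IDS:", then fields.
HEADER_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) EFW: IDS: (.*)$')
# A field is key=value; the value is either "quoted, may contain spaces" or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_ids_line(line):
    """Return a dict of the IDS entry's fields, or None if the line is not an IDS entry."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    timestamp, facility, host, body = m.groups()
    entry = {"timestamp": timestamp, "facility": facility, "host": host}
    for key, quoted, bare in FIELD_RE.findall(body):
        entry[key] = quoted if quoted else bare
    return entry


def parse_ids_log(text):
    """Parse every IDS line in a block of Syslog text; non-IDS lines are skipped."""
    return [e for e in (parse_ids_line(ln) for ln in text.splitlines()) if e]


def was_blocked(entry):
    """Assumption taken from the reply in this thread: action=close is recorded when
    the firewall closed the connection. No action field means the rule only logged
    the match (Audit mode), so the hit is NOT treated as blocked."""
    return entry.get("action") == "close"


def summarize(entries):
    """Count hits per signature, split by whether the connection was closed.
    Useful for deciding which rules are still in Audit mode after the test period."""
    counts = Counter()
    for e in entries:
        counts[(e.get("signature", "?"), was_blocked(e))] += 1
    return counts


if __name__ == "__main__":
    entries = parse_ids_log(SAMPLE_LOG)
    for e in entries:
        status = "closed" if was_blocked(e) else "logged only"
        print(f'{e["timestamp"]} {e["srcip"]:>16} {status:12} {e["signature"]}')
    for (sig, blocked), n in sorted(summarize(entries).items()):
        print(f'{n}x {"closed" if blocked else "logged"}: {sig}')
```

Run against a real Syslog export, the "logged only" rows are the rules still in Audit mode; once a rule has been reviewed for false positives and switched to Protect, its later hits should start carrying the action field. If your NetDefend firmware logs a different action keyword, adjust `was_blocked` accordingly; the log manual mentioned further down the thread is the place to confirm the exact field values.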
-
Any idea where I can find a list of message types and what they mean?
-
The log manual on security.dlink.com.tw is your one stop shop for the oracle of log messages.