Topic: Messages in log (Read 4464 times)

rod.fuller · « **on:** February 02, 2010, 09:03:00 AM »

We recently started having our firewalls sending log information to a Syslog server. I've noticed many of these types of IDS entries

02-02-2010 11:33:44 Local0.Warning ###.###.##.### EFW: IDS: prio=3 rule=SBS reason=intrusion_detected description="WEB-MISC WebDAV search access. Impact: Information disclosure" signature="7176:WEB-MISC WebDAV search access" idrule="SBS" srcip=67.223.67.86

02-02-2010 11:39:45 Local0.Warning ##.###.###.### EFW: IDS: prio=3 rule=Winserver reason=intrusion_detected description="Samba-Linux Trans2open request. Impact: Arbitrary code execution" signature="7783:Samba-Linux trans2open call" idrule="Winserver" srcip=66.231.204.155

Am I correct in assuming that these have been blocked?

chechito · « **Reply #1 on:** February 03, 2010, 04:29:17 AM »

i think its not blocking, in my logs about IDP i can se the "action=close" string.

Its a good practice test IDP rules in Audit mode to verify if the IDP rule was triggered by a false positive or a true attack, an then change the mode to Protect to block connections matching IDP rule

rod.fuller · « **Reply #2 on:** February 03, 2010, 11:18:21 AM »

Any idea where I can find a list of message types and what they mean?

Fatman · « **Reply #3 on:** February 03, 2010, 12:40:47 PM »

The log manual on security.dlink.com.tw is your one stop shop for the oracle of log messages.

D-Link Forums

News:

Author Topic: Messages in log (Read 4464 times)

rod.fuller

Messages in log

chechito

Re: Messages in log

rod.fuller

Re: Messages in log

Fatman

Re: Messages in log