
Project commissioned by the Ministry of International Trade and Industry

March 2000

Information-technology Promotion Agency, Japan

"Survey on Methods of Utilizing Logs"

Survey Report on Methods of Utilizing Logs

(Attached Materials)

■ Table of Contents ■

1 Test Shot 1 ________ 1
1.1 TCP port scan ________ 1
1.2 TCP half scan ________ 3
1.3 TCP FIN stealth scan ________ 5
1.4 TCP NULL stealth scan ________ 7
1.5 UDP ICMP Unreachable scan ________ 10
1.6 finger ________ 12
1.7 phf ________ 13
1.8 nph-test-cgi ________ 14
1.9 php ________ 16
1.10 ftp online password cracking ________ 18
1.11 http online password cracking ________ 23
1.12 smtp VRFY,EXPN ________ 26
1.13 smtp unauthorized relay ________ 27
1.14 OOB ________ 31
1.15 SYN FLOOD ________ 32
1.16 Land ________ 35
1.17 Teardrop ________ 36
1.18 Smurf ________ 37
1.19 UDP Flood ________ 38
1.20 Malformed HTTP Request Header ________ 40
1.21 Connection Flood ________ 41
1.22 rpc.sadmind (buffer overflow) ________ 43
1.23 rpc.sadmind (intrusion) ________ 44
1.24 Malformed HTR Request (buffer overflow) ________ 45
1.25
2 Test Shot 2 ________ 50
2.1 TCP port scan ________ 50
2.2 TCP half scan ________ 55
2.3 TCP FIN stealth scan ________ 57
2.4 TCP NULL stealth scan ________ 60
2.5 UDP ICMP Unreachable scan ________ 62
2.6 finger ________ 65
2.7 ftp online password cracking ________ 67
2.8 http online password cracking ________ 76
2.9 smtp VRFY,EXPN ________ 79
2.10 smtp unauthorized relay ________ 81
2.11 Smurf ________ 87
2.12 UDP Flood ________ 89
2.13 Malformed HTTP Request Header ________ 90
2.14 rpc.sadmind (buffer overflow) ________ 91
2.15 rpc.sadmind (intrusion) ________ 93
2.16 Malformed HTR Request (buffer overflow) ________ 95
2.17 Malformed HTR Request (intrusion) ________ 96
3 RealSecure Network Engine policy settings ________ 100
4 RealSecure System Agent policy settings ________ 105

1 Test Shot 1

1.1 TCP port scan

1.1.1 RealSecure Network Engine 1 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
1795,2000/3/14 13:07:00,Port_Scan,6,1780,204,1780,204,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1796,2000/3/14 13:07:20,Port_Scan,6,3291,8,3291,8,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1797,2000/3/14 13:07:37,Port_Scan,6,4902,554,4902,554,1728123052,168470720,172.16.1.103,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1798,2000/3/14 13:08:11,Port_Scan,6,4396,435,4396,435,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1799,2000/3/14 13:08:32,SYNFlood,6,0,699,Any,699,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1800,2000/3/14 13:08:52,SYNFlood,6,0,480,Any,480,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1801,2000/3/14 13:08:56,SYNFlood,6,0,424,Any,424,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1802,2000/3/14 13:09:01,SYNFlood,6,0,453,Any,453,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1803,2000/3/14 13:09:01,SYNFlood,6,0,648,Any,648,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1804,2000/3/14 13:09:04,SYNFlood,6,0,1112,Any,1112,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
: (snip 135 records) :
1939,2000/3/14 13:09:50,SYNFlood,6,0,507,Any,507,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1940,2000/3/14 13:09:50,SYNFlood,6,0,421,Any,421,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1941,2000/3/14 13:09:50,SYNFlood,6,0,1418,Any,1418,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1942,2000/3/14 13:09:51,SYNFlood,6,0,440,Any,440,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1943,2000/3/14 13:09:51,SYNFlood,6,0,274,Any,274,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1944,2000/3/14 13:09:51,SYNFlood,6,0,174,Any,174,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1945,2000/3/14 13:09:52,SYNFlood,6,0,307,Any,307,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1946,2000/3/14 13:09:52,SYNFlood,6,0,495,Any,495,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1947,2000/3/14 13:09:52,SYNFlood,6,0,1068,Any,1068,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1948,2000/3/14 13:09:52,SYNFlood,6,0,865,Any,865,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1949,2000/3/14 13:09:52,SYNFlood,6,0,806,Any,806,0,168470720,0.0.0.0,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0

1.1.2 RealSecure Network Engine 2 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
14410,2000/3/14 13:07:00,Port_Scan,6,1780,204,1780,204,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14411,2000/3/14 13:07:20,Port_Scan,6,3291,8,3291,8,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0

1.1.3 FireWall-1 log

"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
4Mar2000" "13:06:56" "nei0" "fw" "log" "accept" "" "ipa3" "dmz-mail" "icmp" "4" "" "" "" "" "" "" "" "" " icmp-type 8 icmp-code 0"
"40" "14Mar2000" "13:06:56" "nei0" "fw" "log" "accept" "http" "ipa3" "dmz-mail" "tcp" "4" "60991" "" "" "" "" "" "" "" " len 40"
"41" "14Mar2000" "13:06:56" "nei1" "fw" "log" "accept" "" "dmz-mail" "ipa3" "icmp" "8" "" "" "" "" "" "" "" "" " icmp-type 0 icmp-code 0"
"42" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "118" "ipa3" "dmz-mail" "tcp" "4" "1744" "" "" "" "" "" "" "" " len 60"
"43" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "1426" "ipa3" "dmz-mail" "tcp" "4" "1745" "" "" "" "" "" "" "" " len 60"
"44" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "2011" "ipa3" "dmz-mail" "tcp" "4" "1746" "" "" "" "" "" "" "" " len 60"
"45" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "45" "ipa3" "dmz-mail" "tcp" "4" "1747" "" "" "" "" "" "" "" " len 60"
"46" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "853" "ipa3" "dmz-mail" "tcp" "4" "1748" "" "" "" "" "" "" "" " len 60"
"47" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "371" "ipa3" "dmz-mail" "tcp" "4" "1749" "" "" "" "" "" "" "" " len 60"
"48" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "2025" "ipa3" "dmz-mail" "tcp" "4" "1750" "" "" "" "" "" "" "" " len 60"
: (snip 3035 records) :
"3074" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "1430" "ipa3" "dmz-www" "tcp" "5" "4789" "" "" "" "" "" "" "" " len 60"
"3075" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "433" "ipa3" "dmz-www" "tcp" "5" "4790" "" "" "" "" "" "" "" " len 60"
"3076" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "2112" "ipa3" "dmz-www" "tcp" "5" "4791" "" "" "" "" "" "" "" " len 60"
"3077" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "652" "ipa3" "dmz-www" "tcp" "5" "4792" "" "" "" "" "" "" "" " len 60"
"3078" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "445" "ipa3" "dmz-www" "tcp" "5" "4793" "" "" "" "" "" "" "" " len 60"
"3079" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "577" "ipa3" "dmz-www" "tcp" "5" "4794" "" "" "" "" "" "" "" " len 60"
"3080" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "799" "ipa3" "dmz-www" "tcp" "5" "4795" "" "" "" "" "" "" "" " len 60"
"3081" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "574" "ipa3" "dmz-www" "tcp" "5" "4796" "" "" "" "" "" "" "" " len 60"
"3082" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "649" "ipa3" "dmz-www" "tcp" "5" "4797" "" "" "" "" "" "" "" " len 60"
"3083" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "705" "ipa3" "dmz-www" "tcp" "5" "4798" "" "" "" "" "" "" "" " len 60"

1.1.4 RealSecure System Agent log

Not detected

1.1.5 Syslog

Mar 14 13:07:02 mail sendmail[348]: SMTP connect from IDENT:root@ipa3 [172.16.1.103] (172.16.1.103)
Mar 14 13:07:02 mail sendmail[348]: NOQUEUE: --> 220 mail.dmz.local ESMTP Sendmail 8.9.3/3.7W; Tue, 14 Mar 2000 13:07:02 +0900 (JST)
Mar 14 13:07:02 mail sendmail[348]: NOQUEUE: --> 421 mail.dmz.local Lost input channel from IDENT:root@ipa3 [172.16.1.103]
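The 1.1 logs above show one scan through two export formats, RealSecure's CSV and FireWall-1's quoted, space-separated text. The following is an added example, not code from the report or from either product: it parses both formats, checks that RealSecure's numeric address columns are the little-endian 32-bit form of the *AddressName columns (inferred from the records above), aggregates the firewall's per-connection accept records into a scan indicator, and correlates that with the Port_Scan events. The sample lines are copied from section 1.1 (the same parsers apply to the 1.2 and 1.3 logs below); the five-service/ten-second threshold, the ten-second correlation slack and all function names are this example's own assumptions.

```python
"""Added example, not code from the IPA report: parse the RealSecure CSV export
and the FireWall-1 text export reproduced in section 1.1 and derive port-scan
indicators from them.  Sample lines are copied from the 1.1 logs; the
thresholds and time windows are this example's own assumptions."""
import csv
import io
import shlex
import socket
import struct
from collections import defaultdict
from datetime import datetime

# RealSecure Network Engine export: ordinary CSV under the header shown in the report.
REALSECURE_LOG = """\
ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
1795,2000/3/14 13:07:00,Port_Scan,6,1780,204,1780,204,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1796,2000/3/14 13:07:20,Port_Scan,6,3291,8,3291,8,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1799,2000/3/14 13:08:32,SYNFlood,6,0,699,Any,699,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
"""

# FireWall-1 text export: every field double-quoted and space-separated; empty
# fields are "" and the Info. field keeps its leading space inside the quotes.
FIREWALL1_LOG = """\
"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
"40" "14Mar2000" "13:06:56" "nei0" "fw" "log" "accept" "http" "ipa3" "dmz-mail" "tcp" "4" "60991" "" "" "" "" "" "" "" " len 40"
"42" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "118" "ipa3" "dmz-mail" "tcp" "4" "1744" "" "" "" "" "" "" "" " len 60"
"43" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "1426" "ipa3" "dmz-mail" "tcp" "4" "1745" "" "" "" "" "" "" "" " len 60"
"44" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "2011" "ipa3" "dmz-mail" "tcp" "4" "1746" "" "" "" "" "" "" "" " len 60"
"45" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "45" "ipa3" "dmz-mail" "tcp" "4" "1747" "" "" "" "" "" "" "" " len 60"
"46" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "853" "ipa3" "dmz-mail" "tcp" "4" "1748" "" "" "" "" "" "" "" " len 60"
"""

def parse_realsecure(text):
    return list(csv.DictReader(io.StringIO(text)))

def parse_firewall1(text):
    """Rows of the FireWall-1 export as dicts keyed by its quoted header line."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = shlex.split(lines[0])  # shlex keeps "" and " len 60" intact
    rows = []
    for line in lines[1:]:
        fields = shlex.split(line)
        if len(fields) != len(header):
            raise ValueError("malformed FireWall-1 record: %s" % line)
        rows.append(dict(zip(header, fields)))
    return rows

def decode_realsecure_addr(value):
    """SourceAddress/DestinationAddress hold the IPv4 address as a little-endian
    32-bit integer, inferred from the records (1728123052 -> 172.16.1.103)."""
    return socket.inet_ntoa(struct.pack("<I", int(value)))

def check_address_columns(rows):
    """True when every numeric address column decodes to its *AddressName column."""
    return all(decode_realsecure_addr(r["SourceAddress"]) == r["SourceAddressName"] and
               decode_realsecure_addr(r["DestinationAddress"]) == r["DestinationAddressName"]
               for r in rows)

def realsecure_scan_events(rows):
    """(source, destination, EventDate) of each Port_Scan event; the SYNFlood
    events in the same export carry source 0.0.0.0 and are left out."""
    return [(r["SourceAddressName"], r["DestinationAddressName"], r["EventDate"])
            for r in rows if r["EventName"] == "Port_Scan"]

def fw1_time(row):
    return datetime.strptime(row["Date"] + " " + row["Time"], "%d%b%Y %H:%M:%S")

def fw1_scan_candidates(rows, min_services=5, window_seconds=10):
    """(Source, Destination) pairs that touched at least min_services distinct
    TCP services within window_seconds, mapped to (window start, service count).
    The firewall logged every probe as an ordinary accepted connection (rule 4);
    only this aggregation makes the scan visible."""
    by_pair = defaultdict(list)
    for r in rows:
        if r["Proto."] == "tcp":
            by_pair[(r["Source"], r["Destination"])].append((fw1_time(r), r["Service"]))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            services = {svc for t, svc in events[i:] if (t - start).total_seconds() <= window_seconds}
            if len(services) >= min_services:
                hits[pair] = (start, len(services))
                break
    return hits

def correlate(rs_rows, fw_rows, slack_seconds=10):
    """For each RealSecure Port_Scan event, the FireWall-1 pairs whose scan-like
    burst began within slack_seconds of the event time."""
    hits = fw1_scan_candidates(fw_rows)
    result = []
    for src, dst, when in realsecure_scan_events(rs_rows):
        t = datetime.strptime(when, "%Y/%m/%d %H:%M:%S")
        near = [p for p, (start, _) in hits.items()
                if abs((start - t).total_seconds()) <= slack_seconds]
        result.append((src, dst, near))
    return result
```

With these samples the firewall pair (ipa3, dmz-mail) reaches six distinct services within four seconds, and only the first Port_Scan event (13:07:00) falls within the slack of that burst; the 13:07:20 event to 192.168.20.3 has no firewall burst in the excerpt.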

1.2 TCP half scan

1.2.1 RealSecure Network Engine 1 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
1950,2000/3/14 13:11:40,Port_Scan,6,36503,661,36503,661,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1951,2000/3/14 13:11:40,SYNFlood,6,0,1008,Any,1008,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1952,2000/3/14 13:11:42,SYNFlood,6,0,1365,Any,1365,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1953,2000/3/14 13:11:51,Port_Scan,6,34680,945,34680,945,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1954,2000/3/14 13:12:03,SYNFlood,6,0,2600,Any,2600,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1955,2000/3/14 13:12:05,SYNFlood,6,0,528,Any,528,0,168470720,0.0.0.0,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1956,2000/3/14 13:12:07,SYNFlood,6,0,95,Any,Sudup,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1957,2000/3/14 13:12:07,SYNFlood,6,0,5011,Any,5011,0,168470720,0.0.0.0,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1958,2000/3/14 13:12:08,SYNFlood,6,0,884,Any,884,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1959,2000/3/14 13:12:08,SYNFlood,6,0,7002,Any,7002,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
: (snip 129 records) :
2089,2000/3/14 13:13:04,SYNFlood,6,0,990,Any,990,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2090,2000/3/14 13:13:05,SYNFlood,6,0,574,Any,574,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2091,2000/3/14 13:13:05,SYNFlood,6,0,692,Any,692,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2092,2000/3/14 13:13:05,SYNFlood,6,0,333,Any,333,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2093,2000/3/14 13:13:05,SYNFlood,6,0,5191,Any,5191,0,168470720,0.0.0.0,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2094,2000/3/14 13:13:06,SYNFlood,6,0,697,Any,697,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2095,2000/3/14 13:13:07,SYNFlood,6,0,292,Any,292,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2096,2000/3/14 13:13:07,SYNFlood,6,0,995,Any,995,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2097,2000/3/14 13:13:08,SYNFlood,6,0,1013,Any,1013,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,

1.2.2 RealSecure Network Engine 2 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
14412,2000/3/14 13:11:51,Port_Scan,6,34680,945,34680,945,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0

1.2.3 FireWall-1 log

"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
"3089" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "" "ipa3" "dmz-mail" "icmp" "4" "" "" "" "" "" "" "" "" " icmp-type 8 icmp-code 0"
"3090" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "http" "ipa3" "dmz-mail" "tcp" "4" "36523" "" "" "" "" "" "" "" " len 40"
"3091" "14Mar2000" "13:11:39" "nei1" "fw" "log" "accept" "" "dmz-mail" "ipa3" "icmp" "8" "" "" "" "" "" "" "" "" " icmp-type 0 icmp-code 0"
"3092" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "331" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3093" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "310" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3094" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "352" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3095" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "477" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3096" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "533" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3097" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "189" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3098" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "354" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
: (snip 2990 records) :

1.2.4 RealSecure System Agent log

Not detected

1.2.5 Syslog, event log

Not detected

1.3 TCP FIN stealth scan

1.3.1 RealSecure Network Engine 1 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
2099,2000/3/14 13:15:15,Port_Scan,6,43662,131,43662,131,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2100,2000/3/14 13:15:32,Port_Scan,6,57854,289,57854,289,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2101,2000/3/14 13:15:48,Port_Scan,6,43840,208,43840,208,1728123052,169126080,172.16.1.103,192.168.20.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0

(9)

1.3.2 RealSecure Network Engine 2 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
14413,2000/3/14 13:15:15,Port_Scan,6,43662,131,43662,131,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14414,2000/3/14 13:15:32,Port_Scan,6,57854,289,57854,289,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0

1.3.3 FireWall-1 log

"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
"6100" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "" "ipa3" "dmz-mail" "icmp" "4" "" "" "" "" "" "" "" "" " icmp-type 8 icmp-code 0"
"6101" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "http" "ipa3" "dmz-mail" "tcp" "4" "43682" "" "" "" "" "" "" "" " len 40"
"6102" "14Mar2000" "13:15:15" "nei1" "fw" "log" "accept" "" "dmz-mail" "ipa3" "icmp" "8" "" "" "" "" "" "" "" "" " icmp-type 0 icmp-code 0"
"6103" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "251" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6104" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "867" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6105" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "975" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6106" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "CreativePartnerClnt" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6107" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "2784" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6108" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "usenet" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6109" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "x400-snd" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
:
(snip 4485 records)
:
"10594" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "printer" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10595" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "92" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10596" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "445" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10597" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "1491" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10598" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "2010" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10599" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "22289" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10600" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "879" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10601" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "666" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10602" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "nbsession" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10603" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "284" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10604" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "179" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"

1.3.4 RealSecure System Agent log

No detection

1.3.5 Syslog, event log

No detection


1.4 TCP NULL stealth scan

1.4.1 RealSecure Network Engine 1 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
2102,2000/3/14 13:20:18,IPHalfScan,6,45876,556,45876,Remotefs,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2103,2000/3/14 13:20:18,IPHalfScan,6,45876,182,45876,182,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2104,2000/3/14 13:20:18,IPHalfScan,6,45876,154,45876,154,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2105,2000/3/14 13:20:18,IPHalfScan,6,45876,2232,45876,2232,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2106,2000/3/14 13:20:18,IPHalfScan,6,45876,67,45876,67,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2107,2000/3/14 13:20:18,IPHalfScan,6,45876,650,45876,650,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2108,2000/3/14 13:20:18,IPHalfScan,6,45876,775,45876,775,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2109,2000/3/14 13:20:18,IPHalfScan,6,45876,5000,45876,5000,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2110,2000/3/14 13:20:18,IPHalfScan,6,45876,390,45876,390,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2111,2000/3/14 13:20:18,IPHalfScan,6,45876,855,45876,855,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
:
(snip 9011 records)
:
11121,2000/3/14 13:21:31,IPHalfScan,6,40214,784,40214,784,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11122,2000/3/14 13:21:31,IPHalfScan,6,40214,776,40214,776,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11123,2000/3/14 13:21:31,IPHalfScan,6,40214,6143,40214,6143,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11124,2000/3/14 13:21:31,IPHalfScan,6,40214,573,40214,573,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11125,2000/3/14 13:21:31,IPHalfScan,6,40214,2106,40214,2106,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11126,2000/3/14 13:21:31,IPHalfScan,6,40215,415,40215,415,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11127,2000/3/14 13:21:33,IPHalfScan,6,40215,288,40215,288,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11128,2000/3/14 13:21:33,IPHalfScan,6,40215,784,40215,784,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11129,2000/3/14 13:21:33,IPHalfScan,6,40215,776,40215,776,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11130,2000/3/14 13:21:33,IPHalfScan,6,40215,6143,40215,6143,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11131,2000/3/14 13:21:33,IPHalfScan,6,40215,573,40215,573,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11132,2000/3/14 13:21:33,IPHalfScan,6,40215,2106,40215,2106,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0


1.4.2 RealSecure Network Engine 2 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
14415,2000/3/14 13:20:18,IPHalfScan,6,45876,556,45876,Remotefs,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14416,2000/3/14 13:20:18,IPHalfScan,6,45876,182,45876,182,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14417,2000/3/14 13:20:18,IPHalfScan,6,45876,154,45876,154,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14418,2000/3/14 13:20:18,IPHalfScan,6,45876,2232,45876,2232,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14419,2000/3/14 13:20:18,IPHalfScan,6,45876,67,45876,67,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14420,2000/3/14 13:20:18,IPHalfScan,6,45876,650,45876,650,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14421,2000/3/14 13:20:18,IPHalfScan,6,45876,775,45876,775,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14422,2000/3/14 13:20:18,IPHalfScan,6,45876,5000,45876,5000,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14423,2000/3/14 13:20:18,IPHalfScan,6,45876,390,45876,390,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14424,2000/3/14 13:20:18,IPHalfScan,6,45876,855,45876,855,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
:
(snip 3087 records)
:
17512,2000/3/14 13:20:41,IPHalfScan,6,43457,8,43457,8,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17513,2000/3/14 13:20:41,IPHalfScan,6,43457,587,43457,587,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17514,2000/3/14 13:20:41,IPHalfScan,6,43457,500,43457,500,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17515,2000/3/14 13:20:41,IPHalfScan,6,43457,20,43457,FTP-Data,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17516,2000/3/14 13:20:41,IPHalfScan,6,43457,62,43457,62,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17517,2000/3/14 13:20:45,IPHalfScan,6,43457,1378,43457,1378,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17518,2000/3/14 13:20:45,IPHalfScan,6,43457,1371,43457,1371,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17519,2000/3/14 13:20:45,IPHalfScan,6,43457,467,43457,467,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17520,2000/3/14 13:20:45,IPHalfScan,6,43457,451,43457,451,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17521,2000/3/14 13:20:45,IPHalfScan,6,43457,909,43457,909,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0


1.4.3 FireWall-1 log

"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
"10605" "14Mar2000" "13:20:18" "nei0" "fw" "log" "accept" "" "ipa3" "dmz-mail" "icmp" "4" "" "" "" "" "" "" "" "" " icmp-type 8 icmp-code 0"
"10606" "14Mar2000" "13:20:18" "nei0" "fw" "log" "accept" "http" "ipa3" "dmz-mail" "tcp" "4" "45896" "" "" "" "" "" "" "" " len 40"
"10607" "14Mar2000" "13:20:18" "nei1" "fw" "log" "accept" "" "dmz-mail" "ipa3" "icmp" "8" "" "" "" "" "" "" "" "" " icmp-type 0 icmp-code 0"
"10608" "14Mar2000" "13:20:18" "nei0" "fw" "log" "accept" "556" "ipa3" "dmz-mail" "tcp" "4" "45876" "" "" "" "" "" "" "" " len 40"
"10609" "14Mar2000" "13:20:18" "nei0" "fw" "log" "accept" "182" "ipa3" "dmz-mail" "tcp" "4" "45876" "" "" "" "" "" "" "" " len 40"
"10610" "14Mar2000" "13:20:18" "nei0" "fw" "log" "accept" "154" "ipa3" "dmz-mail" "tcp" "4" "45876" "" "" "" "" "" "" "" " len 40"
"10611" "14Mar2000" "13:20:18" "nei0" "fw" "log" "accept" "2232" "ipa3" "dmz-mail" "tcp" "4" "45876" "" "" "" "" "" "" "" " len 40"
"10612" "14Mar2000" "13:20:18" "nei0" "fw" "log" "accept" "67" "ipa3" "dmz-mail" "tcp" "4" "45876" "" "" "" "" "" "" "" " len 40"
"10613" "14Mar2000" "13:20:18" "nei0" "fw" "log" "accept" "650" "ipa3" "dmz-mail" "tcp" "4" "45876" "" "" "" "" "" "" "" " len 40"
"10614" "14Mar2000" "13:20:18" "nei0" "fw" "log" "accept" "775" "ipa3" "dmz-mail" "tcp" "4" "45876" "" "" "" "" "" "" "" " len 40"
:
(snip 3032 records)
:
"13647" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "8" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"
"13648" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "587" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"
"13649" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "500" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"
"13650" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "ftp-data" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"
"13651" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "62" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"
"13652" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "1378" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"
"13653" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "1371" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"
"13654" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "467" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"
"13655" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "451" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"
"13656" "14Mar2000" "13:20:41" "nei0" "fw" "log" "accept" "909" "ipa3" "dmz-www" "tcp" "5" "43457" "" "" "" "" "" "" "" " len 40"

1.4.4 RealSecure System Agent log

No detection

1.4.5 Syslog, event log

No detection


1.5 UDP ICMP Unreachable scan

1.5.1 RealSecure Network Engine 1 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
11133,2000/3/14 13:25:24,UDP_Port_Scan,17,53173,497,53173,497,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11134,2000/3/14 13:36:59,UDP_Port_Scan,17,53173,271,53173,271,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11135,2000/3/14 13:51:41,UDP_Port_Scan,17,46019,778,46019,778,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11136,2000/3/14 13:52:11,UDP_Port_Scan,17,40078,391,40078,391,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11137,2000/3/14 13:53:38,UDP_Port_Scan,17,53385,261,53385,261,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11138,2000/3/14 13:54:17,UDP_Port_Scan,17,43605,676,43605,676,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0

1.5.2 RealSecure Network Engine 2 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
17522,2000/3/14 13:25:24,UDP_Port_Scan,17,53173,497,53173,497,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
17523,2000/3/14 13:51:40,UDP_Port_Scan,17,46019,778,46019,778,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17524,2000/3/14 13:52:11,UDP_Port_Scan,17,40078,391,40078,391,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
