Commissioned project of the Ministry of International Trade and Industry
March 2000 (Heisei 12)
Information-technology Promotion Agency, Japan (IPA)
"Survey on Methods of Utilizing Logs"
Survey Report on Methods of Utilizing Logs
(Attached Materials)
■ Table of Contents ■
1 Test shot 1
1.1 TCP port scan
1.2 TCP half-open scan
1.3 TCP FIN stealth scan
1.4 TCP NULL stealth scan
1.5 UDP ICMP Unreachable scan
1.6 finger
1.7 phf
1.8 nph-test-cgi
1.9 php
1.10 ftp online password cracking
1.11 http online password cracking
1.12 smtp VRFY, EXPN
1.13 smtp unauthorized relay
1.14 OOB
1.15 SYN FLOOD
1.16 Land
1.17 Teardrop
1.18 Smurf
1.19 UDP Flood
1.20 Malformed HTTP Request Header
1.21 Connection Flood
1.22 rpc.sadmind (buffer overflow)
1.23 rpc.sadmind (intrusion)
1.24 Malformed HTR Request (buffer overflow)
1.25
2 Test shot 2
2.1 TCP port scan
2.2 TCP half-open scan
2.3 TCP FIN stealth scan
2.4 TCP NULL stealth scan
2.5 UDP ICMP Unreachable scan
2.6 finger
2.7 ftp online password cracking
2.8 http online password cracking
2.9 smtp VRFY, EXPN
2.10 smtp unauthorized relay
2.11 Smurf
2.12 UDP Flood
2.13 Malformed HTTP Request Header
2.14 rpc.sadmind (buffer overflow)
2.15 rpc.sadmind (intrusion)
2.16 Malformed HTR Request (buffer overflow)
2.17 Malformed HTR Request (intrusion)
3 RealSecure Network Engine policy settings
4 RealSecure System Agent policy settings
1 Test shot 1

1.1 TCP port scan

1.1.1 RealSecure Network Engine 1 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
1795,2000/3/14 13:07:00,Port_Scan,6,1780,204,1780,204,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1796,2000/3/14 13:07:20,Port_Scan,6,3291,8,3291,8,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1797,2000/3/14 13:07:37,Port_Scan,6,4902,554,4902,554,1728123052,168470720,172.16.1.103,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1798,2000/3/14 13:08:11,Port_Scan,6,4396,435,4396,435,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1799,2000/3/14 13:08:32,SYNFlood,6,0,699,Any,699,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1800,2000/3/14 13:08:52,SYNFlood,6,0,480,Any,480,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1801,2000/3/14 13:08:56,SYNFlood,6,0,424,Any,424,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1802,2000/3/14 13:09:01,SYNFlood,6,0,453,Any,453,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1803,2000/3/14 13:09:01,SYNFlood,6,0,648,Any,648,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1804,2000/3/14 13:09:04,SYNFlood,6,0,1112,Any,1112,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
: (snip 135 records) :
1939,2000/3/14 13:09:50,SYNFlood,6,0,507,Any,507,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1940,2000/3/14 13:09:50,SYNFlood,6,0,421,Any,421,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1941,2000/3/14 13:09:50,SYNFlood,6,0,1418,Any,1418,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1942,2000/3/14 13:09:51,SYNFlood,6,0,440,Any,440,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1943,2000/3/14 13:09:51,SYNFlood,6,0,274,Any,274,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1944,2000/3/14 13:09:51,SYNFlood,6,0,174,Any,174,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1945,2000/3/14 13:09:52,SYNFlood,6,0,307,Any,307,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1946,2000/3/14 13:09:52,SYNFlood,6,0,495,Any,495,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1947,2000/3/14 13:09:52,SYNFlood,6,0,1068,Any,1068,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1948,2000/3/14 13:09:52,SYNFlood,6,0,865,Any,865,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1949,2000/3/14 13:09:52,SYNFlood,6,0,806,Any,806,0,168470720,0.0.0.0,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0

1.1.2 RealSecure Network Engine 2 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
14410,2000/3/14 13:07:00,Port_Scan,6,1780,204,1780,204,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14411,2000/3/14 13:07:20,Port_Scan,6,3291,8,3291,8,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0

1.1.3 FireWall-1 log

"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
"39" "14Mar2000" "13:06:56" "nei0" "fw" "log" "accept" "" "ipa3" "dmz-mail" "icmp" "4" "" "" "" "" "" "" "" "" " icmp-type 8 icmp-code 0"
"40" "14Mar2000" "13:06:56" "nei0" "fw" "log" "accept" "http" "ipa3" "dmz-mail" "tcp" "4" "60991" "" "" "" "" "" "" "" " len 40"
"41" "14Mar2000" "13:06:56" "nei1" "fw" "log" "accept" "" "dmz-mail" "ipa3" "icmp" "8" "" "" "" "" "" "" "" "" " icmp-type 0 icmp-code 0"
"42" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "118" "ipa3" "dmz-mail" "tcp" "4" "1744" "" "" "" "" "" "" "" " len 60"
"43" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "1426" "ipa3" "dmz-mail" "tcp" "4" "1745" "" "" "" "" "" "" "" " len 60"
"44" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "2011" "ipa3" "dmz-mail" "tcp" "4" "1746" "" "" "" "" "" "" "" " len 60"
"45" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "45" "ipa3" "dmz-mail" "tcp" "4" "1747" "" "" "" "" "" "" "" " len 60"
"46" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "853" "ipa3" "dmz-mail" "tcp" "4" "1748" "" "" "" "" "" "" "" " len 60"
"47" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "371" "ipa3" "dmz-mail" "tcp" "4" "1749" "" "" "" "" "" "" "" " len 60"
"48" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "2025" "ipa3" "dmz-mail" "tcp" "4" "1750" "" "" "" "" "" "" "" " len 60"
: (snip 3035 records) :
"3074" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "1430" "ipa3" "dmz-www" "tcp" "5" "4789" "" "" "" "" "" "" "" " len 60"
"3075" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "433" "ipa3" "dmz-www" "tcp" "5" "4790" "" "" "" "" "" "" "" " len 60"
"3076" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "2112" "ipa3" "dmz-www" "tcp" "5" "4791" "" "" "" "" "" "" "" " len 60"
"3077" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "652" "ipa3" "dmz-www" "tcp" "5" "4792" "" "" "" "" "" "" "" " len 60"
"3078" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "445" "ipa3" "dmz-www" "tcp" "5" "4793" "" "" "" "" "" "" "" " len 60"
"3079" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "577" "ipa3" "dmz-www" "tcp" "5" "4794" "" "" "" "" "" "" "" " len 60"
"3080" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "799" "ipa3" "dmz-www" "tcp" "5" "4795" "" "" "" "" "" "" "" " len 60"
"3081" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "574" "ipa3" "dmz-www" "tcp" "5" "4796" "" "" "" "" "" "" "" " len 60"
"3082" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "649" "ipa3" "dmz-www" "tcp" "5" "4797" "" "" "" "" "" "" "" " len 60"
"3083" "14Mar2000" "13:07:23" "nei0" "fw" "log" "accept" "705" "ipa3" "dmz-www" "tcp" "5" "4798" "" "" "" "" "" "" "" " len 60"

1.1.4 RealSecure System Agent log

Not detected.

1.1.5 Syslog

Mar 14 13:07:02 mail sendmail[348]: SMTP connect from IDENT:root@ipa3 [172.16.1.103] (172.16.1.103)
Mar 14 13:07:02 mail sendmail[348]: NOQUEUE: --> 220 mail.dmz.local ESMTP Sendmail 8.9.3/3.7W; Tue, 14 Mar 2000 13:07:02 +0900 (JST)
Mar 14 13:07:02 mail sendmail[348]: NOQUEUE: --> 421 mail.dmz.local Lost input channel from IDENT:root@ipa3 [172.16.1.103]
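The RealSecure export above stores every address twice: as a 32-bit integer (SourceAddress, DestinationAddress) and as a dotted quad (SourceAddressName, DestinationAddressName). The integer is the address in little-endian byte order (1728123052 is 172.16.1.103, 34908352 is 192.168.20.2), and the SYNFlood rows carry 0 / 0.0.0.0 as the source because that signature is raised per destination, so the same scan that produced the four Port_Scan rows then produced over a hundred SYNFlood rows that name no attacker. The Python below is an added example, not code from the report or from ISS. It parses the CSV with the column names from the header, cross-checks the two address forms, and attributes each source-less SYNFlood row to the Port_Scan row on the same destination that preceded it. The records are copied from 1.1.1 (1795 to 1804 and 1949); the little-endian reading is inferred from those records and the five-minute attribution window is the example's own assumption.

```python
"""Read a RealSecure Network Engine CSV export and attribute its SYNFlood rows.

Added example; not code from the IPA report or from ISS. The header and the
records below are copied from section 1.1.1 of the appendix (1795-1804, 1949).
The little-endian reading of the integer address columns is inferred from those
records; the five-minute attribution window is an assumption of this example.
"""
import csv
import io
import socket
import struct
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_CSV = """\
ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
1795,2000/3/14 13:07:00,Port_Scan,6,1780,204,1780,204,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1796,2000/3/14 13:07:20,Port_Scan,6,3291,8,3291,8,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1797,2000/3/14 13:07:37,Port_Scan,6,4902,554,4902,554,1728123052,168470720,172.16.1.103,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1798,2000/3/14 13:08:11,Port_Scan,6,4396,435,4396,435,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1799,2000/3/14 13:08:32,SYNFlood,6,0,699,Any,699,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1800,2000/3/14 13:08:52,SYNFlood,6,0,480,Any,480,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1801,2000/3/14 13:08:56,SYNFlood,6,0,424,Any,424,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1802,2000/3/14 13:09:01,SYNFlood,6,0,453,Any,453,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1803,2000/3/14 13:09:01,SYNFlood,6,0,648,Any,648,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1804,2000/3/14 13:09:04,SYNFlood,6,0,1112,Any,1112,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1949,2000/3/14 13:09:52,SYNFlood,6,0,806,Any,806,0,168470720,0.0.0.0,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
"""


def int_to_ip(value):
    """The export stores IPv4 addresses as 32-bit integers in little-endian byte
    order: 1728123052 -> 172.16.1.103, 34908352 -> 192.168.20.2."""
    return socket.inet_ntoa(struct.pack("<I", int(value)))


def event_time(rec):
    return datetime.strptime(rec["EventDate"], "%Y/%m/%d %H:%M:%S")


def parse_realsecure_csv(text):
    """Parse the export and cross-check the integer address columns against the
    dotted-quad ...Name columns the engine wrote beside them."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        if (int_to_ip(r["SourceAddress"]) != r["SourceAddressName"]
                or int_to_ip(r["DestinationAddress"]) != r["DestinationAddressName"]):
            raise ValueError(f"record {r['ID']}: integer and dotted address columns disagree")
    return rows


def summarize_by_destination(rows):
    """Per destination: how often each signature fired and which sources were named.
    SYNFlood rows name no source (0 / 0.0.0.0), so they add nothing to `sources`."""
    out = defaultdict(lambda: {"events": defaultdict(int), "sources": set()})
    for r in rows:
        d = out[r["DestinationAddressName"]]
        d["events"][r["EventName"]] += 1
        if r["SourceAddressName"] != "0.0.0.0":
            d["sources"].add(r["SourceAddressName"])
    return {dst: {"events": dict(v["events"]), "sources": sorted(v["sources"])}
            for dst, v in out.items()}


def attribute_floods(rows, window=timedelta(minutes=5)):
    """Attribute each SYNFlood row to the latest Port_Scan row against the same
    destination within `window` before it. Returns {flood ID: source or None}."""
    scans = [r for r in rows if r["EventName"] == "Port_Scan"]
    attributed = {}
    for r in rows:
        if r["EventName"] != "SYNFlood":
            continue
        t = event_time(r)
        earlier = [s for s in scans
                   if s["DestinationAddressName"] == r["DestinationAddressName"]
                   and timedelta(0) <= t - event_time(s) <= window]
        attributed[r["ID"]] = (max(earlier, key=event_time)["SourceAddressName"]
                               if earlier else None)
    return attributed


if __name__ == "__main__":
    parsed = parse_realsecure_csv(SAMPLE_CSV)
    for dst, info in summarize_by_destination(parsed).items():
        print(dst, info)
    print(attribute_floods(parsed))
```

Run as a script it prints one line per destination and the attribution map; on the sample every SYNFlood row resolves to 172.16.1.103, which is what the engine 2 export and the FireWall-1 log also name as ipa3. The address cross-check is deliberately fatal: an export whose integer and dotted columns disagree was written with a different byte order, and the integer columns must not be used until that is resolved.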
1.2 TCP half-open scan

1.2.1 RealSecure Network Engine 1 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
1950,2000/3/14 13:11:40,Port_Scan,6,36503,661,36503,661,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1951,2000/3/14 13:11:40,SYNFlood,6,0,1008,Any,1008,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1952,2000/3/14 13:11:42,SYNFlood,6,0,1365,Any,1365,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1953,2000/3/14 13:11:51,Port_Scan,6,34680,945,34680,945,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1954,2000/3/14 13:12:03,SYNFlood,6,0,2600,Any,2600,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1955,2000/3/14 13:12:05,SYNFlood,6,0,528,Any,528,0,168470720,0.0.0.0,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1956,2000/3/14 13:12:07,SYNFlood,6,0,95,Any,Sudup,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1957,2000/3/14 13:12:07,SYNFlood,6,0,5011,Any,5011,0,168470720,0.0.0.0,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1958,2000/3/14 13:12:08,SYNFlood,6,0,884,Any,884,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
1959,2000/3/14 13:12:08,SYNFlood,6,0,7002,Any,7002,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
: (snip 129 records) :
2089,2000/3/14 13:13:04,SYNFlood,6,0,990,Any,990,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2090,2000/3/14 13:13:05,SYNFlood,6,0,574,Any,574,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2091,2000/3/14 13:13:05,SYNFlood,6,0,692,Any,692,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2092,2000/3/14 13:13:05,SYNFlood,6,0,333,Any,333,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2093,2000/3/14 13:13:05,SYNFlood,6,0,5191,Any,5191,0,168470720,0.0.0.0,192.168.10.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2094,2000/3/14 13:13:06,SYNFlood,6,0,697,Any,697,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2095,2000/3/14 13:13:07,SYNFlood,6,0,292,Any,292,0,169781440,0.0.0.0,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2096,2000/3/14 13:13:07,SYNFlood,6,0,995,Any,995,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,FALSE,0
2097,2000/3/14 13:13:08,SYNFlood,6,0,1013,Any,1013,0,34908352,0.0.0.0,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,1,192.168.10.11,

1.2.2 RealSecure Network Engine 2 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
14412,2000/3/14 13:11:51,Port_Scan,6,34680,945,34680,945,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0

1.2.3 FireWall-1 log

"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
"3089" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "" "ipa3" "dmz-mail" "icmp" "4" "" "" "" "" "" "" "" "" " icmp-type 8 icmp-code 0"
"3090" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "http" "ipa3" "dmz-mail" "tcp" "4" "36523" "" "" "" "" "" "" "" " len 40"
"3091" "14Mar2000" "13:11:39" "nei1" "fw" "log" "accept" "" "dmz-mail" "ipa3" "icmp" "8" "" "" "" "" "" "" "" "" " icmp-type 0 icmp-code 0"
"3092" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "331" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3093" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "310" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3094" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "352" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3095" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "477" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3096" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "533" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3097" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "189" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3098" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "354" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
: (snip 2990 records) :

1.2.4 RealSecure System Agent log

Not detected.

1.2.5 Syslog, event log

Not detected.
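In the FireWall-1 export the same host ipa3 shows up in 1.1.3 and 1.2.3 with a different packet shape. The port scan of 1.1 is logged as 60-byte SYNs, each from a fresh source port (1744, 1745, 1746, ...), and the mail server logged a completed connection for it in 1.1.5; the half-open scan of 1.2 is logged as 40-byte SYNs, all from source port 36503, and the mail server logged nothing (1.2.5). The Python below is an added example, not code from the report or from Check Point. It parses the space-separated, double-quoted export using the header's column names, buckets TCP records by source, destination and minute, and classifies any bucket that touches at least five distinct services by that shape. The sample rows are copied from 1.1.3 (records 40, 42 to 48) and 1.2.3 (records 3092 to 3098); the threshold of five services, the per-minute bucketing, and the reading of "len 40" as a bare IP+TCP header from a raw-socket scanner and "len 60" as a SYN carrying the host stack's 20-byte option block are the example's own assumptions.

```python
"""Parse a FireWall-1 text export and tell a connect()-style port scan from a
half-open (SYN) scan by the packet shape the firewall logged.

Added example; not code from the IPA report or from Check Point. The column
names are those of the export header; the sample rows are copied from sections
1.1.3 (records 40, 42-48) and 1.2.3 (records 3092-3098). The scan threshold,
the per-minute bucketing and the reading of the logged length are assumptions.
"""
import csv
import re
from collections import defaultdict

FW1_COLUMNS = ["No", "Date", "Time", "Inter.", "Origin", "Type", "Action", "Service",
               "Source", "Destination", "Proto.", "Rule", "S_Port", "User", "SrcKeyID",
               "DstKeyID", "XlateSrc", "XlateDst", "XLateSPort", "XlateDPort", "Info."]

SAMPLE_FW1_EXPORT = '''\
"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
"40" "14Mar2000" "13:06:56" "nei0" "fw" "log" "accept" "http" "ipa3" "dmz-mail" "tcp" "4" "60991" "" "" "" "" "" "" "" " len 40"
"42" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "118" "ipa3" "dmz-mail" "tcp" "4" "1744" "" "" "" "" "" "" "" " len 60"
"43" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "1426" "ipa3" "dmz-mail" "tcp" "4" "1745" "" "" "" "" "" "" "" " len 60"
"44" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "2011" "ipa3" "dmz-mail" "tcp" "4" "1746" "" "" "" "" "" "" "" " len 60"
"45" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "45" "ipa3" "dmz-mail" "tcp" "4" "1747" "" "" "" "" "" "" "" " len 60"
"46" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "853" "ipa3" "dmz-mail" "tcp" "4" "1748" "" "" "" "" "" "" "" " len 60"
"47" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "371" "ipa3" "dmz-mail" "tcp" "4" "1749" "" "" "" "" "" "" "" " len 60"
"48" "14Mar2000" "13:07:00" "nei0" "fw" "log" "accept" "2025" "ipa3" "dmz-mail" "tcp" "4" "1750" "" "" "" "" "" "" "" " len 60"
"3092" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "331" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3093" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "310" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3094" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "352" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3095" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "477" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3096" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "533" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3097" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "189" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
"3098" "14Mar2000" "13:11:39" "nei0" "fw" "log" "accept" "354" "ipa3" "dmz-mail" "tcp" "4" "36503" "" "" "" "" "" "" "" " len 40"
'''


def parse_fw1_export(text):
    """One record per line, every field double-quoted and space-separated.
    Empty fields ("") are kept as empty strings so that column positions hold."""
    records = []
    for row in csv.reader(text.splitlines(), delimiter=" ", quotechar='"'):
        if not row or row == FW1_COLUMNS:          # blank line or the header row
            continue
        if len(row) != len(FW1_COLUMNS):
            raise ValueError(f"expected {len(FW1_COLUMNS)} fields, got {len(row)}: {row!r}")
        records.append(dict(zip(FW1_COLUMNS, row)))
    return records


def packet_length(rec):
    """The Info. column carries 'len N' (the IP total length) on TCP records."""
    m = re.search(r"\blen (\d+)", rec["Info."])
    return int(m.group(1)) if m else None


def classify_burst(rows, min_ports=5):
    services = {r["Service"] for r in rows}
    if len(services) < min_ports:
        return "below threshold"
    lengths = {packet_length(r) for r in rows}
    sports = {r["S_Port"] for r in rows}
    if lengths == {60} and len(sports) == len(rows):
        # SYN with the host stack's option block and a fresh ephemeral port per probe:
        # a connect()-style scan, which the target application may log as well
        return "connect() scan"
    if lengths == {40} and len(sports) == 1:
        # bare IP+TCP header, one source port reused for every probe: a raw-socket
        # scanner; the export has no flag column, so SYN, FIN and NULL look alike here
        return "raw-socket scan"
    return "port sweep (mixed shape)"


def find_scans(records, min_ports=5):
    """Bucket TCP records by (source, destination, date, minute) and classify each
    bucket. Returns {bucket: (distinct services, actions seen, classification)}."""
    buckets = defaultdict(list)
    for r in records:
        if r["Proto."] == "tcp":
            buckets[(r["Source"], r["Destination"], r["Date"], r["Time"][:5])].append(r)
    return {key: (len({r["Service"] for r in rows}),
                  sorted({r["Action"] for r in rows}),
                  classify_burst(rows, min_ports))
            for key, rows in buckets.items()}


if __name__ == "__main__":
    for key, result in find_scans(parse_fw1_export(SAMPLE_FW1_EXPORT)).items():
        print(key, result)
```

The lone http record at 13:06:56 stays below the threshold on purpose: a single accepted connection is what normal traffic looks like, and the point of the service count is to report the sweep rather than every row of it. When the Service column holds a name from the firewall's service table (http, printer, usenet) rather than a number, it still counts as one distinct service, which is why the classifier never converts it.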
1.3 TCP FIN stealth scan

1.3.1 RealSecure Network Engine 1 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
2099,2000/3/14 13:15:15,Port_Scan,6,43662,131,43662,131,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2100,2000/3/14 13:15:32,Port_Scan,6,57854,289,57854,289,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
2101,2000/3/14 13:15:48,Port_Scan,6,43840,208,43840,208,1728123052,169126080,172.16.1.103,192.168.20.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0

1.3.2 RealSecure Network Engine 2 log

ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
14413,2000/3/14 13:15:15,Port_Scan,6,43662,131,43662,131,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
14414,2000/3/14 13:15:32,Port_Scan,6,57854,289,57854,289,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0

1.3.3 FireWall-1 log

"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
"6100" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "" "ipa3" "dmz-mail" "icmp" "4" "" "" "" "" "" "" "" "" " icmp-type 8 icmp-code 0"
"6101" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "http" "ipa3" "dmz-mail" "tcp" "4" "43682" "" "" "" "" "" "" "" " len 40"
"6102" "14Mar2000" "13:15:15" "nei1" "fw" "log" "accept" "" "dmz-mail" "ipa3" "icmp" "8" "" "" "" "" "" "" "" "" " icmp-type 0 icmp-code 0"
"6103" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "251" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6104" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "867" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6105" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "975" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6106" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "CreativePartnerClnt" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6107" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "2784" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6108" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "usenet" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
"6109" "14Mar2000" "13:15:15" "nei0" "fw" "log" "accept" "x400-snd" "ipa3" "dmz-mail" "tcp" "4" "43662" "" "" "" "" "" "" "" " len 40"
: (snip 4485 records) :
"10594" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "printer" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10595" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "92" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10596" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "445" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10597" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "1491" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10598" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "2010" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10599" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "22289" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10600" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "879" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10601" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "666" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10602" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "nbsession" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10603" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "284" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"
"10604" "14Mar2000" "13:15:54" "nei0" "fw" "log" "reject" "179" "ipa3" "fw-dmz" "tcp" "9" "43840" "" "" "" "" "" "" "" " len 40"

1.3.4 RealSecure System Agent log

Not detected.

1.3.5 Syslog, event log

Not detected.
1.4 TCP NULL Stealth Scan
1.4.1 RealSecure Network Engine 1 Log
ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
1.4.2 RealSecure Network Engine 2 Log
ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
1.4.3 FireWall-1 Log
"No" "Date" "Time" "Inter." "Origin" "Type" "Action" "Service" "Source" "Destination" "Proto." "Rule" "S_Port" "User" "SrcKeyID" "DstKeyID" "XlateSrc" "XlateDst" "XLateSPort" "XlateDPort" "Info."
1.4.4 RealSecure System Agent Log
No detections
1.4.5 Syslog, Event Log
No detections
1.5 UDP ICMP Unreachable Scan
1.5.1 RealSecure Network Engine 1 Log
ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
11133,2000/3/14 13:25:24,UDP_Port_Scan,17,53173,497,53173,497,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11134,2000/3/14 13:36:59,UDP_Port_Scan,17,53173,271,53173,271,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11135,2000/3/14 13:51:41,UDP_Port_Scan,17,46019,778,46019,778,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11136,2000/3/14 13:52:11,UDP_Port_Scan,17,40078,391,40078,391,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11137,2000/3/14 13:53:38,UDP_Port_Scan,17,53385,261,53385,261,1728123052,169781440,172.16.1.103,192.168.30.10,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
11138,2000/3/14 13:54:17,UDP_Port_Scan,17,43605,676,43605,676,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:C0:F6:B3:0F:12,,00:20:18:64:5C:E8,,0,,0,192.168.10.11,FALSE,0
1.5.2 RealSecure Network Engine 2 Log
ID,EventDate,EventName,ProtocolID,SourcePort,DestinationPort,SourcePortName,DestinationPortName,SourceAddress,DestinationAddress,SourceAddressName,DestinationAddressName,TCPFlags,ICMPType,ICMPCode,EventPriority,KillActionSpecified,SourceEthernetAddr,SourceEthernetVendor,DestinationEthernetAddr,DestinationEthernetVendor,RawDataLen,RawData,DecodePairCount,EngineIP,Pulled,EngineType
17522,2000/3/14 13:25:24,UDP_Port_Scan,17,53173,497,53173,497,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0
17523,2000/3/14 13:51:40,UDP_Port_Scan,17,46019,778,46019,778,1728123052,51685568,172.16.1.103,192.168.20.3,,,,1,FALSE,00:20:18:64:5C:E6,,00:C0:26:26:E5:05,,0,,0,192.168.20.11,FALSE,0
17524,2000/3/14 13:52:11,UDP_Port_Scan,17,40078,391,40078,391,1728123052,34908352,172.16.1.103,192.168.20.2,,,,1,FALSE,00:20:18:64:5C:E6,,08:00:20:76:1E:EA,,0,,0,192.168.20.11,FALSE,0