Altair Technologies Ltd. - Firegen report generated on 11/15/2011 7:15:32 PM

FireGen Report

| Info | Value |
|---|---|
| Log profile | Log profile Netscreen |
| Analyzed log(s) | F:\Logs\SGS\logfile.txt.20060321 (151.00 MB) |
| Firewall type | SGS |
| Analysis interval | All entries in the specified log |

Firewalls

| No | Firewall | Connections | Traffic (MB) | Denials | Warnings | URLs |
|---|---|---|---|---|---|---|
| 1 | fw.celotexfiberboard.com | 239,352 | 2,422.59 | 33,875 | 1,384 | 0 |
Message types

| No | Code | Message sample | Count |
|---|---|---|---|
| 2 | 101 | Time reset, Type=step, Offset=-0.142220 | 5 |
| 3 | 107 | Closing log file | 1 |
| 4 | 108 | Starting new log file, UTC offset used, Offset=-0600 | 1 |
| 5 | 109 | Re-reading configuration file, Information=Bad Services traffic saturation alert threshold set to: 20.00 % | 34 |
| 6 | 115 | Successful authentication from remote management client, User=jolson, Source IP=192.168.1.131, Source Name=192.168.1.131, Destination IP=192.168.1.253, Destination Port=2456 | 11 |
| 7 | 116 | Remote management completed, User=jolson, Source IP=192.168.1.131, Source Name=192.168.1.131, Destination IP=192.168.1.253, Destination Port=2456 | 10 |
| 8 | 117 | Daemon starting, Program Name=rtspd, Operation=Initialize, Resource=rtspd, Status=Success, State=Starting | 28 |
| 9 | 118 | Daemon exiting, Program Name=GWControl Service, Operation=Validate, Resource=signal(15), Status=Success, State=OK | 1 |
| 10 | 120 | Not sending ICMP Unreachable in response to non-informational ICMP received on interface, Source IP=68.50.76.167, Destination IP=65.5.124.15, IP Code=ICMP, IP Code=Unreachable (port), String Value=Inner Packet data follows, Source IP=65.5.124.15, Destination IP=68.50.76.167, IP Code=UDP, Source Port=11245, Destination Port=1026, Adapter=eth2 | 2,188 |
| 11 | 121 | Statistics, Duration=1.31 , Authentication Result=N/A, ID=dDzAt, Sent=95, Received=334, Bytes=429, Source Interface=eth1, Source IP=64.18.0.230, Source Port=41170, Source Name=64.18.0.230, Client Destination=66.155.139.150, Client Port=25, Server Source=192.168.1.253, Server Source Port=60916, Destination Interface=eth0, Destination IP=192.168.1.3, Destination Port=25, Destination Name=192.168.1.3, Operation=N/A, Protocol=25/tcp, Rule ID=1 | 239,352 |
| 12 | 122 | Daemon listening on port(s), Program Name=User Library, Operation=Initialize, Resource= 80/tcp, 443/tcp, Status=Success, State=OK | 58 |
| 13 | 124 | Parameters and filters set for interfaces, Setting=eth2, Operation=Modify, Revision=0 | 18 |
| 14 | 131 | Remote management connection request, From=192.168.1.179, To=192.168.1.253, Source Port=4247, Destination Port=423 | 5 |
| 15 | 152 | LiveUpdate found files up-to-date, Program Name=IDS, Operation=Live Update, Resource=Intrusion Detection and Prevention Subscription Update, Status=Success, State=OK | 72 |
| 16 | 164 | Received command to reload filter configuration, Operation=Modify, Revision=0 | 6 |
| 17 | 170 | IDS: Open called on device ids | 17 |
| 18 | 190 | HTTP_BAD_REQURL6_0, Title= HTTP Malformed URL, Policy Tag= SUSPICIOUS_HTTP, Vendor=SYMC, Class=sniffer, Family=integrity, Context Data=UkVHSVNURVIgc2lwOjY4LjE0Mi4yMzMuMTc5OjgwO3RyYW5zcG9ydD10Y3AgU0lQLzIuMA, Context Description=HTTP Request, Flow Cookie=TCP%EXACT%10.35.94.136:1029/68.142.233.179:80#255, IP Protocol=TCP, Level=32, Reliability=128, Payload=UkVHSVNURVIgc2lwOjY4LjE0Mi4yMzMuMTc5OjgwO3RyYW5zcG9ydD10Y3AgU0lQLzIuMA0KRnJvbTogPHNpcDpqYXNvbl9zY2huYWJsZWdnZXIyMDAxQDY4LjE0Mi4yMzMuMTc5OjgwPjt0YWc9ODM2MWNlOC0wLTEzYmItNWU, Payload left offset=52, Payload right offset=53, Start time=Mar 21, 2006 21:17:06, End Time=Mar 21, 2006 21:17:06, Source IP=10.35.94.136, Source Port=1029, Destination IP=68.142.233.179, Destination Port=80, Packet=RQACE+6nQAB+BnVQCiNeiESO6bMEBQBQ+R+dZaaNKkpQGP//QAgAAA, Interface=ids, Interface ID=232, Alert Source MAC addr=00:50:80:04:9d:81, Alert Destination MAC addr=00:00:00:00:00:00, VLAN ID=0, Outcome=unknown | 152 |
| 19 | 201 | Repeated, Consolidated Message=232 NOTICE: Sending ICMP unreachable, Count=2, IP Code=Unreachable (host prohibited), Source IP=12.119.118.26, Destination IP=135.89.152.51, IP Code=ICMP, IP Subtype ID=26040, IP Code=Echo reply, Adapter=eth2 | 66 |
| 20 | 216 | Access denied, Protocol=GWControl Service, Operation=Validate, Destination Name=216.52.1.1, Source Name=10.35.93.74, Status=Failure, State=Fail, Source IP=0.0.0.0, Rule= [default rule] [no rules found], PID=-2145566761, Service=123/udp | 29,719 |
| 21 | 219 | Cannot parse URL, Program Name=httpd, Operation=Validate, Resource=OPTIONS / HTTP/1.1\r\ntranslate: f\r\nUser-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\nHost: 66.155.139.150\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n\r\n, Status=Failure, State=Fail | 48 |
| 22 | 226 | IP packet dropped due to bad source address, Source IP=127.0.0.1, Destination IP=192.168.1.10, IP Code=ICMP, IP Subtype ID=1234, IP Code=Echo request, Adapter=eth2 | 2 |
| 23 | 227 | VPN packet dropped because the packet is either too old or has been received before by tunnel (potential replay attack), Source IP=204.183.33.108, Destination IP=66.155.139.158, IP Code=UDP, Source Port=56092, Destination Port=786, Tunnel=3.isakmp.30@204.183.33.108 | 29 |
| 24 | 228 | Cannot connect to port, Program Name=httpd, Operation=Connect, Resource=63.208.226.225, Status=[110] Connection tim, State=Fail, Protocol=http, Host=63.208.226.225, Destination Port=80, IP Address=63.208.226.225 | 529 |
| 25 | 229 | IP packet dropped, String Value=TCP Reset, Source IP=65.5.152.162, Destination IP=65.5.124.20, Source Port=37214, Destination Port=135 | 4,101 |
| 26 | 230 | Not authorized, Protocol=TCP GSP, Source IP=69.18.47.238, Source Port=2827, Source Name=69.18.47.238 | 25 |
| 27 | 232 | Sending ICMP unreachable, String Value=host unreachable, Source IP=10.35.93.74, Destination IP=216.52.1.1, Source Port=2054, Destination Port=123 | 16,629 |
| 28 | 238 | User proxy by means of outside interface is not allowed, use httpd.allow_external_proxy to change it, Program Name=httpd, Operation=Connect, Status=Failure, State=Denying, User=63.229.225.195, Interface=eth1 | 54 |
| 29 | 239 | Sending TCP reset not allowed, Source IP=10.35.93.106, Destination IP=192.168.1.3, IP Code=TCP, Flag=SYN, Source Port=2082, Destination Port=135, Adapter=eth2 | 3,256 |
| 30 | 240 | TCP packet dropped due to bad TCP flags combination, Source IP=88.136.165.218, Destination IP=65.5.124.4, IP Code=TCP, Flag=FIN, Source Port=51679, Destination Port=60729, Adapter=eth2, Probable Probe=QueSO, Flag=0x01 | 3 |
| 31 | 271 | Temporarily suppressing messages because the security gateway has reached log limits for driver messages at this level, Count=200, Interval=seconds | 3 |
| 32 | 290 | MSSQL_STACKOVERFLOW, Title= MSSQL StackOverflow, CVE= CAN-2002-0649, Policy Tag= CUSTOM_SQL, Vendor=SYMC, Class=sniffer, Family=integrity, Flow Cookie=UDP%EXACT,SPOOF%58.1.104.113:1085/66.155.139.155:1434#255, IP Protocol=UDP, Level=150, Reliability=128, Payload left offset=0, Payload right offset=0, Start time=Mar 21, 2006 23:57:28, End Time=Mar 21, 2006 23:57:28, Source IP=58.1.104.113, Source Port=1085, Destination IP=66.155.139.155, Destination Port=1434, Packet=RQABlBtQAABtEcBgOgFocUKbi5sEPQWaAYDAZQ, Interface=ids, Interface ID=232, Alert Source MAC addr=00:04:dd:08:a4:42, Alert Destination MAC addr=00:00:00:00:00:00, VLAN ID=0, Outcome=unknown | 1,209 |
| 33 | 301 | Repeated:, Consolidated Message=343 WARNING: Packet for interface was routed to interface, Count=2, Source IP=10.254.254.1, Destination IP=12.119.118.26, IP Code=ICMP, IP Code=Unreachable (host prohibited), String Value=Inner Packet data follows, Source IP=12.119.118.26, Destination IP=135.89.152.51, IP Code=ICMP, IP Subtype ID=26040, IP Code=Echo reply, Adapter=eth2, IP Address=66.155.139.158 | 100 |
| 34 | 334 | Denied access to command, Count=1, Source Name=83.110.176.142, Source IP=2.0.13.121, Destination Name=66.155.139.150, Destination IP=2.0.0.139, Source Interface=66.155.139.158 | 29 |
| 35 | 335 | VPN packet dropped because VPN is not enabled, Source IP=69.222.255.63, Destination IP=66.155.139.158, Payload=0xb22f3b85 | 121 |
| 36 | 343 | Using rule ID 8 because two equally good rules were found. Rule 5 = Rule 8, Program Name=GWControl Service, Operation=Validate, Status=Success, State=OK | 2,187 |
| 37 | 344 | Non-transparent call, Source Name=220.135.254.38, Source IP=220.135.254.38, Destination Name=fw.celotexfiberboard.com, Destination IP=66.155.139.158 | 12 |
| 38 | 347 | Possible port scan detected, Adapter=eth2, Source IP=222.73.4.156, Destination IP=65.5.124.24, IP Code=TCP, Flag=SYN, Flag=ACK, Source Port=7000, Destination Port=503 | 55 |
| 39 | 370 | NET: 5 messages suppressed. | 1 |
| 40 | 401 | Remote management login failed, User=jolson, Source IP=192.168.1.131, Source Name=192.168.1.131, Destination IP=192.168.1.253, Destination Port=2456 | 2 |
| 41 | 452 | LiveUpdate failed, Program Name=Content Filtering, Operation=Live Update, Resource=Content Filtering URL Update, Status=Failure, State=Fail | 2 |
| 42 | 456 | HTTPS service not supported, Program Name=httpd, Operation=Connect, Resource=192.168.1.3, Status=Failure, State=Abort | 146 |
| 43 | 590 | COUNTER_UNACKED_SYNS_HIGH, Title= SYN flood, CVE= CVE-1999-0116, Policy Tag= DOS_FLOODS, Vendor=SYMC, Class=sniffer, Family=availability, Flow Cookie=TCP%COUNTER,SPOOF,SYNS%10.35.94.136:4497/204.15.225.163:80#512, IP Protocol=TCP, Level=-3, Reliability=128, Payload left offset=0, Payload right offset=0, Start time=Mar 21, 2006 16:48:59, End Time=Mar 21, 2006 16:48:59, Source IP=10.35.94.136, Source Port=4497, Destination IP=204.15.225.163, Destination Port=80, Interface=ids, Interface ID=232, Alert Source MAC addr=00:50:80:04:9d:81, Alert Destination MAC addr=00:00:00:00:00:00, VLAN ID=0, Outcome=unknown | 23 |
Firewall: fw.celotexfiberboard.com

fw.celotexfiberboard.com - Traffic and denials per hour

| Hour | Traffic (MB) | % | Connections | % | Denials | % | Note |
|---|---|---|---|---|---|---|---|
| 00-01 | 12.00 | 0.51 | 3,228 | 1.18 | 1,084 | 3.20 | |
| 01-02 | 10.00 | 0.43 | 2,834 | 1.04 | 883 | 2.61 | |
| 02-03 | 29.00 | 1.21 | 4,366 | 1.60 | 1,153 | 3.40 | |
| 03-04 | 17.00 | 0.71 | 2,161 | 0.79 | 930 | 2.75 | !!! |
| 04-05 | 14.00 | 0.58 | 3,970 | 1.45 | 1,181 | 3.49 | |
| 05-06 | 108.00 | 4.49 | 10,485 | 3.84 | 1,001 | 2.95 | |
| 06-07 | 59.00 | 2.47 | 8,009 | 2.93 | 1,281 | 3.78 | |
| 07-08 | 130.00 | 5.37 | 20,742 | 7.59 | 1,115 | 3.29 | |
| 08-09 | 167.00 | 6.93 | 21,117 | 7.73 | 2,086 | 6.16 | |
| 09-10 | 141.00 | 5.84 | 19,236 | 7.04 | 1,863 | 5.50 | |
| 10-11 | 157.00 | 6.48 | 23,121 | 8.46 | 2,198 | 6.49 | |
| 11-12 | 216.00 | 8.93 | 22,909 | 8.38 | 1,875 | 5.54 | |
| 12-13 | 168.00 | 6.97 | 20,933 | 7.66 | 1,920 | 5.67 | |
| 13-14 | 282.00 | 11.68 | 23,560 | 8.62 | 1,746 | 5.15 | |
| 14-15 | 226.00 | 9.35 | 21,442 | 7.85 | 2,007 | 5.92 | |
| 15-16 | 265.00 | 10.95 | 13,866 | 5.07 | 1,723 | 5.09 | |
| 16-17 | 131.00 | 5.41 | 15,364 | 5.62 | 1,929 | 5.69 | |
| 17-18 | 65.00 | 2.72 | 9,167 | 3.36 | 1,591 | 4.70 | |
| 18-19 | 69.00 | 2.86 | 7,711 | 2.82 | 1,140 | 3.37 | |
| 19-20 | 30.00 | 1.27 | 5,712 | 2.09 | 1,151 | 3.40 | |
| 20-21 | 74.00 | 3.07 | 3,438 | 1.26 | 950 | 2.80 | |
| 21-22 | 9.00 | 0.39 | 2,976 | 1.09 | 1,113 | 3.29 | !!! |
| 22-23 | 23.00 | 0.95 | 3,124 | 1.14 | 847 | 2.50 | |
| 23-24 | 9.00 | 0.40 | 3,756 | 1.37 | 1,108 | 3.27 | |
fw.celotexfiberboard.com - Interfaces

| No | Interfaces | Connections | MB | % | Denials | Warnings |
|---|---|---|---|---|---|---|
| 1 | eth0 | 336 | 12.44 | 0.51 | 0 | 0 |
| 2 | eth0 to eth1 | 41,175 | 665.40 | 27.47 | 0 | 0 |
| 3 | eth0 to eth2 | 22 | 0.00 | 0.00 | 0 | 0 |
| 4 | eth0 to N/A | 10 | 0.02 | 0.00 | 0 | 0 |
| 5 | eth1 to eth0 | 13,436 | 245.08 | 10.12 | 0 | 0 |
| 6 | eth1 | 604 | 0.00 | 0.00 | 0 | 0 |
| 7 | eth1 to N/A | 13 | 0.01 | 0.00 | 0 | 0 |
| 8 | eth2 to eth0 | 309 | 16.83 | 0.69 | 0 | 0 |
| 9 | eth2 to eth1 | 182,905 | 1,334.25 | 55.08 | 0 | 0 |
| 10 | eth2 to N/A | 1 | 11.05 | 0.46 | 0 | 0 |
| 11 | N/A to eth0 | 21 | 0.01 | 0.00 | 0 | 0 |
| 12 | N/A | 520 | 137.49 | 5.68 | 0 | 0 |
| 13 | eth2 | 0 | 0.00 | 0.00 | 55 | 0 |
| 14 | Not specified | 0 | 0.00 | 0.00 | 33,820 | 1,384 |
| | Total | 239,352 | 2,422.59 | | 33,875 | 1,384 |

Firewall: fw.celotexfiberboard.com - Interface: eth0

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.1.3 | 10,331,771 | 79.18 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.144 | 1,212,411 | 9.29 | |
| 3 | 192.168.1.73 | 633,824 | 4.86 | |
| 4 | 192.168.1.179 | 365,258 | 2.80 | |
| 5 | 192.168.1.141 | 291,912 | 2.24 | |
| 6 | 192.168.1.138 | 116,054 | 0.89 | |
| 7 | 192.168.1.153 | 94,932 | 0.73 | |
| 8 | 192.168.1.145 | 2,456 | 0.02 | |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.1.3 | 11,062,983 | 84.78 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.205 | 1,985,635 | 15.22 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | 192.168.1.3 | HTTP-HTTPS | 34 | 10,331,771 | 79.18 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.144 | HTTP | 147 | 1,212,411 | 9.29 | |
| 3 | 192.168.1.73 | HTTP-HTTPS | 15 | 633,824 | 4.86 | |
| 4 | 192.168.1.179 | HTTP | 34 | 365,258 | 2.80 | |
| 5 | 192.168.1.141 | HTTP | 86 | 291,912 | 2.24 | |
| 6 | 192.168.1.138 | HTTP | 14 | 116,054 | 0.89 | |
| 7 | 192.168.1.153 | HTTP-HTTPS | 3 | 93,750 | 0.72 | |
| 8 | 192.168.1.145 | HTTP-HTTPS | 1 | 1,474 | 0.01 | |
| 9 | 192.168.1.153 | HTTP | 1 | 1,182 | 0.01 | |
| 10 | 192.168.1.145 | HTTP | 1 | 982 | 0.01 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | 192.168.1.3 | 192.168.1.3 | HTTP-HTTPS | 34 | 10,331,771 | 79.18 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.144 | 192.168.1.205 | HTTP | 147 | 1,212,411 | 9.29 | |
| 3 | 192.168.1.73 | 192.168.1.3 | HTTP-HTTPS | 15 | 633,824 | 4.86 | |
| 4 | 192.168.1.179 | 192.168.1.205 | HTTP | 34 | 365,258 | 2.80 | |
| 5 | 192.168.1.141 | 192.168.1.205 | HTTP | 86 | 291,912 | 2.24 | |
| 6 | 192.168.1.138 | 192.168.1.205 | HTTP | 14 | 116,054 | 0.89 | |
| 7 | 192.168.1.153 | 192.168.1.3 | HTTP-HTTPS | 3 | 93,750 | 0.72 | |
| 8 | 192.168.1.145 | 192.168.1.3 | HTTP-HTTPS | 1 | 1,474 | 0.01 | |
| 9 | 192.168.1.153 | 192.168.1.3 | HTTP | 1 | 1,182 | 0.01 | |
| 10 | 192.168.1.145 | 192.168.1.3 | HTTP | 1 | 982 | 0.01 | |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | HTTP-HTTPS | 53 | 11,060,819 | 84.77 | |
| 2 | HTTP | 283 | 1,987,799 | 15.23 | |

Firewall: fw.celotexfiberboard.com - Interfaces: eth0 to eth1

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.1.3 | 203,860,340 | 29.22 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.139 | 170,960,013 | 24.50 | |
| 3 | 192.168.1.179 | 67,000,974 | 9.60 | |
| 4 | 192.168.1.190 | 58,090,350 | 8.33 | |
| 5 | 192.168.1.173 | 30,625,577 | 4.39 | |
| 6 | 192.168.1.144 | 26,343,766 | 3.78 | |
| 7 | 192.168.1.138 | 26,175,046 | 3.75 | |
| 8 | 192.168.1.145 | 25,995,170 | 3.73 | |
| 9 | 192.168.1.132 | 23,400,641 | 3.35 | |
| 10 | 192.168.1.182 | 13,017,343 | 1.87 | |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | cds301.ord.llnw.net (68.142.72.171) | 84,441,308 | 12.10 | |
| 2 | cds302.ord.llnw.net (68.142.72.172) | 54,888,464 | 7.87 | |
| 3 | hrpayroll-ml.ceridian.com (170.153.222.25) | 47,442,421 | 6.80 | |
| 4 | bda-216-9-250-181.bis3.ap.blackberry.com (216.9.250.181) | 42,813,172 | 6.14 | |
| 5 | zeus.lunarpages.com (216.193.211.2) | 25,777,036 | 3.69 | |
| 6 | mx03.bis.na.blackberry.com (216.9.248.34) | 17,919,851 | 2.57 | |
| 7 | mx01.bis.na.blackberry.com (216.9.248.32) | 14,262,765 | 2.04 | |
| 8 | 63-246-140-18.static.sagonet.net (63.246.140.18) | 13,143,748 | 1.88 | |
| 9 | mx04.bis.na.blackberry.com (216.9.248.35) | 12,238,332 | 1.75 | |
| 10 | host151.2000greetings.com (199.218.5.151) | 8,564,511 | 1.23 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | 192.168.1.3 | TCP/25 - smtp | 1,665 | 202,617,428 | 29.04 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.139 | HTTP | 5,025 | 166,832,585 | 23.91 | |
| 3 | 192.168.1.190 | HTTP-HTTPS | 1,891 | 51,376,265 | 7.36 | |
| 4 | 192.168.1.173 | HTTP | 2,933 | 29,631,274 | 4.25 | |
| 5 | 192.168.1.145 | HTTP | 1,656 | 25,221,835 | 3.61 | |
| 6 | 192.168.1.138 | HTTP | 3,030 | 24,988,002 | 3.58 | |
| 7 | 192.168.1.144 | HTTP | 2,409 | 23,515,678 | 3.37 | |
| 8 | 192.168.1.132 | HTTP | 1,950 | 23,144,641 | 3.32 | |
| 9 | 192.168.1.179 | HTTP | 1,636 | 20,376,311 | 2.92 | |
| 10 | 192.168.1.131 | HTTP | 716 | 11,225,116 | 1.61 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | 192.168.1.139 | cds301.ord.llnw.net (68.142.72.171) | HTTP | 5 | 84,440,937 | 12.10 | |
| 2 | 192.168.1.139 | cds302.ord.llnw.net (68.142.72.172) | HTTP | 4 | 54,888,464 | 7.87 | |
| 3 | 192.168.1.190 | hrpayroll-ml.ceridian.com (170.153.222.25) | HTTP-HTTPS | 990 | 47,442,421 | 6.80 | |
| 4 | 192.168.1.3 | bda-216-9-250-181.bis3.ap.blackberry.com (216.9.250.181) | TCP/25 - smtp | 18 | 42,813,172 | 6.14 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 5 | 192.168.1.3 | mx03.bis.na.blackberry.com (216.9.248.34) | TCP/25 - smtp | 105 | 17,919,851 | 2.57 | |
| 6 | 192.168.1.3 | zeus.lunarpages.com (216.193.211.2) | TCP/25 - smtp | 4 | 16,059,204 | 2.30 | |
| 7 | 192.168.1.3 | mx01.bis.na.blackberry.com (216.9.248.32) | TCP/25 - smtp | 109 | 14,262,765 | 2.04 | |
| 8 | 192.168.1.3 | mx04.bis.na.blackberry.com (216.9.248.35) | TCP/25 - smtp | 94 | 12,238,332 | 1.75 | |
| 9 | 192.168.1.179 | zeus.lunarpages.com (216.193.211.2) | HTTP | 60 | 9,717,832 | 1.39 | |
| 10 | 192.168.1.132 | host151.2000greetings.com (199.218.5.151) | HTTP | 45 | 8,564,511 | 1.23 | |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | HTTP | 27,740 | 366,377,690 | 52.51 | |
| 2 | TCP/25 - smtp | 1,690 | 202,668,250 | 29.05 | |
| 3 | HTTP-HTTPS | 4,225 | 80,375,521 | 11.52 | |
| 4 | TCP/1214 - kazaa | 8 | 9,355,003 | 1.34 | |
| 5 | TCP/4524 | 2 | 7,090,199 | 1.02 | |
| 6 | UDP/53 - dns | 837 | 6,534,943 | 0.94 | |
| 7 | TCP/2463 | 2 | 5,306,526 | 0.76 | |
| 8 | TCP/3694 | 1 | 4,946,701 | 0.71 | |
| 9 | TCP/3932 | 1 | 2,660,242 | 0.38 | |
| 10 | TCP/1521 - oracle | 2 | 2,270,032 | 0.33 | |

Top 10 protocol TCP/25 - smtp: Sources, destinations, and traffic

| No | Source | Destination | Connections | Bytes | Comment |
|---|---|---|---|---|---|
| 1 | 192.168.1.3 | bda-216-9-250-181.bis3.ap.blackberry.com (216.9.250.181) | 18 | 42,813,172 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.3 | mx03.bis.na.blackberry.com (216.9.248.34) | 105 | 17,919,851 | |
| 3 | 192.168.1.3 | zeus.lunarpages.com (216.193.211.2) | 4 | 16,059,204 | |
| 4 | 192.168.1.3 | mx01.bis.na.blackberry.com (216.9.248.32) | 109 | 14,262,765 | |
| 5 | 192.168.1.3 | mx04.bis.na.blackberry.com (216.9.248.35) | 94 | 12,238,332 | |
| 6 | 192.168.1.3 | mx02.bis.na.blackberry.com (216.9.248.33) | 104 | 7,390,442 | |
| 7 | 192.168.1.3 | bda-216-9-250-163.bis3.ap.blackberry.com (216.9.250.163) | 21 | 6,347,192 | |
| 8 | 192.168.1.3 | mx01.birch.net (216.212.0.63) | 2 | 4,790,768 | |
| 9 | 192.168.1.3 | bda-216-9-250-168.bis3.ap.blackberry.com (216.9.250.168) | 29 | 3,289,441 | |
| 10 | 192.168.1.3 | bda-216-9-250-177.bis3.ap.blackberry.com (216.9.250.177) | 22 | 3,244,345 | |

Firewall: fw.celotexfiberboard.com - Interfaces: eth0 to eth2

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.1.3 | 352 | 100.00 | 15139 denials recorded on 4/3/2006 11:01:31 PM |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 10.80.80.75 | 112 | 31.82 | 23 denials recorded on 3/21/2006 9:36:42 AM |
| 2 | 10.0.0.58 | 32 | 9.09 | |
| 3 | 10.35.94.136 | 32 | 9.09 | |
| 4 | 10.35.94.139 | 32 | 9.09 | |
| 5 | 10.35.94.112 | 32 | 9.09 | |
| 6 | 10.0.0.77 | 32 | 9.09 | |
| 7 | 10.35.94.121 | 32 | 9.09 | |
| 8 | 10.35.93.103 | 32 | 9.09 | |
| 9 | 192.168.0.176 | 16 | 4.55 | 7 denials recorded on 3/21/2006 9:36:42 AM |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | 192.168.1.3 | UDP/4143 | 3 | 48 | 13.64 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.3 | UDP/1126 | 2 | 32 | 9.09 | |
| 3 | 192.168.1.3 | UDP/4774 | 2 | 32 | 9.09 | |
| 4 | 192.168.1.3 | UDP/2740 | 2 | 32 | 9.09 | |
| 5 | 192.168.1.3 | UDP/1091 | 2 | 32 | 9.09 | |
| 6 | 192.168.1.3 | UDP/1130 | 2 | 32 | 9.09 | |
| 7 | 192.168.1.3 | UDP/1244 | 2 | 32 | 9.09 | |
| 8 | 192.168.1.3 | UDP/3156 | 2 | 32 | 9.09 | |
| 9 | 192.168.1.3 | UDP/4271 | 2 | 32 | 9.09 | |
| 10 | 192.168.1.3 | UDP/3357 | 2 | 32 | 9.09 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | 192.168.1.3 | 10.80.80.75 | UDP/4143 | 3 | 48 | 13.64 | 23 denials recorded on 3/21/2006 9:36:42 AM; 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.3 | 10.0.0.58 | UDP/1126 | 2 | 32 | 9.09 | |
| 3 | 192.168.1.3 | 10.35.94.136 | UDP/4774 | 2 | 32 | 9.09 | |
| 4 | 192.168.1.3 | 10.80.80.75 | UDP/2740 | 2 | 32 | 9.09 | |
| 5 | 192.168.1.3 | 10.35.94.139 | UDP/1091 | 2 | 32 | 9.09 | |
| 6 | 192.168.1.3 | 10.35.94.112 | UDP/1130 | 2 | 32 | 9.09 | |
| 7 | 192.168.1.3 | 10.0.0.77 | UDP/1244 | 2 | 32 | 9.09 | |
| 8 | 192.168.1.3 | 10.35.94.121 | UDP/3156 | 2 | 32 | 9.09 | |
| 9 | 192.168.1.3 | 10.80.80.75 | UDP/4271 | 2 | 32 | 9.09 | |
| 10 | 192.168.1.3 | 10.35.93.103 | UDP/3357 | 2 | 32 | 9.09 | |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | UDP/4143 | 3 | 48 | 13.64 | |
| 2 | UDP/1126 | 2 | 32 | 9.09 | |
| 3 | UDP/4774 | 2 | 32 | 9.09 | |
| 4 | UDP/2740 | 2 | 32 | 9.09 | |
| 5 | UDP/1091 | 2 | 32 | 9.09 | |
| 6 | UDP/1130 | 2 | 32 | 9.09 | |
| 7 | UDP/1244 | 2 | 32 | 9.09 | |
| 8 | UDP/3156 | 2 | 32 | 9.09 | |
| 9 | UDP/4271 | 2 | 32 | 9.09 | |
| 10 | UDP/3357 | 2 | 32 | 9.09 | |

Firewall: fw.celotexfiberboard.com - Interfaces: eth0 to N/A

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.1.179 | 25,013 | 99.79 | |
| 2 | 192.168.1.136 | 52 | 0.21 | |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.1.253 | 25,065 | 100.00 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | 192.168.1.179 | SRL-3DES | 8 | 25,013 | 99.79 | |
| 2 | 192.168.1.136 | PING | 2 | 52 | 0.21 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | 192.168.1.179 | 192.168.1.253 | SRL-3DES | 8 | 25,013 | 99.79 | |
| 2 | 192.168.1.136 | 192.168.1.253 | PING | 2 | 52 | 0.21 | |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | SRL-3DES | 8 | 25,013 | 99.79 | |
| 2 | PING | 2 | 52 | 0.21 | |

Firewall: fw.celotexfiberboard.com - Interfaces: eth1 to eth0

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | exprod5mc109.postini.com (64.18.0.220) | 27,544,873 | 10.72 | |
| 2 | exprod5mx194.postini.com (64.18.0.40) | 8,594,474 | 3.34 | |
| 3 | exprod5mx195.postini.com (64.18.0.41) | 8,320,038 | 3.24 | |
| 4 | exprod5mx267.postini.com (64.18.0.90) | 5,665,655 | 2.20 | |
| 5 | 64.18.0.245 | 5,664,833 | 2.20 | |
| 6 | exprod5mx270.postini.com (64.18.0.93) | 5,273,483 | 2.05 | |
| 7 | exprod5mc111.postini.com (64.18.0.222) | 5,054,261 | 1.97 | |
| 8 | 64-142-91-60.dsl.static.sonic.net (64.142.91.60) | 5,041,991 | 1.96 | |
| 9 | exprod5ob105.obsmtp.com (64.18.0.179) | 4,993,828 | 1.94 | |
| 10 | 10.80.80.73 | 4,514,710 | 1.76 | |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.1.3 | 138,184,650 | 53.77 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | 192.168.1.205 | 118,804,396 | 46.23 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | exprod5mc109.postini.com (64.18.0.220) | TCP/25 - smtp | 39 | 27,544,873 | 10.72 | |
| 2 | exprod5mx194.postini.com (64.18.0.40) | TCP/25 - smtp | 52 | 8,594,474 | 3.34 | |
| 3 | exprod5mx195.postini.com (64.18.0.41) | TCP/25 - smtp | 45 | 8,320,038 | 3.24 | |
| 4 | exprod5mx267.postini.com (64.18.0.90) | TCP/25 - smtp | 51 | 5,665,655 | 2.20 | |
| 5 | 64.18.0.245 | TCP/25 - smtp | 54 | 5,664,833 | 2.20 | |
| 6 | exprod5mx270.postini.com (64.18.0.93) | TCP/25 - smtp | 55 | 5,273,483 | 2.05 | |
| 7 | exprod5mc111.postini.com (64.18.0.222) | TCP/25 - smtp | 39 | 5,054,261 | 1.97 | |
| 8 | 64-142-91-60.dsl.static.sonic.net (64.142.91.60) | HTTP | 89 | 5,041,991 | 1.96 | |
| 9 | exprod5ob105.obsmtp.com (64.18.0.179) | TCP/25 - smtp | 44 | 4,993,828 | 1.94 | |
| 10 | 10.80.80.73 | HTTP-HTTPS | 444 | 4,510,136 | 1.75 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | exprod5mc109.postini.com (64.18.0.220) | 192.168.1.3 | TCP/25 - smtp | 39 | 27,544,873 | 10.72 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | exprod5mx194.postini.com (64.18.0.40) | 192.168.1.3 | TCP/25 - smtp | 52 | 8,594,474 | 3.34 | |
| 3 | exprod5mx195.postini.com (64.18.0.41) | 192.168.1.3 | TCP/25 - smtp | 45 | 8,320,038 | 3.24 | |
| 4 | exprod5mx267.postini.com (64.18.0.90) | 192.168.1.3 | TCP/25 - smtp | 51 | 5,665,655 | 2.20 | |
| 5 | 64.18.0.245 | 192.168.1.3 | TCP/25 - smtp | 54 | 5,664,833 | 2.20 | |
| 6 | exprod5mx270.postini.com (64.18.0.93) | 192.168.1.3 | TCP/25 - smtp | 55 | 5,273,483 | 2.05 | |
| 7 | exprod5mc111.postini.com (64.18.0.222) | 192.168.1.3 | TCP/25 - smtp | 39 | 5,054,261 | 1.97 | |
| 8 | 64-142-91-60.dsl.static.sonic.net (64.142.91.60) | 192.168.1.205 | HTTP | 89 | 5,041,991 | 1.96 | |
| 9 | exprod5ob105.obsmtp.com (64.18.0.179) | 192.168.1.3 | TCP/25 - smtp | 44 | 4,993,828 | 1.94 | |
| 10 | 10.80.80.73 | 192.168.1.3 | HTTP-HTTPS | 444 | 4,510,136 | 1.75 | |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | HTTP | 8,716 | 118,829,731 | 46.24 | |
| 2 | TCP/25 - smtp | 2,512 | 111,221,449 | 43.28 | |
| 3 | HTTP-HTTPS | 2,208 | 26,937,866 | 10.48 | |

Top 10 protocol TCP/25 - smtp: Sources, destinations, and traffic

| No | Source | Destination | Connections | Bytes | Comment |
|---|---|---|---|---|---|
| 1 | exprod5mc109.postini.com (64.18.0.220) | 192.168.1.3 | 39 | 27,544,873 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 2 | exprod5mx194.postini.com (64.18.0.40) | 192.168.1.3 | 52 | 8,594,474 | |
| 3 | exprod5mx195.postini.com (64.18.0.41) | 192.168.1.3 | 45 | 8,320,038 | |
| 4 | exprod5mx267.postini.com (64.18.0.90) | 192.168.1.3 | 51 | 5,665,655 | |
| 5 | 64.18.0.245 | 192.168.1.3 | 54 | 5,664,833 | |
| 6 | exprod5mx270.postini.com (64.18.0.93) | 192.168.1.3 | 55 | 5,273,483 | |
| 7 | exprod5mc111.postini.com (64.18.0.222) | 192.168.1.3 | 39 | 5,054,261 | |
| 8 | exprod5ob105.obsmtp.com (64.18.0.179) | 192.168.1.3 | 44 | 4,993,828 | |
| 9 | exprod5mx268.postini.com (64.18.0.91) | 192.168.1.3 | 34 | 3,926,833 | |
| 10 | exprod5mc118.postini.com (64.18.0.230) | 192.168.1.3 | 51 | 2,902,927 | |

Firewall: fw.celotexfiberboard.com - Interface: eth1

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | d463ce8c.datahighways.de (212.99.206.140) | 104 | 100.00 | |
| 2 | 59.14.163.5 | 0 | 0.00 | |
| 3 | VG-4-11.dialup.access.telecore.net.ru (213.135.64.160) | 0 | 0.00 | |
| 4 | 66-214-116-136.dhcp.hspr.ca.charter.com (66.214.116.136) | 0 | 0.00 | |
| 5 | 69-18-47-238.lisco.net (69.18.47.238) | 0 | 0.00 | |
| 6 | file.tnu.edu.tw (140.129.140.206) | 0 | 0.00 | |
| 7 | 204.16.208.119 | 0 | 0.00 | |
| 8 | 61.153.250.34 | 0 | 0.00 | |
| 9 | 218.232.109.197 | 0 | 0.00 | |
| 10 | 66.21.51.121 | 0 | 0.00 | |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 66.155.139.150 | 52 | 50.00 | |
| 2 | 66.155.139.155 | 52 | 50.00 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | d463ce8c.datahighways.de (212.99.206.140) | FTP | 2 | 104 | 100.00 | |
| 2 | 59.14.163.5 | TCP/7212 | 2 | 0 | 0.00 | |
| 3 | VG-4-11.dialup.access.telecore.net.ru (213.135.64.160) | TCP/25 - smtp | 1 | 0 | 0.00 | |
| 4 | 66-214-116-136.dhcp.hspr.ca.charter.com (66.214.116.136) | TCP/445 - netbios | 18 | 0 | 0.00 | |
| 5 | 69-18-47-238.lisco.net (69.18.47.238) | TCP/25 - smtp | 22 | 0 | 0.00 | |
| 6 | file.tnu.edu.tw (140.129.140.206) | UDP/1434 - ms sql monitor | 1 | 0 | 0.00 | |
| 7 | 204.16.208.119 | UDP/1027 - blaster-worm | 2 | 0 | 0.00 | |
| 8 | 61.153.250.34 | UDP/1434 - ms sql monitor | 1 | 0 | 0.00 | |
| 9 | 218.232.109.197 | TCP/7212 | 7 | 0 | 0.00 | |
| 10 | 66.21.51.121 | TCP/445 - netbios | 3 | 0 | 0.00 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | d463ce8c.datahighways.de (212.99.206.140) | 66.155.139.150 | FTP | 1 | 52 | 50.00 | |
| 2 | d463ce8c.datahighways.de (212.99.206.140) | 66.155.139.155 | FTP | 1 | 52 | 50.00 | |
| 3 | 59.14.163.5 | 66.155.139.150 | TCP/7212 | 1 | 0 | 0.00 | |
| 4 | 59.14.163.5 | 66.155.139.155 | TCP/7212 | 1 | 0 | 0.00 | |
| 5 | VG-4-11.dialup.access.telecore.net.ru (213.135.64.160) | 66.155.139.155 | TCP/25 - smtp | 1 | 0 | 0.00 | |
| 6 | 66-214-116-136.dhcp.hspr.ca.charter.com (66.214.116.136) | 66.155.139.150 | TCP/445 - netbios | 9 | 0 | 0.00 | |
| 7 | 66-214-116-136.dhcp.hspr.ca.charter.com (66.214.116.136) | 66.155.139.155 | TCP/445 - netbios | 9 | 0 | 0.00 | |
| 8 | 69-18-47-238.lisco.net (69.18.47.238) | 66.155.139.155 | TCP/25 - smtp | 22 | 0 | 0.00 | |
| 9 | file.tnu.edu.tw (140.129.140.206) | 66.155.139.155 | UDP/1434 - ms sql monitor | 1 | 0 | 0.00 | |
| 10 | 204.16.208.119 | 66.155.139.150 | UDP/1027 - blaster-worm | 1 | 0 | 0.00 | |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | FTP | 2 | 104 | 100.00 | |
| 2 | TCP/7212 | 14 | 0 | 0.00 | |
| 3 | TCP/25 - smtp | 23 | 0 | 0.00 | |
| 4 | TCP/445 - netbios | 160 | 0 | 0.00 | |
| 5 | UDP/1434 - ms sql monitor | 17 | 0 | 0.00 | |
| 6 | UDP/1027 - blaster-worm | 5 | 0 | 0.00 | |
| 7 | PING | 12 | 0 | 0.00 | |
| 8 | TCP/4899 - radmin | 46 | 0 | 0.00 | |
| 9 | TCP/22 - ssh | 9 | 0 | 0.00 | |
| 10 | TCP/1026 - trojan | 6 | 0 | 0.00 | |

Top 10 protocol TCP/25 - smtp: Sources, destinations, and traffic

| No | Source | Destination | Connections | Bytes | Comment |
|---|---|---|---|---|---|
| 1 | VG-4-11.dialup.access.telecore.net.ru (213.135.64.160) | 66.155.139.155 | 1 | 0 | |
| 2 | 69-18-47-238.lisco.net (69.18.47.238) | 66.155.139.155 | 22 | 0 | |

Firewall: fw.celotexfiberboard.com - Interfaces: eth1 to N/A

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 129.33.94.73 | 5,920 | 63.81 | |
| 2 | 198.248.214.7 | 2,960 | 31.90 | |
| 3 | 222.238.84.21 | 80 | 0.86 | |
| 4 | 66.155.248.199 | 72 | 0.78 | |
| 5 | 107.198-pool-nas2-lor.sccoast.net (66.153.198.107) | 72 | 0.78 | |
| 6 | 207.218.223.100 | 58 | 0.63 | |
| 7 | 67.15.240.38 | 58 | 0.63 | |
| 8 | 207.218.223.93 | 58 | 0.63 | |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 66.155.139.158 | 9,278 | 100.00 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | 129.33.94.73 | PING | 4 | 5,920 | 63.81 | |
| 2 | 198.248.214.7 | PING | 2 | 2,960 | 31.90 | |
| 3 | 222.238.84.21 | PING | 2 | 80 | 0.86 | |
| 4 | 66.155.248.199 | PING | 1 | 72 | 0.78 | |
| 5 | 107.198-pool-nas2-lor.sccoast.net (66.153.198.107) | PING | 1 | 72 | 0.78 | |
| 6 | 207.218.223.100 | PING | 1 | 58 | 0.63 | |
| 7 | 67.15.240.38 | PING | 1 | 58 | 0.63 | |
| 8 | 207.218.223.93 | PING | 1 | 58 | 0.63 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | 129.33.94.73 | 66.155.139.158 | PING | 4 | 5,920 | 63.81 | |
| 2 | 198.248.214.7 | 66.155.139.158 | PING | 2 | 2,960 | 31.90 | |
| 3 | 222.238.84.21 | 66.155.139.158 | PING | 2 | 80 | 0.86 | |
| 4 | 66.155.248.199 | 66.155.139.158 | PING | 1 | 72 | 0.78 | |
| 5 | 107.198-pool-nas2-lor.sccoast.net (66.153.198.107) | 66.155.139.158 | PING | 1 | 72 | 0.78 | |
| 6 | 207.218.223.100 | 66.155.139.158 | PING | 1 | 58 | 0.63 | |
| 7 | 67.15.240.38 | 66.155.139.158 | PING | 1 | 58 | 0.63 | |
| 8 | 207.218.223.93 | 66.155.139.158 | PING | 1 | 58 | 0.63 | |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | PING | 13 | 9,278 | 100.00 | |

Firewall: fw.celotexfiberboard.com - Interfaces: eth2 to eth0

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 10.0.0.80 | 5,349,612 | 30.32 | |
| 2 | 10.0.0.83 | 4,284,843 | 24.29 | |
| 3 | 10.35.94.137 | 1,675,149 | 9.49 | |
| 4 | 192.168.0.176 | 1,420,124 | 8.05 | 7 denials recorded on 3/21/2006 9:36:42 AM |
| 5 | 10.35.94.112 | 1,251,052 | 7.09 | |
| 6 | 10.35.94.121 | 1,200,492 | 6.80 | |
| 7 | 10.35.93.103 | 1,021,692 | 5.79 | |
| 8 | 10.0.0.58 | 656,848 | 3.72 | |
| 9 | 10.35.94.139 | 299,784 | 1.70 | |
| 10 | 10.80.80.75 | 136,028 | 0.77 | 23 denials recorded on 3/21/2006 9:36:42 AM |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.1.5 | 11,375,880 | 64.48 | |
| 2 | 192.168.1.3 | 6,124,073 | 34.71 | 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 3 | 192.168.1.10 | 80,033 | 0.45 | |
| 4 | 192.168.1.2 | 63,102 | 0.36 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | 10.0.0.80 | TCP/3389 - ms rdp | 2 | 5,349,612 | 30.32 | |
| 2 | 10.0.0.83 | TCP/3389 - ms rdp | 2 | 4,284,843 | 24.29 | |
| 3 | 10.35.94.137 | TCP/3389 - ms rdp | 2 | 1,675,149 | 9.49 | |
| 4 | 192.168.0.176 | TCP/1410 | 6 | 1,414,354 | 8.02 | 7 denials recorded on 3/21/2006 9:36:42 AM |
| 5 | 10.35.94.112 | TCP/1410 | 3 | 1,250,610 | 7.09 | |
| 6 | 10.35.94.121 | TCP/1410 | 10 | 1,198,724 | 6.79 | |
| 7 | 10.35.93.103 | TCP/1410 | 4 | 1,020,808 | 5.79 | |
| 8 | 10.0.0.58 | TCP/1410 | 6 | 656,848 | 3.72 | |
| 9 | 10.35.94.139 | TCP/1410 | 3 | 296,942 | 1.68 | |
| 10 | 10.80.80.75 | TCP/1410 | 10 | 128,186 | 0.73 | 23 denials recorded on 3/21/2006 9:36:42 AM |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | 10.0.0.80 | 192.168.1.5 | TCP/3389 - ms rdp | 2 | 5,349,612 | 30.32 | |
| 2 | 10.0.0.83 | 192.168.1.5 | TCP/3389 - ms rdp | 2 | 4,284,843 | 24.29 | |
| 3 | 10.35.94.137 | 192.168.1.5 | TCP/3389 - ms rdp | 2 | 1,675,149 | 9.49 | |
| 4 | 192.168.0.176 | 192.168.1.3 | TCP/1410 | 6 | 1,414,354 | 8.02 | 7 denials recorded on 3/21/2006 9:36:42 AM; 15139 denials recorded on 4/3/2006 11:01:31 PM |
| 5 | 10.35.94.112 | 192.168.1.3 | TCP/1410 | 3 | 1,250,610 | 7.09 | |
| 6 | 10.35.94.121 | 192.168.1.3 | TCP/1410 | 10 | 1,198,724 | 6.79 | |
| 7 | 10.35.93.103 | 192.168.1.3 | TCP/1410 | 4 | 1,020,808 | 5.79 | |
| 8 | 10.0.0.58 | 192.168.1.3 | TCP/1410 | 6 | 656,848 | 3.72 | |
| 9 | 10.35.94.139 | 192.168.1.3 | TCP/1410 | 3 | 296,942 | 1.68 | |
| 10 | 10.80.80.75 | 192.168.1.3 | TCP/1410 | 10 | 128,186 | 0.73 | 23 denials recorded on 3/21/2006 9:36:42 AM |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | TCP/3389 - ms rdp | 8 | 11,375,880 | 64.48 | |
| 2 | TCP/1410 | 49 | 6,097,654 | 34.56 | |
| 3 | UDP/53 - dns | 148 | 66,286 | 0.38 | |
| 4 | TCP/2967 | 26 | 65,160 | 0.37 | |
| 5 | TCP/135 - ms rpc | 31 | 13,182 | 0.07 | |
| 6 | TCP/1333 | 6 | 12,406 | 0.07 | |
| 7 | UDP/137 - netbios | 40 | 7,224 | 0.04 | |
| 8 | TCP/445 - netbios | 1 | 5,296 | 0.03 | |

Top 10 protocol TCP/3389 - ms rdp: Sources, destinations, and traffic

| No | Source | Destination | Connections | Bytes | Comment |
|---|---|---|---|---|---|
| 1 | 10.0.0.80 | 192.168.1.5 | 2 | 5,349,612 | |
| 2 | 10.0.0.83 | 192.168.1.5 | 2 | 4,284,843 | |
| 3 | 10.35.94.137 | 192.168.1.5 | 2 | 1,675,149 | |
| 4 | 192.168.0.153 | 192.168.1.5 | 1 | 37,219 | |
| 5 | 192.168.0.158 | 192.168.1.5 | 1 | 29,057 | |

Firewall: fw.celotexfiberboard.com - Interfaces: eth2 to eth1

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 10.80.80.75 | 265,081,620 | 18.95 | 23 denials recorded on 3/21/2006 9:36:42 AM |
| 2 | 10.35.94.136 | 235,404,127 | 16.83 | |
| 3 | 10.35.93.84 | 108,556,698 | 7.76 | |
| 4 | 10.35.94.130 | 65,104,885 | 4.65 | |
| 5 | 10.0.0.76 | 52,408,517 | 3.75 | |
| 6 | 10.35.93.76 | 42,821,956 | 3.06 | |
| 7 | 192.168.0.152 | 38,589,719 | 2.76 | |
| 8 | 10.35.94.121 | 38,083,988 | 2.72 | |
| 9 | 10.80.80.73 | 30,840,511 | 2.20 | |
| 10 | 192.168.0.158 | 30,189,317 | 2.16 | |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | hrpayroll-ml.ceridian.com (170.153.222.25) | 46,284,053 | 3.31 | |
| 2 | 216.185.128.200 | 40,701,538 | 2.91 | |
| 3 | 204.10.29.5 | 28,350,970 | 2.03 | |
| 4 | 69.25.149.40 | 18,663,733 | 1.33 | |
| 5 | 65.91.249.39 | 16,007,748 | 1.14 | |
| 6 | 69.9.169.216 | 15,230,151 | 1.09 | |
| 7 | 204.2.224.51 | 14,222,919 | 1.02 | |
| 8 | 199.41.238.63 | 14,190,679 | 1.01 | |
| 9 | bikiniriot.com (64.59.81.83) | 14,145,056 | 1.01 | |
| 10 | 204.10.29.8 | 14,063,955 | 1.01 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | 10.80.80.75 | HTTP | 30,159 | 245,114,721 | 17.52 | 23 denials recorded on 3/21/2006 9:36:42 AM |
| 2 | 10.35.94.136 | HTTP | 32,964 | 226,701,920 | 16.20 | |
| 3 | 10.35.93.84 | HTTP | 7,789 | 108,491,372 | 7.75 | |
| 4 | 10.35.94.130 | HTTP | 4,223 | 64,992,423 | 4.65 | |
| 5 | 10.0.0.76 | HTTP | 5,067 | 52,317,305 | 3.74 | |
| 6 | 10.35.94.121 | HTTP | 6,439 | 37,196,673 | 2.66 | |
| 7 | 192.168.0.152 | HTTP | 3,832 | 36,543,820 | 2.61 | |
| 8 | 10.35.93.76 | HTTP-HTTPS | 93 | 35,644,443 | 2.55 | |
| 9 | 10.80.80.73 | HTTP | 2,421 | 30,835,553 | 2.20 | |
| 10 | 10.0.0.63 | HTTP | 3,466 | 29,023,026 | 2.07 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | 10.35.94.130 | 216.185.128.200 | HTTP | 52 | 40,701,538 | 2.91 | |
| 2 | 10.35.93.76 | hrpayroll-ml.ceridian.com (170.153.222.25) | HTTP-HTTPS | 88 | 35,634,475 | 2.55 | |
| 3 | 10.35.94.136 | 69.25.149.40 | HTTP | 9 | 18,663,733 | 1.33 | |
| 4 | 10.35.94.136 | 65.91.249.39 | HTTP | 791 | 15,475,626 | 1.11 | |
| 5 | 10.80.80.1 | 204.10.29.5 | HTTP | 10 | 14,177,388 | 1.01 | |
| 6 | 10.35.94.234 | 204.10.29.5 | HTTP | 5 | 14,173,582 | 1.01 | |
| 7 | 10.0.0.76 | bikiniriot.com (64.59.81.83) | HTTP | 1,038 | 14,145,056 | 1.01 | |
| 8 | 10.35.93.100 | 204.10.29.8 | HTTP | 5 | 14,063,955 | 1.01 | |
| 9 | 192.168.0.253 | www.Level3.com (63.209.221.238) | HTTP | 5 | 14,063,955 | 1.01 | |
| 10 | 10.80.80.75 | 199.41.238.63 | HTTP-HTTPS | 119 | 13,523,351 | 0.97 | 23 denials recorded on 3/21/2006 9:36:42 AM |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | HTTP | 152,481 | 1,260,633,183 | 90.11 | |
| 2 | HTTP-HTTPS | 6,646 | 128,418,551 | 9.18 | |
| 3 | TCP/27030 | 4 | 3,455,917 | 0.25 | |
| 4 | TCP/19352 | 28 | 2,989,252 | 0.21 | |
| 5 | TCP/9951 | 25 | 2,680,747 | 0.19 | |
| 6 | TCP/27038 | 8 | 276,402 | 0.02 | |
| 7 | TCP/5190 - icq | 51 | 237,999 | 0.02 | |
| 8 | TCP/465 | 13 | 120,138 | 0.01 | |
| 9 | IP/50 | 2 | 90,344 | 0.01 | |
| 10 | TCP/8765 | 6 | 50,851 | 0.00 | |

Top 10 protocol TCP/25 - smtp: Sources, destinations, and traffic

| No | Source | Destination | Connections | Bytes | Comment |
|---|---|---|---|---|---|
| 1 | 221.140.55.71 | 65.5.124.0 | 3 | 0 | |
| 2 | 221.140.55.71 | 65.5.124.1 | 3 | 0 | |
| 3 | 221.140.55.71 | 65.5.124.2 | 3 | 0 | |
| 4 | 221.140.55.71 | 65.5.124.3 | 3 | 0 | |
| 5 | 221.140.55.71 | 65.5.124.4 | 3 | 0 | |
| 6 | 221.140.55.71 | 65.5.124.5 | 3 | 0 | |
| 7 | 221.140.55.71 | 65.5.124.8 | 3 | 0 | |
| 8 | 221.140.55.71 | 65.5.124.7 | 3 | 0 | |
| 9 | 221.140.55.71 | 65.5.124.6 | 3 | 0 | |
| 10 | 221.140.55.71 | 65.5.124.9 | 3 | 0 | |

Firewall: fw.celotexfiberboard.com - Interfaces: eth2 to N/A

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.0.253 | 11,586,736 | 100.00 | |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | www.hpq.com (192.6.234.10) | 11,586,736 | 100.00 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | 192.168.0.253 | FTP-DATA | 1 | 11,586,736 | 100.00 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | 192.168.0.253 | www.hpq.com (192.6.234.10) | FTP-DATA | 1 | 11,586,736 | 100.00 | |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | FTP-DATA | 1 | 11,586,736 | 100.00 | |

Firewall: fw.celotexfiberboard.com - Interfaces: N/A to eth0

Top 10 sources

| No | Source | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | sciftpgw.commerce.stercomm.com (209.95.224.122) | 6,600 | 100.00 | |

Top 10 destinations

| No | Destination | Bytes | % | Comment |
|---|---|---|---|---|
| 1 | 192.168.1.13 | 6,600 | 100.00 | |

Top 10 sources, protocols and bytes

| No | Source | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|
| 1 | sciftpgw.commerce.stercomm.com (209.95.224.122) | FTP-DATA | 21 | 6,600 | 100.00 | |

Top 10 sources, destinations, protocols and bytes

| No | Source | Destination | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|---|---|
| 1 | sciftpgw.commerce.stercomm.com (209.95.224.122) | 192.168.1.13 | FTP-DATA | 21 | 6,600 | 100.00 | |

Top 10 protocols

| No | Protocol | Connections | Bytes | % | Comment |
|---|---|---|---|---|---|
| 1 | FTP-DATA | 21 | 6,600 | 100.00 | |

Firewall: fw.celotexfiberboard.com - Interface: N/A
Top 10 sources
NoSourceBytes%Comment
166.155.139.158137,082,78995.09 
2192.168.1.1796,174,2134.28 
3192.168.1.131706,3720.49 
410.35.94.13651,2850.04 
5192.168.1.13633,1380.02 
610.35.93.8433,1380.02 
710.35.94.10919,0120.01 
810.80.80.7513,8110.0123 denials recorded on 3/21/2006 9:36:42 AM
9192.168.1.311,5340.0115139 denials recorded on 4/3/2006 11:01:31 PM
10mail.dampa.dk (80.199.83.65)8,4290.01 

Top 10 destinations
NoDestinationBytes%Comment
1204.183.33.108126,691,00887.88 
2192.168.1.2536,880,5854.77 
3cpe-66-74-28-105.dc.res.rr.com (66.74.28.105)3,250,3142.25 
4c-24-15-78-209.hsd1.il.comcast.net (24.15.78.209)2,251,0611.56 
5adsl-70-156-143-129.mia.bellsouth.net (70.156.143.129)1,900,8391.32 
6dsl-216-227-96-131.fairpoint.net (216.227.96.131)735,1950.51 
7c-68-49-50-223.hsd1.md.comcast.net (68.49.50.223)675,7360.47 
8c-24-12-191-23.hsd1.il.comcast.net (24.12.191.23)489,3540.34 
9c-67-163-115-70.hsd1.va.comcast.net (67.163.115.70)422,5830.29 
10c-67-163-52-39.hsd1.il.comcast.net (67.163.52.39)304,1780.21 

Top 10 sources, protocols and bytes
NoSourceProtocolConnectionsBytes%Comment
166.155.139.158ESP/SHA119137,082,78995.09 
2192.168.1.179SGMI046,174,2134.28 
3192.168.1.131SGMI02706,3720.49 
410.35.94.136HTTP7051,2850.04 
5192.168.1.136HTTP4233,1380.02 
610.35.93.84HTTP4233,1380.02 
710.35.94.109HTTP1119,0120.01 
810.80.80.75HTTP2513,8110.0123 denials recorded on 3/21/2006 9:36:42 AM
9192.168.1.3HTTP14611,5340.0115139 denials recorded on 4/3/2006 11:01:31 PM
10mail.dampa.dk (80.199.83.65)HTTP078,4290.01 

Top 10 sources, destinations, protocols and bytes
NoSourceDestinationProtocolConnectionsBytes%Comment
166.155.139.158204.183.33.108ESP/SHA04126,691,00887.88 
2192.168.1.179192.168.1.253SGMI046,174,2134.28 
366.155.139.158cpe-66-74-28-105.dc.res.rr.com (66.74.28.105)ESP/SHA113,250,3142.25 
466.155.139.158c-24-15-78-209.hsd1.il.comcast.net (24.15.78.209)ESP/SHA152,251,0611.56 
566.155.139.158adsl-70-156-143-129.mia.bellsouth.net (70.156.143.129)ESP/SHA011,900,8391.32 
666.155.139.158dsl-216-227-96-131.fairpoint.net (216.227.96.131)ESP/SHA06735,1950.51 
7192.168.1.131192.168.1.253SGMI02706,3720.49 
866.155.139.158c-68-49-50-223.hsd1.md.comcast.net (68.49.50.223)ESP/SHA04675,7360.47 
966.155.139.158c-24-12-191-23.hsd1.il.comcast.net (24.12.191.23)ESP/SHA01489,3540.34 
1066.155.139.158c-67-163-115-70.hsd1.va.comcast.net (67.163.115.70)ESP/SHA03422,5830.29 

Top 10 protocols
NoProtocolConnectionsBytes%Comment
1ESP/SHA119137,082,78995.09 
2SGMI066,880,5854.77 
3HTTP378204,6910.14 
4FTP01920.00 
5TCP/25 - smtp02000.00 
6CIFS11000.00 
7FTP-DATA02000.00 
8UDP/123 - ntp01000.00 

Top 10 protocol TCP/25 - smtp: Sources, destinations, and traffic
NoSourceDestinationConnectionsBytesComment
1VG-4-11.dialup.access.telecore.net.ru (213.135.64.160)N/A0100 
2mailgate1.sitestar.net (72.236.205.252)N/A0100 

Firewall: fw.celotexfiberboard.com - Interface: eth2
Top 10 denied sources
NoSourceConnectionsFirst denial%Comment
110.80.80.75233/21/2006 9:36:42 AM41.8223 denials recorded on 3/21/2006 9:36:42 AM
2222.73.4.156143/21/2006 10:21:51 AM25.4514 denials recorded on 3/21/2006 10:21:51 AM
3192.168.0.176073/21/2006 9:36:42 AM12.737 denials recorded on 3/21/2006 9:36:42 AM
410.35.93.106043/21/2006 9:36:42 AM07.27 
510.35.94.121033/21/2006 6:05:27 AM05.45 
6222.73.4.158023/21/2006 1:29:22 AM03.64 
7218.66.104.246013/21/2006 1:11:01 AM01.82 
810.35.93.103013/21/2006 9:36:43 AM01.82 

Top 10 destinations for denied connections
NoDestinationConnectionsFirst denial%Comment
1192.168.1.3383/21/2006 6:05:27 AM69.0915139 denials recorded on 4/3/2006 11:01:31 PM
265.5.124.18023/21/2006 1:11:01 AM03.64 
365.5.124.24023/21/2006 12:25:41 PM03.64 
465.5.124.9013/21/2006 1:29:22 AM01.82 
565.5.124.6013/21/2006 1:30:14 AM01.82 
665.5.124.29013/21/2006 10:21:51 AM01.82 
765.5.124.12013/21/2006 11:14:31 AM01.82 
865.5.124.23013/21/2006 12:15:26 PM01.82 
965.5.124.25013/21/2006 1:07:01 PM01.82 
1065.5.124.0013/21/2006 1:13:34 PM01.82 

Top 10 denied protocols
NoDenied protocolConnectionsFirst denial%Comment
1TCP/135 - ms rpc383/21/2006 6:05:27 AM69.09 
2TCP/503023/21/2006 12:25:41 PM03.64 
3TCP/1004013/21/2006 1:11:01 AM01.82 
4TCP/826013/21/2006 1:29:22 AM01.82 
5TCP/336013/21/2006 1:30:14 AM01.82 
6TCP/743013/21/2006 10:21:51 AM01.82 
7TCP/308013/21/2006 11:14:31 AM01.82 
8TCP/690013/21/2006 12:15:26 PM01.82 
9TCP/353013/21/2006 1:07:01 PM01.82 
10TCP/195013/21/2006 1:13:34 PM01.82 

Top 10 denial reasons
NoDenial reasonConnectionsFirst denial%Comment
1Possible port scan detected553/21/2006 1:11:01 AM100.00 

Top 10 denied sources, destinations, protocols and reasons
NoSourceDestinationProtocolReasonConnectionsFirst denial%Comment
110.80.80.75192.168.1.3TCP/135 - ms rpcPossible port scan detected233/21/2006 9:36:42 AM41.8223 denials recorded on 3/21/2006 9:36:42 AM
23 denials recorded on 3/21/2006 9:36:42 AM
15139 denials recorded on 4/3/2006 11:01:31 PM
2192.168.0.176192.168.1.3TCP/135 - ms rpcPossible port scan detected073/21/2006 9:36:42 AM12.737 denials recorded on 3/21/2006 9:36:42 AM
310.35.93.106192.168.1.3TCP/135 - ms rpcPossible port scan detected043/21/2006 9:36:42 AM7.27 
410.35.94.121192.168.1.3TCP/135 - ms rpcPossible port scan detected033/21/2006 6:05:27 AM5.45 
5222.73.4.15665.5.124.24TCP/503Possible port scan detected023/21/2006 12:25:41 PM3.6414 denials recorded on 3/21/2006 10:21:51 AM
6218.66.104.24665.5.124.18TCP/1004Possible port scan detected013/21/2006 1:11:01 AM1.82 
7222.73.4.15865.5.124.9TCP/826Possible port scan detected013/21/2006 1:29:22 AM1.82 
8222.73.4.15865.5.124.6TCP/336Possible port scan detected013/21/2006 1:30:14 AM1.82 
910.35.93.103192.168.1.3TCP/135 - ms rpcPossible port scan detected013/21/2006 9:36:43 AM1.82 
10222.73.4.15665.5.124.29TCP/743Possible port scan detected013/21/2006 10:21:51 AM1.82 

Top 10 denied protocols and reasons
NoProtocolReasonDenials%Comment
1TCP/135 - ms rpcPossible port scan detected3869.09 
2TCP/503Possible port scan detected023.64 
3TCP/1004Possible port scan detected011.82 
4TCP/826Possible port scan detected011.82 
5TCP/336Possible port scan detected011.82 
6TCP/743Possible port scan detected011.82 
7TCP/308Possible port scan detected011.82 
8TCP/690Possible port scan detected011.82 
9TCP/353Possible port scan detected011.82 
10TCP/195Possible port scan detected011.82 

Firewall: fw.celotexfiberboard.com - Interfaces: Not specified
Top 10 denied sources
NoSourceConnectionsFirst denial%Comment
1ns1.sfj.pnap.net (216.52.1.1)3,0403/21/2006 12:00:14 AM08.993040 denials recorded on 3/21/2006 12:00:14 AM
2niconet2k.com (65.110.41.44)2,6883/21/2006 12:00:13 AM07.952688 denials recorded on 3/21/2006 12:00:13 AM
364.134.205.12,1603/21/2006 12:01:33 AM06.392160 denials recorded on 3/21/2006 12:01:33 AM
410.5.55.982,1603/21/2006 8:10:25 AM06.39 
510.5.55.992,1543/21/2006 8:10:30 AM06.37 
6mail.daveevanstransports.com (24.158.21.10)1,3453/21/2006 12:00:11 AM03.98 
7mail.village-npb.org (65.5.152.162)5203/21/2006 12:03:04 AM01.54 
865.5.124.23853/21/2006 12:02:47 AM01.14 
965.5.124.183633/21/2006 12:02:48 AM01.07 
1065.5.124.233483/21/2006 12:02:47 AM01.03 

Top 10 destinations for denied connections
NoDestinationConnectionsFirst denial%Comment
110.35.93.743,3043/21/2006 12:00:14 AM09.77 
2192.168.1.1382,3283/21/2006 8:10:25 AM06.88 
310.80.80.642,1603/21/2006 12:01:33 AM06.39 
4192.168.1.1411,9863/21/2006 9:20:01 AM05.87 
510.254.1.51,3453/21/2006 12:00:11 AM03.98 
610.254.10.51,3443/21/2006 12:00:13 AM03.97 
710.254.254.2541,3443/21/2006 12:00:38 AM03.97 
8192.168.1.1821,3023/21/2006 8:36:09 AM03.85 
9origin-admin-sc9-b.stg-ciscoeos.com (204.16.208.112)8263/21/2006 12:48:56 AM02.44 
1010.35.94.1365553/21/2006 5:07:17 AM01.64 

Top 10 denied protocols
NoDenied protocolConnectionsFirst denial%Comment
1UDP/123 - ntp7,2883/21/2006 12:00:11 AM21.55 
2UDP/137 - netbios6,9223/21/2006 12:01:33 AM20.47 
3UDP/1026 - blaster-worm5,2293/21/2006 12:02:47 AM15.46 
4TCP/445 - netbios1,7243/21/2006 12:17:52 AM05.10 
5TCP/135 - ms rpc1,6163/21/2006 12:03:04 AM04.78 
6UDP/1027 - blaster-worm1,4433/21/2006 12:07:20 AM04.27 
7PING1,3913/21/2006 12:04:42 AM04.11 
8TCP/50619353/21/2006 8:44:53 AM02.76 
9TCP/72125473/21/2006 12:09:27 AM01.62 
10TCP/36015283/21/2006 12:00:57 AM01.56 

Top 10 denial reasons
NoDenial reasonConnectionsFirst denial%Comment
1 [default rule] [no rules found]29,5013/21/2006 12:00:11 AM87.23 
2TCP Reset3,8403/21/2006 12:00:57 AM11.35 
3packet addressed to firewall and no redirection found2613/21/2006 12:09:34 AM00.77 
4 [rule id 4] [explicit deny rule]2183/21/2006 3:16:06 AM00.64 

Top 10 denied sources, destinations, protocols and reasons
NoSourceDestinationProtocolReasonConnectionsFirst denial%Comment
1ns1.sfj.pnap.net (216.52.1.1)10.35.93.74UDP/123 - ntp [default rule] [no rules found]3,0403/21/2006 12:00:14 AM8.993040 denials recorded on 3/21/2006 12:00:14 AM
264.134.205.110.80.80.64UDP/137 - netbios [default rule] [no rules found]2,1603/21/2006 12:01:33 AM6.392160 denials recorded on 3/21/2006 12:01:33 AM
3mail.daveevanstransports.com (24.158.21.10)10.254.1.5UDP/123 - ntp [default rule] [no rules found]1,3453/21/2006 12:00:11 AM3.98 
4niconet2k.com (65.110.41.44)10.254.10.5UDP/123 - ntp [default rule] [no rules found]1,3443/21/2006 12:00:13 AM3.972688 denials recorded on 3/21/2006 12:00:13 AM
5niconet2k.com (65.110.41.44)10.254.254.254UDP/123 - ntp [default rule] [no rules found]1,3443/21/2006 12:00:38 AM3.97 
610.5.55.99192.168.1.138UDP/137 - netbios [default rule] [no rules found]1,1763/21/2006 8:10:30 AM3.48 
710.5.55.98192.168.1.138UDP/137 - netbios [default rule] [no rules found]1,1523/21/2006 8:10:25 AM3.41 
810.5.55.98192.168.1.141UDP/137 - netbios [default rule] [no rules found]1,0083/21/2006 9:20:01 AM2.98 
910.5.55.99192.168.1.141UDP/137 - netbios [default rule] [no rules found]9783/21/2006 9:20:06 AM2.89 
10140.242.26.910.35.93.74TCP/3601 [default rule] [no rules found]2643/21/2006 12:00:57 AM0.78 

Top 10 denied protocols and reasons
NoProtocolReasonDenials%Comment
1UDP/123 - ntp [default rule] [no rules found]7,28821.55 
2UDP/137 - netbios [default rule] [no rules found]6,92220.47 
3UDP/1026 - blaster-worm [default rule] [no rules found]5,22915.46 
4TCP/445 - netbios [default rule] [no rules found]1,7245.10 
5UDP/1027 - blaster-worm [default rule] [no rules found]1,4434.27 
6PING [default rule] [no rules found]1,3914.11 
7TCP/135 - ms rpcTCP Reset8162.41 
8TCP/135 - ms rpc [default rule] [no rules found]8002.37 
9TCP/5061 [default rule] [no rules found]4681.38 
10TCP/5061TCP Reset4671.38 

Top 10 warning messages
NoSourceDestinationProtocolWarningCountFirst warning%Comment
1192.168.1.5192.168.0.90UDP/161 - snmpIDS: Suspicious SNMP traffic1453/21/2006 12:04:18 AM10.48 
2192.168.0.90192.168.1.5UDP/1041IDS: Suspicious SNMP traffic1443/21/2006 12:04:18 AM10.40 
3192.168.1.1066.155.139.151UDP/53 - dnsIDS: DNS Malformed Data1343/21/2006 12:00:16 AM9.68 
410.35.94.127172.22.192.20UDP/161 - snmpIDS: Suspicious SNMP traffic1163/21/2006 6:21:34 AM8.38 
510.35.94.127172.22.192.22UDP/161 - snmpIDS: Suspicious SNMP traffic1163/21/2006 6:21:58 AM8.38 
610.35.94.127172.22.192.19UDP/161 - snmpIDS: Suspicious SNMP traffic1133/21/2006 6:21:16 AM8.16 
710.35.94.111192.168.1.3TCP/25 - smtpIDS: SMTP Malformed Domain Name123/21/2006 9:31:37 AM0.8715139 denials recorded on 4/3/2006 11:01:31 PM
8TCP10.35.94.13668.142.233.168IDS: HTTP Malformed URL053/21/2006 3:32:31 PM0.36 
9TCP192.168.1.13668.142.233.170IDS: HTTP Malformed URL043/21/2006 9:37:58 AM0.29 
10TCP10.35.93.8468.142.233.164IDS: HTTP Malformed URL043/21/2006 1:53:06 PM0.29 

Other messages
NoCodeMessage sampleCountComment
1239Sending TCP reset not allowed, Source IP=10.35.93.106, Destination IP=192.168.1.3, IP Code=TCP, Flag=SYN, Source Port=2082, Destination Port=135, Adapter=eth2325615139 denials recorded on 4/3/2006 11:01:31 PM
2343Using rule ID 8 because two equally good rules were found. Rule 5 = Rule 8, Program Name=GWControl Service, Operation=Validate, Status=Success, State=OK2187 
3228Cannot connect to port, Program Name=httpd, Operation=Connect, Resource=63.208.226.225, Status=[110] Connection tim, State=Fail, Protocol=http, Host=63.208.226.225, Destination Port=80, IP Address=63.208.226.225529 
4456HTTPS service not supported, Program Name=httpd, Operation=Connect, Resource=192.168.1.3, Status=Failure, State=Abort146 
5335VPN packet dropped because VPN is not enabled, Source IP=69.222.255.63, Destination IP=66.155.139.158, Payload=0xb22f3b85121 
6301Repeated:, Consolidated Message=343 WARNING: Packet for interface was routed to interface, Count=2, Source IP=10.254.254.1, Destination IP=12.119.118.26, IP Code=ICMP, IP Code=Unreachable (host prohibited), String Value=Inner Packet data follows, Source IP=12.119.118.26, Destination IP=135.89.152.51, IP Code=ICMP, IP Subtype ID=26040, IP Code=Echo reply, Adapter=eth2, IP Address=66.155.139.158100 
7152LiveUpdate found files up-to-date, Program Name=IDS, Operation=Live Update, Resource=Intrusion Detection and Prevention Subscription Update, Status=Success, State=OK72 
8201Repeated, Consolidated Message=232 NOTICE: Sending ICMP unreachable, Count=2, IP Code=Unreachable (host prohibited), Source IP=12.119.118.26, Destination IP=135.89.152.51, IP Code=ICMP, IP Subtype ID=26040, IP Code=Echo reply, Adapter=eth266 
9122Daemon listening on port(s), Program Name=User Library, Operation=Initialize, Resource= 80/tcp, 443/tcp, Status=Success, State=OK58 
10238User proxy by means of outside interface is not allowed, use httpd.allow_external_proxy to change it, Program Name=httpd, Operation=Connect, Status=Failure, State=Denying, User=63.229.225.195, Interface=eth154 
11219Cannot parse URL, Program Name=httpd, Operation=Validate, Resource=OPTIONS / HTTP/1.1\r\ntranslate: f\r\nUser-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600\r\nHost: 66.155.139.150\r\nContent-Length: 0\r\nConnection: Keep-Alive\r\n\r\n, Status=Failure, State=Fail481 denials recorded on 11/13/2006 4:32:48 PM
12109Re-reading configuration file, Information=Bad Services traffic saturation alert threshold set to: 20.00 %34 
13334Denied access to command, Count=1, Source Name=83.110.176.142, Source IP=2.0.13.121, Destination Name=66.155.139.150, Destination IP=2.0.0.139, Source Interface=66.155.139.15829 
14227VPN packet dropped because the packet is either too old or has been received before by tunnel (potential replay attack), Source IP=204.183.33.108, Destination IP=66.155.139.158, IP Code=UDP, Source Port=56092, Destination Port=786, Tunnel=3.isakmp.30@204.183.33.10829 
15117Daemon starting, Program Name=rtspd, Operation=Initialize, Resource=rtspd, Status=Success, State=Starting28 
16230Not authorized, Protocol=TCP GSP, Source IP=69.18.47.238, Source Port=2827, Source Name=69.18.47.23825 
17124Parameters and filters set for interfaces, Setting=eth2, Operation=Modify, Revision=018 
18170IDS: Open called on device ids17 
19344Non-transparent call, Source Name=220.135.254.38, Source IP=220.135.254.38, Destination Name=fw.celotexfiberboard.com, Destination IP=66.155.139.15812 
20115Successful authentication from remote management client, User=jolson, Source IP=192.168.1.131, Source Name=192.168.1.131, Destination IP=192.168.1.253, Destination Port=245611 
21116Remote management completed, User=jolson, Source IP=192.168.1.131, Source Name=192.168.1.131, Destination IP=192.168.1.253, Destination Port=245610 
22164Received command to reload filter configuration, Operation=Modify, Revision=06 
23131Remote management connection request, From=192.168.1.179, To=192.168.1.253, Source Port=4247, Destination Port=4235 
24101Time reset, Type=step, Offset=-0.1422205 
25240TCP packet dropped due to bad TCP flags combination, Source IP=88.136.165.218, Destination IP=65.5.124.4, IP Code=TCP, Flag=FIN, Source Port=51679, Destination Port=60729, Adapter=eth2, Probable Probe=QueSO, Flag=0x013 
26271Temporarily suppressing messages because the security gateway has reached log limits for driver messages at this level, Count=200, Interval=seconds3 
27452LiveUpdate failed, Program Name=Content Filtering, Operation=Live Update, Resource=Content Filtering URL Update, Status=Failure, State=Fail2 
28226IP packet dropped due to bad source address, Source IP=127.0.0.1, Destination IP=192.168.1.10, IP Code=ICMP, IP Subtype ID=1234, IP Code=Echo request, Adapter=eth22 
29401Remote management login failed, User=jolson, Source IP=192.168.1.131, Source Name=192.168.1.131, Destination IP=192.168.1.253, Destination Port=24562 
30370NET: 5 messages suppressed.1 
31118Daemon exiting, Program Name=GWControl Service, Operation=Validate, Resource=signal(15), Status=Success, State=OK1 
To assist us in improving the analyzer, please send the messages above to support@firegen.com and they will be added to the next release of Firegen.

Analysis details
Analysis start time: 11/15/2011 7:15:30 PM
Analysis duration: 4.49 minutes (269 seconds)
Analysis engine version: SGS parser version: 0.01
FireGen30Service.exe - FireGen scheduler service: 3.0.0.0
Filtering criteria: All entries
Excluded keywords: None
Glossary
!!! - Indicates that a high denials:connections ratio has been detected. The currently configured ratio is 3: the !!! marker is shown when the percentage of denials for that hour is more than 3 times the connections percentage. This points to unusual denial activity that may need to be investigated. The ratio can be configured on the Report Formats interface.
Other messages - The Other messages section lists messages not yet configured in the Firegen parser. Please send these messages to us (support@firegen.com) and we will add them in the next Firegen update. These messages are included in the list of message types, but they are not yet fully understood by the analyzer.