  1. #1
    3 Star Lounger baumgrenze's Avatar
    Join Date
    Feb 2001
    Location
    California, USA
    Posts
    262
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Router Log Tutorial

    I would appreciate a link to a brief tutorial on how to read a router log. I'm particularly interested in learning to recognize signs of trouble.

    I've gotten hints that suggest that excessive entries that read "TCP connection dropped" that come from the same address and seek access to a variety of ports are an item of concern to the internet community in general, but I find this hard to confirm.

    On 4/14-15/03 (during a 24-hour period) my Netgear FR314 logged 551 such probes where the frequency was 6 or more. This was many times what I see on an average day. If this is unusual, I want to know what a responsible net citizen should do under such circumstances.

    I also want to better understand the significance of dropped UDP packets, where I can see no pattern regarding addresses and ports. Is this more a result of poor DSL service than the handiwork of hackers? Yesterday my log contained 210 such references, again a larger than normal collection.

    Thanks for any insights and suggestions for further reading. I must be using the wrong search terms in Google.

    baumgrenze
    Baumgrenze
    Hier sind wir tief eingewurzelt.
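    The "signs of trouble" asked about above can be checked mechanically. The following is an added example, not code from the thread or from Netgear: it parses a handful of constructed firewall-log lines (the line format is an assumption, not the real FR314 format; adjust `LINE_RE` for your device), groups TCP drops by source address, and flags any source that probed 6 or more distinct ports, the threshold the post mentions. It also separates the other two patterns that turn up in such logs: one source hammering a single port, and scattered one-off UDP drops that carry no pattern at all.

```python
"""Port-scan heuristic over constructed firewall-log lines.

Added example; not from the original thread. The line format is a constructed
stand-in for a router drop log, not the real Netgear FR314 format.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines (not real FR314 output). Assumed format:
# "<date> <time> <proto> connection|packet dropped src=<ip>:<port> dst=<ip>:<port>"
SAMPLE_LOG = """\
04/14/03 22:01:05 TCP connection dropped src=203.0.113.7:4012 dst=192.0.2.10:21
04/14/03 22:01:09 TCP connection dropped src=203.0.113.7:4013 dst=192.0.2.10:22
04/14/03 22:01:13 TCP connection dropped src=203.0.113.7:4014 dst=192.0.2.10:23
04/14/03 22:01:17 TCP connection dropped src=203.0.113.7:4015 dst=192.0.2.10:25
04/14/03 22:01:21 TCP connection dropped src=203.0.113.7:4016 dst=192.0.2.10:80
04/14/03 22:01:25 TCP connection dropped src=203.0.113.7:4017 dst=192.0.2.10:135
04/14/03 22:01:29 TCP connection dropped src=203.0.113.7:4018 dst=192.0.2.10:139
04/14/03 22:03:00 TCP connection dropped src=198.51.100.4:1234 dst=192.0.2.10:135
04/14/03 22:03:40 TCP connection dropped src=198.51.100.4:1235 dst=192.0.2.10:135
04/14/03 22:05:11 UDP packet dropped src=198.51.100.9:53 dst=192.0.2.10:1030
04/14/03 22:07:52 UDP packet dropped src=203.0.113.77:1434 dst=192.0.2.10:1434
04/14/03 22:09:30 UDP packet dropped src=198.51.100.23:6970 dst=192.0.2.10:1027
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>TCP|UDP) (?:connection|packet) dropped "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class Drop:
    proto: str
    src: str
    dport: int


def parse_log(text):
    """Parse the lines that match LINE_RE; other lines (reboots, DHCP notices) are skipped."""
    drops = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        drops.append(Drop(m["proto"], m["src"], int(m["dport"])))
    return drops


def find_port_scanners(drops, min_distinct_ports=6):
    """Sources whose dropped TCP connections touched at least min_distinct_ports
    different destination ports: the 'same address, variety of ports' pattern.
    Returns {src: sorted list of ports}."""
    ports_by_src = defaultdict(set)
    for d in drops:
        if d.proto == "TCP":
            ports_by_src[d.src].add(d.dport)
    return {src: sorted(p) for src, p in ports_by_src.items()
            if len(p) >= min_distinct_ports}


def repeat_offenders(drops, min_hits=2):
    """Sources that hit one TCP port repeatedly (a worm or zombie retrying a
    single service), reported separately because it is not a scan."""
    hits = defaultdict(int)
    for d in drops:
        if d.proto == "TCP":
            hits[(d.src, d.dport)] += 1
    return {k: n for k, n in hits.items() if n >= min_hits}


def udp_drop_summary(drops):
    """Count UDP drops per (src, dport). Many singletons from unrelated sources
    and ports is background noise; a cluster on one port deserves a look."""
    counts = defaultdict(int)
    for d in drops:
        if d.proto == "UDP":
            counts[(d.src, d.dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    drops = parse_log(SAMPLE_LOG)
    print("port scanners:", find_port_scanners(drops))
    print("repeat offenders:", repeat_offenders(drops))
    print("udp drops:", udp_drop_summary(drops))
```

    On the sample above, 203.0.113.7 is reported as a scanner (seven distinct ports in under a minute), 198.51.100.4 as a repeat offender on one port, and the three UDP drops as unrelated singletons. The distinct-port count matters more than the raw count of dropped lines: 551 drops from one address on one port and 551 drops across fifty ports are very different events.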

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Router Log Tutorial

    Does NetGear offer anything specific? I've read a couple different firewall logs, but my sense is that each has its own way of saying things. In SonicWall, for example, a dropped packet was one that the firewall rules dictated should be ignored. But if there was a real attack, the firewall would say SYN flood or Ping of Death and not give you tons of detail. Not sure I'm helping here...

  3. #3
    3 Star Lounger baumgrenze's Avatar
    Join Date
    Feb 2001
    Location
    California, USA
    Posts
    262
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Re: Router Log Tutorial

    Thanks for the prompt reply.

    Netgear applies what it calls 'stateful packet inspection' and it is what I've been relying on as a firewall. Perhaps I should install software as well, but I have not yet done so.

    I have the router set up to post messages like the ones you note, both to the log and to an email at the time of the incident. I also get a daily log of all postings.

    I guess it spooks me when one user tries every few seconds for 51 times to find an open port on my system. In the past, when it has just been one offender, I've used ARIN to look up the address and then sent a copy of the log to "abuse@xxx". I can't tell if that is having any benefit or not. When I saw the, to me, flood of attempts a few days ago I wondered if there was a federal agency that should be warned that a concerted effort to set up a DoS attack was starting.

    Am I being 'Chicken Little'?

    Thanks,

    baumgrenze
    Baumgrenze
    Hier sind wir tief eingewurzelt.

  4. #4
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Router Log Tutorial

    Yes, stateful packet inspection is a firewall technology. The first few weeks, the log can be very exciting, but after a while, it's like spam: delete and move on. You should neither take it personally nor, if you have all the ports closed, worry about it. Of course, if you have nothing else to do with your time, you could try to hunt them down... bear in mind, though, that there are thousands of "zombies" on the Internet looking to infest new systems. Often, you are being probed by machines whose owners have no idea what's going on because they don't know they've been infiltrated. So if ARIN indicates an otherwise reputable institution, you might contact them rather than their upstream provider.

  5. #5
    3 Star Lounger baumgrenze's Avatar
    Join Date
    Feb 2001
    Location
    California, USA
    Posts
    262
    Thanks
    6
    Thanked 0 Times in 0 Posts

    Re: Router Log Tutorial

    Edited by WyllyWylly to add URL code. See the Quick Guide.

    I found this website while looking for something else last night. Do you know anything about them? I thought it looked interesting enough to enquire.

    http://isc.incidents.org/about.html

    An Invitation To Participate
    The Internet Storm Center project succeeds through active participation of people who use firewalls and intrusion detection systems and who understand how sharing the data from those systems is a powerful way to help themselves and the entire Internet community. To participate, email us at isw@sans.org. If you reside in the Asia-Pacific region, please contact apinfo@incidents.org.
    At the same time, national CERTs, managed security service providers, ISPs, and large organizations are invited to become Internet Storm Center SACCs. If you would like to participate, send us a note at isw@sans.org describing the user community you serve.
    Baumgrenze
    Hier sind wir tief eingewurzelt.

  6. #6
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Router Log Tutorial

    SANS has a lot of resources and also offers (not inexpensive) security courses and certifications. I'm on their mailing list, although I haven't used any of the paid services yet. There are a number of interesting security guides on their web site(s), probably most accessible through sans.org.

    I would be surprised if many home users were participating in the Internet Storm Center because, unlike their ISP, which controls the main pipeline and logs millions of packets, any given end-user will see very little traffic.
