Hello, I am a new user of Kerio and was looking through the logs and alerts. I found an alert or log in NIPS of a port scan that had been done on my computer while visiting Brinkshomesecurity and surfing the site. I did not get an alert while at the site, only found it in the logs & alerts. What I am wondering is if I can see further information about this alert-log? I looked at the WEB logs and really can't tell for sure which entries caused the alert-log. I would also think if this was an alert, it should have splashed a pop-up or something. Am I missing setting up something to see clearer info on HIPS logs-alerts? When I installed the firewall, I selected advanced. See attached screen shot please? controler
An alert would have been a bit overboard. A portscan is nothing to worry about and all it does is see if your computer is actually there and connected to the internet, which Kerio doesn't confirm since it "stealths" all 65,000 something ports. All the information needed was provided in that log. It really isn't a big deal, Kerio is protecting you. Alphalutra1
Thanks. I still do not see why that site needs to see if I am here. I don't see too many sites doing port scans that are not security sites or secure servers. controler
Question is: what difference does it make? There's nothing there that can harm you in any way, so why worry about it? Kerio is handling things fine..
My point was not if I was in harm's way but why would a home security firm, which installs home security hardware, be doing port scans to its customers?
Ok, well, I don't know why either, but the wonders of the internet are many.. short answer: who knows?
Well that certainly does not tell you much. Does this version of Kerio also keep a text log somewhere that may have more detail? I doubt the Brinks site you were visiting was port scanning you. If that feature in the current Kerio is anything like the "Log Suspicious Packets" in the old Kerio, it is likely just late return packets being misinterpreted as such. Regards, CrazyM
Thank you. I suppose I could dig into the help file a bit more. Here is an advanced setting for log to syslog in this version.
Code:
[20/Feb/2006 08:54:44] "Ids" action = 'detected', raddr = '12.5.251.205', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
[20/Feb/2006 09:25:22] "Ids" action = 'detected', raddr = '12.5.251.205', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan

Unfortunately the text log is no more helpful than the original information provided in the interface. No details on protocol or source/destination ports. As I noted earlier, I doubt it was a port scan from that site. More likely a false positive from the NIPS component. Regards, CrazyM
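An added example, not part of the original thread: a small Python parser for the syslog lines quoted above. It lists the fields each record carries (none for protocol or ports) and counts detections per remote address. The function names are illustrative and the line format is assumed from these two lines only.

```python
import re
from collections import defaultdict
from datetime import datetime

# The two syslog lines quoted in the thread above.
SAMPLE_LOG = """\
[20/Feb/2006 08:54:44] "Ids" action = 'detected', raddr = '12.5.251.205', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
[20/Feb/2006 09:25:22] "Ids" action = 'detected', raddr = '12.5.251.205', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
"""

# Assumed layout: [timestamp] "module" key = 'value', ..., key = bareword
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+"(?P<module>[^"]+)"\s+(?P<rest>.*)$')
# A value is either single-quoted (possibly empty) or a bare word (priority).
FIELD_RE = re.compile(r"(\w+)\s*=\s*(?:'([^']*)'|([^,\s]+))")


def parse_line(line):
    """Return one log record as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: quoted or bare for k, quoted, bare in FIELD_RE.findall(m["rest"])}
    when = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
    return {"time": when, "module": m["module"], "fields": fields}


def parse_log(text):
    """Parse every matching line of a log excerpt, skipping the rest."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def field_names(records):
    """Every key seen in any record, which shows what the log does not carry."""
    return sorted({k for r in records for k in r["fields"]})


def summarize_by_remote(records):
    """Count detections per remote address and the time from first to last."""
    times = defaultdict(list)
    for r in records:
        times[r["fields"].get("raddr", "?")].append(r["time"])
    return {addr: {"count": len(ts),
                   "span_seconds": int((max(ts) - min(ts)).total_seconds())}
            for addr, ts in times.items()}


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("fields present:", field_names(records))
    for addr, info in summarize_by_remote(records).items():
        print(addr, info)
```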