Kerio Logs

Discussion in 'other firewalls' started by controler, Feb 21, 2006.

Thread Status:
Not open for further replies.
  1. controler

    controler Guest

    Hello

    I am a new user of Kerio and was looking through the logs and alerts.
    I found an alert or log in NIPS of a port scan that had been done on my computer while visiting Brinkshomesecurity and surfing the site.
    I did not get an alert while at the site, only found it in the logs & Alerts.
    What I am wondering is if I can see further information about this alert-log?
    I looked at the WEB logs and really can't tell for sure which entries caused the alert-log. I would also think if this was an alert, it should have splashed a pop-up or something. Am I missing setting up something to see clearer info on HIPS logs-alerts?
    When I installed the firewall, I selected advanced.

    See attached screen shot please?



    controler
     

    Attached Files:

    Last edited by a moderator: Feb 21, 2006
  2. Alphalutra1

    Alphalutra1 Registered Member

    Joined:
    Dec 17, 2005
    Posts:
    1,160
    Location:
    127.0.0.0/255.0.0.0
    An alert would have been a bit overboard. A portscan is nothing to worry about and all it does is see if your computer is actually there and connected to the internet, which Kerio doesn't confirm since it "stealths" all 65,000 something ports. All the information needed was provided in that log. It really isn't a big deal, Kerio is protecting you.

    Alphalutra1
     
  3. controler

    controler Guest

    Thanks

    I still do not see why that site needs to see if I am here.

    I don't see too many sites doing port scans that are not security sites or secure servers.

    controler
     
  4. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Question is: what difference does it make? There's nothing there that can harm you in any way, so why worry about it? Kerio is handling things fine..;)
     
  5. controler

    controler Guest

    My point was not if I was in harm's way but why would a home security firm, which installs home security hardware, be doing port scans on its customers?
     
  6. BILL G

    BILL G Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    80
    Location:
    MN USA
    A Fishing Expedition?
     
  7. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,786
    Ok, well, I don't know why either, but the wonders of the internet are many.. short answer: who knows?
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Well that certainly does not tell you much. Does this version of Kerio also keep a text log somewhere that may have more detail?

    I doubt the Brinks site you were visiting was port scanning you. If that feature in the current Kerio is anything like the "Log Suspicious Packets" in the old Kerio, it is likely just late return packets being misinterpreted as such.

    Regards,

    CrazyM
     
  9. controler

    controler Guest

    Thank you

    I suppose I could dig into the help file a bit more.

    Here is an advanced setting for log to syslog in this version.
     

    Attached Files:

  10. controler

    controler Guest

    Then in the Kerio LOGS folder I found the IDS log attached.


    controler
     

    Attached Files:

  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Code:
    [20/Feb/2006 08:54:44]  "Ids" action = 'detected', raddr = '12.5.251.205', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
    [20/Feb/2006 09:25:22]  "Ids" action = 'detected', raddr = '12.5.251.205', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
    Unfortunately the text log is no more helpful than the original information provided in the interface. No details on protocol or source/destination ports. As I noted earlier, I doubt it was a port scan from that site. More likely a false positive from the NIPS component.

    Regards,

    CrazyM
     
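The following is an added example and not code from the thread or from Kerio. It parses the IDS text log format quoted above (timestamp in square brackets, a quoted source tag, then comma-separated key = 'value' pairs, with the last value unquoted) into Python dictionaries, groups the detections by remote address, and reports which detail fields a real port-scan verdict would need. The detail field names proto, sport and dport are assumptions chosen for the example; as CrazyM observes, the Kerio line carries none of them, so the example marks the events as not verifiable from this log alone. The two sample lines are constructed from the ones posted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the two IDS lines quoted in the thread.
SAMPLE_LOG = """\
[20/Feb/2006 08:54:44]  "Ids" action = 'detected', raddr = '12.5.251.205', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
[20/Feb/2006 09:25:22]  "Ids" action = 'detected', raddr = '12.5.251.205', msg = 'PortScan', url = '', direc = 'in', class = 'network-scan', priority = portscan
"""

# "[timestamp]  "Source" key = 'value', key = 'value', ..., key = bare"
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+"(?P<src>[^"]+)"\s+(?P<body>.*)$')
# A single key = value pair; the value is either single-quoted (may be empty) or bare.
FIELD_RE = re.compile(r"(?P<key>\w+)\s*=\s*(?:'(?P<quoted>[^']*)'|(?P<bare>[^,\s]+))")
TS_FMT = "%d/%b/%Y %H:%M:%S"

# Fields needed to judge a scan (assumed names for this example; the Kerio IDS
# line in the thread does not provide any of them).
DETAIL_FIELDS = ("proto", "sport", "dport")


def parse_line(line):
    """Return a dict for one IDS log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for f in FIELD_RE.finditer(m.group("body")):
        value = f.group("quoted")
        if value is None:          # unquoted value such as "priority = portscan"
            value = f.group("bare")
        fields[f.group("key")] = value
    return {"ts": datetime.strptime(m.group("ts"), TS_FMT),
            "src": m.group("src"), **fields}


def parse_log(text):
    """Parse every well-formed line of an IDS log; malformed lines are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(events):
    """Group detections by remote address and say what evidence the log lacks."""
    by_addr = defaultdict(list)
    for e in events:
        by_addr[e.get("raddr", "?")].append(e)
    report = {}
    for addr, evs in by_addr.items():
        evs.sort(key=lambda e: e["ts"])
        # Detail fields absent from at least one event for this address.
        missing = sorted({f for e in evs for f in DETAIL_FIELDS if f not in e})
        report[addr] = {
            "count": len(evs),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "span_seconds": (evs[-1]["ts"] - evs[0]["ts"]).total_seconds(),
            "classes": sorted({e.get("class", "") for e in evs}),
            "missing_detail": missing,
            # Without protocol and ports the entry cannot distinguish a scan
            # from late return packets, which is CrazyM's point in the thread.
            "verifiable": not missing,
        }
    return report


if __name__ == "__main__":
    for addr, info in summarize(parse_log(SAMPLE_LOG)).items():
        print(addr, info)
```

Running it on the sample prints one entry for 12.5.251.205 with two detections about 30 minutes apart, the class network-scan, and all three detail fields listed as missing, so the verdict is "not verifiable". Against a richer log (one that does carry ports and protocol) the same summary would show an empty missing list, and the count and time span per address then become useful for telling a burst of connection attempts from scattered stray packets.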