[KB2958] What do firewall log codes mean?

Issue

Solution

You may encounter the following event names in the ESET Firewall log.

Access Firewall log Help:

For more information about the ESET Firewall log, press F1 on your keyboard to access Help; from the Contents tab, expand Working with ESET Smart Security Premium → Network protection → Logging. Or click here to visit the Logging topic.

Click here for instructions to find and submit log files to ESET Technical Support for analysis.


Rule definition file not loaded – EPFW module is not properly loaded.

No usable rule found – An incoming connection in automatic mode did not match any rule, so it was denied by default.

Incorrect Ethernet packet – The received packet is too short to contain a valid Ethernet or IP/IPv6 header.

Incorrect IP packet length – Packet is shorter than indicated in its IPv4/IPv6 header, or the packet is ICMP and it is too short to contain ICMP header.

Incorrect IP packet checksum – Wrong checksum in IPv4 header. Checksum validation must be enabled in advanced options (separate for in and out).

Incorrect TCP packet length – TCP Packet is too short to contain TCP packet header.

Incorrect TCP packet checksum – Wrong checksum in TCP header. Checksum validation must be enabled in advanced options (separate for in and out).

Incorrect UDP packet length – UDP packet is too short to contain UDP header.

Suspicious IP packet fragment – Suspicious fragmentation according to RFC1858.

Unknown IP packet version – Wrong IP version indicated in IPv4 packet.

Incorrect UDP packet checksum – Wrong checksum in UDP header. Checksum validation must be enabled in advanced options (separate for in and out).

No application listening on the port – Connection attempt to a port where no application listens. The event is logged regardless of whether the connection would have been allowed or denied had an application been listening.

Communication denied by rule – Rule with LOG action was matched, or “Log all blocked” is selected in Troubleshooting section.

Communication allowed by rule – Rule with LOG action was matched.

Decision on allowing communication delegated to user – Rule with LOG action was matched.

Detected attack against security hole – Malicious data is being transferred in an application protocol (such as DCE/RPC, SMB).

Attempt to attack this computer by worm – Malicious data are being transferred in an application protocol (such as DCE/RPC, SMB).

Attempt to send worm from this computer – Malicious data are being transferred in an application protocol (such as DCE/RPC, SMB).

Detected Port Scanning attack – Someone is trying to connect to many different ports on your computer within a short period of time.

Detected ARP cache poisoning attack – Someone is trying to update your ARP cache with a different MAC address than is already cached.

Detected DNS cache poisoning attack – A DNS reply was received that was not requested (it usually contains different domain addresses).

Detected ICMP Flooding attack – Received many ICMP packets from one particular IP within a short time.

Detected TCP Flooding attack – Received many TCP SYN packets (connection requests) from one particular IP within a short time.

Identical IP addresses detected in network – Received two ARP replies for one particular IP with different MAC addresses within a short period of time. (A MAC address is a standardized network address assigned to network interfaces for communications on the physical network.)

TCP packet not belonging to any open connection – TCP packet does not belong to any existing flow.

Detected covert channel exploit in ICMP packet – Unexpected data found in ICMP echo messages. User might have an application that implements PING or might be running Linux as a virtual computer. Allowing communication for bridged connections can help to avoid false positives from virtual computers.

Detected unexpected data in protocol – Improperly formatted ARP, DNS or ICMP echo packets, or a zero port in TCP/UDP.

Address temporarily blocked by active defense (IDS) – IP address was previously blocked by Active defense. Blocking unsafe addresses after detection should be enabled.

Packet blocked by active defense (IDS) – Packet was blocked by IDS without specific reason. You should not see this log.
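
The packet-validity events above (Incorrect Ethernet packet, Unknown IP packet version, Incorrect IP packet length, Incorrect IP packet checksum, Suspicious IP packet fragment, Incorrect TCP/UDP packet length) can be reproduced on raw bytes when triaging a capture. The following Python code is an added example, not ESET's implementation: it handles IPv4 over Ethernet II only and does not verify TCP/UDP checksums. The function names, the header-length sanity check, the 16-byte first-fragment minimum taken from RFC 1858, and the sample frames are assumptions made for illustration.

```python
import struct

ETH_LEN, IP_MIN = 14, 20  # Ethernet II header, minimum IPv4 header (bytes)

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(frame: bytes):
    """Return the event name from the list above, or None if no check fires."""
    if len(frame) < ETH_LEN + IP_MIN:
        return "Incorrect Ethernet packet"
    ip = frame[ETH_LEN:]  # assumes EtherType 0x0800 (IPv4), no VLAN tag
    ver_ihl, _, total_len, _, frag, _, proto, _ = struct.unpack("!BBHHHBBH", ip[:12])
    if ver_ihl >> 4 != 4:
        return "Unknown IP packet version"
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < IP_MIN or total_len < ihl or total_len > len(ip):
        return "Incorrect IP packet length"  # shorter than its header claims
    if inet_checksum(ip[:ihl]) != 0:
        return "Incorrect IP packet checksum"
    payload = ip[ihl:total_len]
    offset, more = frag & 0x1FFF, bool(frag & 0x2000)
    # RFC 1858: TCP fragment at offset 1, or a first fragment too small for the flags
    if proto == 6 and (offset == 1 or (offset == 0 and more and len(payload) < 16)):
        return "Suspicious IP packet fragment"
    if offset == 0:  # the transport header is only in the first fragment
        if proto == 1 and len(payload) < 8:
            return "Incorrect IP packet length"  # the list files short ICMP here
        if proto == 6 and len(payload) < 20:
            return "Incorrect TCP packet length"
        if proto == 17 and len(payload) < 8:
            return "Incorrect UDP packet length"
    return None

def build_frame(proto: int, payload: bytes, frag: int = 0, version: int = 4) -> bytes:
    """Constructed sample: Ethernet II + 20-byte IPv4 header with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, IP_MIN + len(payload),
                      0, frag, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return b"\x00" * 12 + b"\x08\x00" + hdr + payload

if __name__ == "__main__":
    print(classify(build_frame(6, b"\x00" * 8, frag=0x2000)))
```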
