[KB2958] Personal firewall log codes and their meanings (5.x)

Solution

You may encounter the following event names in the ESET Smart Security 5 firewall log.

NOTE:

For more information on the firewall log, press F1 on your keyboard to access the in-context help. From the Contents tab, browse to Work with ESET Smart Security → Network → Logging.

For instructions on how to submit log files to ESET Customer Care for analysis, visit the following ESET Knowledgebase article: How do I access log files and submit them for analysis? (5.x).

Rule definition file not loaded – The EPFW module was not loaded correctly.

No usable rule found – Incoming connections do not match any rule in automatic mode, so the connection is blocked by default.

Incorrect Ethernet packet – The received packet is too short to contain a valid Ethernet or IP/IPv6 header.

Incorrect IP packet length – Packet is shorter than specified in the IPv4/IPv6 header, or it is an ICMP packet and the header is too short.

Incorrect IP packet checksum – Wrong checksum in IPv4 header. Checksum validation must be enabled in advanced options.

Incorrect TCP packet length – TCP packet is shorter than specified in the TCP packet header.

Incorrect TCP packet checksum – Wrong checksum in TCP header. Checksum validation must be enabled in advanced options.

Incorrect UDP packet length – UDP packet is shorter than specified in the UDP packet header.

Suspicious IP packet fragment – Suspicious fragmentation according to RFC1858.

Unknown IP packet version – Wrong IP version indicated in IPv4 packet.

Incorrect UDP packet checksum – Wrong checksum in UDP header. Checksum validation must be enabled in advanced options (separate for in and out).
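The malformed-packet events above (short header, wrong IP version, length field larger than the packet, bad IPv4 checksum, TCP/UDP shorter than their own headers claim) are all checks a packet filter runs before any rule is consulted. The following Python script is an added illustration, not ESET code: it builds a few constructed IPv4 packets (RFC 5737 documentation addresses, 192.0.2.x) and classifies each with the event name this article gives for the first defect found. It works at the IP layer only, so the "Incorrect Ethernet packet" case is reduced to "too short for an IP header"; the exact order in which the product applies these checks is an assumption.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over a header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def classify_ipv4(packet: bytes) -> str:
    """Return the KB event name for the first defect found, or 'ok'."""
    if len(packet) < 20:
        return "Incorrect Ethernet packet"    # too short to hold an IP header
    if packet[0] >> 4 != 4:
        return "Unknown IP packet version"
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or len(packet) < ihl or len(packet) < total_len:
        return "Incorrect IP packet length"   # header claims more bytes than arrived
    header = packet[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    if ipv4_checksum(header[:10] + b"\x00\x00" + header[12:]) != stored:
        return "Incorrect IP packet checksum"
    proto, body = packet[9], packet[ihl:total_len]
    if proto == 6:                            # TCP: data offset (header words) must fit
        if len(body) < 20 or len(body) < (body[12] >> 4) * 4:
            return "Incorrect TCP packet length"
    elif proto == 17:                         # UDP: length field must fit
        if len(body) < 8 or len(body) < struct.unpack("!H", body[4:6])[0]:
            return "Incorrect UDP packet length"
    return "ok"

def build_ipv4(payload: bytes, proto: int = 17, total_len=None,
               version: int = 4, corrupt_checksum: bool = False) -> bytes:
    """Constructed IPv4 packet (no options) for testing; defects injected on request."""
    if total_len is None:
        total_len = 20 + len(payload)
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])   # RFC 5737 test addresses
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | 5, 0, total_len,
                      0, 0, 64, proto, 0, src, dst)
    csum = ipv4_checksum(hdr) ^ (1 if corrupt_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload

# Constructed transport headers: UDP (sport, dport, length, checksum), TCP (20-byte, data offset 5 or 8)
UDP_OK   = struct.pack("!HHHH", 53, 40000, 12, 0) + b"data"
UDP_LONG = struct.pack("!HHHH", 53, 40000, 50, 0) + b"data"     # claims 50 bytes, carries 12
TCP_OK   = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
TCP_SHORT = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, 8 << 4, 0x02, 8192, 0, 0)  # offset 8 = 32 bytes

SAMPLES = {
    "udp_ok":        build_ipv4(UDP_OK),
    "tcp_ok":        build_ipv4(TCP_OK, proto=6),
    "too_short":     b"\x45\x00",
    "bad_version":   build_ipv4(UDP_OK, version=6),
    "bad_ip_len":    build_ipv4(UDP_OK, total_len=100),
    "bad_checksum":  build_ipv4(UDP_OK, corrupt_checksum=True),
    "bad_udp_len":   build_ipv4(UDP_LONG),
    "bad_tcp_len":   build_ipv4(TCP_SHORT, proto=6),
}

def classify_all() -> dict:
    """Classify every constructed sample; used by the stand-alone run below."""
    return {name: classify_ipv4(pkt) for name, pkt in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_all().items():
        print(f"{name:13s} -> {verdict}")
```

Note that the checksum check is only meaningful if the filter is actually asked to verify it; the article points out that checksum validation is an advanced option, and a captured packet with a bad IPv4 checksum is commonly an artifact of NIC checksum offload rather than tampering.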

No application listening on the port – Connection attempt to a port where no application listens. It does not matter if this connection will be allowed or denied if there was an application listening.

Communication denied by rule – Rule with LOG action was matched, or “Log all blocked” is selected in Troubleshooting section.

Communication allowed by rule – Rule with LOG action was matched.

Decision on allowing communication delegated to user – Rule with LOG action was matched.

Detected attack against security hole – Malicious data is being transferred in an application protocol (such as DCE/RPC, SMB).

Attempt to attack this computer by worm – Malicious data are being transferred in an application protocol (such as DCE/RPC, SMB).

Attempt to send worm from this computer – Malicious data are being transferred in an application protocol (such as DCE/RPC, SMB).

Detected Port Scanning attack – Someone is trying to connect to many different ports on your computer within a short period of time.

Detected ARP cache poisoning attack – Someone is trying to update your ARP cache with a different MAC address than is already cached.

Detected DNS cache poisoning attack – Received DNS reply not requested. (Usually contains different domain addresses).

Detected ICMP Flooding attack – Received many ICMP packets from one particular IP within a short time.

Detected TCP Flooding attack – Received many TCP SYN packets (connection requests) from one particular IP within a short time.
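The three rate-based events (port scanning, ICMP flooding, TCP flooding) share one shape: many packets from a single source within a short time, distinguished by whether the count is of distinct destination ports, ICMP packets, or TCP connection requests. The following Python sketch is an added example, not ESET's detection logic; the window and thresholds are constructed values chosen for the demo, and every TCP event in the sample is assumed to be a SYN. It runs the three checks over a constructed event list with one scanner, one SYN flooder, one ICMP flooder and one normal client, and raises each event name at most once per source per window, the way a log would show it.

```python
from collections import defaultdict, deque

def detect_floods_and_scans(events, window=2.0, scan_ports=10, flood_count=50):
    """events: (timestamp, src_ip, proto, dst_port) tuples; proto is 'tcp' or 'icmp'.

    Returns (timestamp, src_ip, event_name) alerts. Thresholds are constructed:
    scan_ports distinct TCP ports, or flood_count TCP/ICMP packets, within `window` seconds.
    """
    recent = defaultdict(deque)   # src -> recent (ts, proto, port) within the window
    last_alert = {}               # (src, event_name) -> ts, to suppress repeats
    alerts = []
    for ts, src, proto, port in sorted(events):
        q = recent[src]
        q.append((ts, proto, port))
        while q and ts - q[0][0] > window:      # slide the window forward
            q.popleft()
        tcp_ports = {p for _, pr, p in q if pr == "tcp"}
        syn_count = sum(1 for _, pr, _ in q if pr == "tcp")
        icmp_count = sum(1 for _, pr, _ in q if pr == "icmp")
        checks = (
            ("Detected Port Scanning attack", len(tcp_ports) >= scan_ports),
            ("Detected TCP Flooding attack", syn_count >= flood_count),
            ("Detected ICMP Flooding attack", icmp_count >= flood_count),
        )
        for name, hit in checks:
            if hit and ts - last_alert.get((src, name), float("-inf")) > window:
                last_alert[(src, name)] = ts
                alerts.append((ts, src, name))
    return alerts

def sample_events():
    """Constructed traffic using RFC 5737 documentation addresses."""
    ev = []
    ev += [(0.1 * i, "203.0.113.5", "tcp", 1 + i) for i in range(20)]        # 20 ports in 2 s
    ev += [(10 + 0.01 * i, "203.0.113.9", "tcp", 80) for i in range(60)]     # 60 SYNs to one port
    ev += [(20 + i, "198.51.100.7", "tcp", 443) for i in range(3)]           # normal client
    ev += [(30 + 0.01 * i, "203.0.113.77", "icmp", 0) for i in range(60)]    # 60 echo requests
    return ev

def run_sample():
    """Alerts for the constructed sample, without timestamps for easy comparison."""
    return [(src, name) for _, src, name in detect_floods_and_scans(sample_events())]

if __name__ == "__main__":
    for ts, src, name in detect_floods_and_scans(sample_events()):
        print(f"t={ts:6.2f}  {src:13s}  {name}")
```

In a real deployment the thresholds decide the false-positive rate: a busy proxy or a monitoring host legitimately opens many connections to one server in a short time, which is why the KB treats these as informational detections rather than as automatic blocks unless "Blocking unsafe addresses after detection" is enabled.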

Identical IP addresses detected in network – Received two ARP replies for one particular IP with different MAC addresses (a standardized network address assigned to network interfaces for communications on the physical network) within a short period of time.

TCP packet not belonging to any open connection – TCP packet does not belong to any existing flow.

Detected covert channel exploit in ICMP packet – Unexpected data found in ICMP echo messages. User might have an application that implements PING or might be running Linux as a virtual computer. Allowing communication for bridged connections can help to avoid false positives from virtual computers.

Detected unexpected data in protocol – Improperly formatted ARP, DNS or ICMP echo packets, or a zero port in TCP/UDP.

Address temporarily blocked by active defense (IDS) – IP address was previously blocked by Active defense. Blocking unsafe addresses after detection should be enabled.

Packet blocked by active defense (IDS) – Packet was blocked by IDS without specific reason. You should not see this log.