October 27, 2011
How to read the logs of the Netgear ProSafe VPN Firewall FVS318v3 and similar devices. Many of us have never had to read or understand the log reports our VPN appliances produce, but today we need to know what the VPN is telling us. I have an example of one log from a system that was online for only a few days.

How To Read Firewall Logs: Netgear ProSafe VPN Firewall FVS318v3

Each entry in the log report reads from left to right.

The left side is the external location (the source of the packet) and the right side is the router itself, which this router writes as 127.0.0.1 (the loopback address) rather than as its public WAN address. A destination of 127.0.0.1 therefore means the packet was aimed at the router; it does not mean that any machine on the internal network was reached.

The approach that I have used is to build a story of the connection.

The questions I ask are:

  • What is the purpose of the connection?
  • Why was the connection made?
  • Did the connection complete?
  • Who attempted or made the connection?

The examples below are from today. Not much activity on the VPN router, but enough from a selection of connection types to explain how to read them.

Let's keep the order of things and list the fields we need to read to answer those questions.

Reading from Left to Right:

  • Day and time (in the router's configured time zone, not necessarily yours)
  • Protocol (TCP, UDP, ...)
  • Source IP of the connection
  • Destination IP (the router itself, shown as 127.0.0.1)
  • Bytes transferred
  • Source port (the remote, external side)
  • Destination port (the local port being asked for)
  • Interface the packet arrived on (WAN or LAN)

The first log:

  • Fri, 2011-09-30 01:35:37
  • TCP packet
  • Source: 74.63.192.66
  • Destination: 127.0.0.1 (the router)
  • Zero bytes transferred: no data passed in either direction, so the connection never completed
  • Source port (external side): 12200
  • Destination port (our side): 8909
  • From WAN (it arrived from the Internet)

The analysis starts with the points of interest. I always look at the destination port first to get an idea of which service the external connection was trying to reach. Example: port 80 would typically be a web server, as port 21 would be FTP. The byte count answers the "did it complete?" question straight away: zero bytes transferred means the router passed no data, so nothing on our side ever talked to the remote host.

In the first log the destination port was 8909. No well-known service is assigned to that port, but it is one of the high ports that open-proxy scanners routinely try, in the same family as the well-known proxy ports 8080 and 3128 and the 8085, 8118 and 8123 that turn up further down in these same logs. With this information I can start to profile the reason for the connection. A remote host knocking on a proxy port is looking to use our proxy (if we had one) for its own benefit. Because we do not offer proxy services and do not run a proxy server, this connection attempt can be profiled as a probe.

Now we have two items in our profile, proxy and probe, and activity like this is almost always automated: a scripted proxy probe. The log itself backs that up. Every one of these probes arrives with the same source port, 12200, and not only from this host. A normal client lets its operating system pick a fresh ephemeral source port for every connection, so one source port reused across many destination ports and many source addresses is the fingerprint of a scanning tool.

Next we need to find the geographical area of the connection. This will help you determine whether it was your next-door neighbor, your kids on your network, or a script running on a computer in China. Keep in mind that a geolocation lookup tells you where the address is hosted, not who is behind it: a scan relayed through a proxy or a compromised machine carries that machine's location, not the operator's.

The Connection IP address: 74.63.192.66 is from United States.

So why was this computer attempting to probe our network for a proxy? This will require a little more research. I'll post how you can do that research directly from your desktop, but for now I'll post the research results for this connection.

From further research it was discovered that the computer at IP 74.63.192.66 has a proxy service running. Here is one of the many ports it could be connected to: 74.63.192.66:8888

Remember, this information is posted for educational purposes and is not intended to be used as a class assignment. If you have a router or VPN, you should have enough information to create your own research project.

What we have learned from our first log entry.

A computer located in the US, on lstn.net hosting at IP 74.63.192.66, was either running the scanning script itself or acting as a proxy for another computer that probed our network for an open proxy. Open-proxy scanning is generally done to build a list of relays for spam, fraud or attack traffic (DDoS setups included), or simply to hide the origin of whatever comes next. Proxy to proxy to proxy typically indicates illegal activity, or it could be someone who needs serious help (paranoid).

Now that you have your first research project completed, you can browse the other logs and quickly pick out the proxy probe attempts.

Nearly every entry with Src 12200 and a destination port such as 8909, 8085, 8123, 8118, 8000, 8088, 9090 or 9415 is the same kind of scan. In the log it reads "Dst 8909 from WAN" (in English: destination port 8909 from the Internet). Note how many different source addresses carry that one source port: 216.245.196.122, 221.194.46.176, 221.192.199.49 and three hosts in 58.218.199.x besides 74.63.192.66. That is one scanning tool running from many machines, not many curious people.

Three entries do not fit the pattern and deserve a second look: 208.74.78.69 to port 3306 (MySQL), 123.125.17.50 to port 3389 (Remote Desktop) and 115.167.88.10 to port 8181, each with an ordinary, non-repeated source port. Those are scanners looking for exposed database and remote-administration services rather than proxies. All of them were dropped with zero bytes transferred, which is exactly what you want to see for services you do not intend to expose.
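To turn the reading order and the profiling questions above into something repeatable, here is an added example: my own code, not from the original post and not from Netgear. It parses lines in the FVS318v3 format shown on this page, converts the router's local timestamps to UTC given the UTC offset the router is configured for, and builds the per-source story: which ports each external address tried, whether it reused one source port on every packet (the fingerprint of a scripted scanner), and whether any connection actually carried data. The sample lines are constructed to match the entries on this page, the set of "proxy" ports and the port-to-service names are my assumptions, and the regular expressions only cover the three line shapes that appear here (packet, NTP, admin login).

```python
"""Parse and profile Netgear FVS318v3-style log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the entries on this page (not a live capture).
SAMPLE_LOG = """\
Fri, 2011-09-30 01:35:37 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8909 from WAN]
Fri, 2011-09-30 01:50:41 - [Send out NTP Request to 12.7.210.177]
Fri,2011-09-30 01:50:42 - [Receive NTP Reply from 12.7.210.177]
Fri, 2011-09-30 02:05:23 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 2301 from WAN]
Fri, 2011-09-30 02:05:23 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8000 from WAN]
Fri, 2011-09-30 02:12:35 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8085 from WAN]
Fri, 2011-09-30 02:24:21 - TCP packet - Source: 208.74.78.69 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 39538 Dst 3306 from WAN]
Fri, 2011-09-30 02:42:35 - TCP packet - Source: 123.125.17.50 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 49392 Dst 3389 from WAN]
Fri, 2011-09-30 03:40:23 - [admin login fail. Password error - IP : 192.168.100.100]
Fri, 2011-09-30 03:40:37 - [admin login successful - IP : 192.168.100.100]
"""

# The three line shapes seen on this page; anything else is kept as "other".
TS = r"^\w{3},\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
PACKET_RE = re.compile(
    TS + r"(?P<proto>\w+) packet - Source: (?P<src>[\d.]+) - Destination: (?P<dst>[\d.]+) - "
    r"\[(?P<nbytes>Zero|\d+) bytes transferred for connection "
    r"Src (?P<sport>\d+) Dst (?P<dport>\d+) from (?P<iface>\w+)\]$")
NTP_RE = re.compile(TS + r"\[(?P<dir>Send out|Receive) NTP (?:Request to|Reply from) (?P<peer>[\d.]+)\]$")
LOGIN_RE = re.compile(TS + r"\[admin login (?P<result>fail|successful)[^\]]*IP : (?P<ip>[\d.]+)\]$")

# Well-known services, named; and (an assumption) the high ports that
# open-proxy scanners usually try, reported collectively as "proxy".
KNOWN = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 443: "https",
         1433: "mssql", 3306: "mysql", 3389: "rdp", 5900: "vnc"}
PROXY_PORTS = {3128, 6588, 8000, 8008, 8080, 8085, 8088, 8090, 8118, 8123, 8909, 9000, 9090, 9415}


def parse_line(line, router_utc_offset_hours=-8):
    """Turn one log line into an event dict. Timestamps are in whatever zone
    the router is set to (PST, UTC-8, was this router's default), so they are
    normalised to UTC with the offset you pass in."""
    for kind, rx in (("packet", PACKET_RE), ("ntp", NTP_RE), ("login", LOGIN_RE)):
        m = rx.match(line.strip())
        if not m:
            continue
        ev = {"kind": kind, **m.groupdict()}
        local = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
        tz = timezone(timedelta(hours=router_utc_offset_hours))
        ev["utc"] = local.replace(tzinfo=tz).astimezone(timezone.utc)
        if kind == "packet":
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            # "Zero bytes transferred": the router passed no data, so the
            # connection never completed. Anything else deserves a closer look.
            ev["completed"] = ev["nbytes"] != "Zero"
        return ev
    return {"kind": "other", "raw": line}


def parse_log(text, **kw):
    return [parse_line(ln, **kw) for ln in text.splitlines() if ln.strip()]


def classify(n_packets, dports, sports):
    """Answer 'what was it after?' and 'was it scripted?' for one source."""
    targets = sorted({KNOWN.get(d, "proxy" if d in PROXY_PORTS else f"port {d}") for d in dports})
    what = "open-proxy probe" if targets == ["proxy"] else "probe of " + ", ".join(targets)
    if n_packets > 1 and len(sports) == 1:
        # A real client gets a fresh ephemeral source port per connection; the
        # same source port on every packet is a scanning tool's fingerprint.
        return f"scripted {what} (source port {next(iter(sports))} reused on every packet)"
    return f"{'repeated' if n_packets > 1 else 'single'} {what}"


def profile_sources(events):
    """Build the per-source story for inbound packets on the WAN side."""
    by_src = defaultdict(lambda: {"n": 0, "dports": set(), "sports": set(), "completed": False})
    for ev in events:
        if ev["kind"] != "packet" or ev["iface"] != "WAN":
            continue
        p = by_src[ev["src"]]
        p["n"] += 1
        p["dports"].add(ev["dport"])
        p["sports"].add(ev["sport"])
        p["completed"] |= ev["completed"]
    return {src: {"packets": p["n"], "ports": sorted(p["dports"]),
                  "fixed_sport": len(p["sports"]) == 1, "completed": p["completed"],
                  "verdict": classify(p["n"], p["dports"], p["sports"])}
            for src, p in by_src.items()}


def admin_logins(events):
    """Admin authentication attempts, in UTC, to check against when you
    actually logged in rather than against the router's default clock."""
    return [(ev["utc"].strftime("%Y-%m-%d %H:%M:%SZ"), ev["result"], ev["ip"])
            for ev in events if ev["kind"] == "login"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, p in profile_sources(evs).items():
        print(f"{src:16} ports={p['ports']} -> {p['verdict']}")
    for row in admin_logins(evs):
        print("admin login", *row)
```

Run against the sample, the fixed source port 12200 marks every multi-port source as a scripted scanner, while the MySQL and RDP probes come in with ordinary ephemeral source ports and are reported as single probes of a named service. Any source whose `completed` flag comes back true would be one the router let through, and that is what to investigate first; on a router whose inbound policy is working, every external entry should stay at zero bytes.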


The following are NTP (Network Time Protocol) requests the router sends to an Internet time server so that it, and the devices behind it, keep correct time. (Wish that would work for humans.) The reply arriving from the same address a second later is the expected answer to our own request, not a probe.

Fri, 2011-09-30 01:50:41 - [Send out NTP Request to 12.7.210.177]

Fri, 2011-09-30 01:50:42 - [Receive NTP Reply from 12.7.210.177]


Fri, 2011-09-30 01:59:23 - TCP packet - Source: 216.245.196.122 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8123 from WAN]

Fri, 2011-09-30 01:59:23 - TCP packet - Source: 216.245.196.122 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 2301 from WAN]

Fri, 2011-09-30 01:59:23 - TCP packet - Source: 216.245.196.122 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 1830 from WAN]

Fri, 2011-09-30 02:05:23 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 2301 from WAN]

Fri, 2011-09-30 02:05:23 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8000 from WAN]

Fri, 2011-09-30 02:05:23 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8090 from WAN]

Fri, 2011-09-30 02:05:23 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8085 from WAN]

Fri, 2011-09-30 02:10:11 - TCP packet - Source: 58.218.199.250 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8118 from WAN]

Fri, 2011-09-30 02:10:11 - TCP packet - Source: 58.218.199.250 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8088 from WAN]

Fri, 2011-09-30 02:10:11 - TCP packet - Source: 58.218.199.250 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8008 from WAN]

Fri, 2011-09-30 02:10:11 - TCP packet - Source: 58.218.199.250 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 9415 from WAN]

Fri, 2011-09-30 02:12:35 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8909 from WAN]

Fri, 2011-09-30 02:12:35 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8085 from WAN]

Fri, 2011-09-30 02:15:42 - TCP packet - Source: 221.192.199.49 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 2479 from WAN]

Fri, 2011-09-30 02:15:42 - TCP packet - Source: 221.192.199.49 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 6588 from WAN]

Fri, 2011-09-30 02:15:42 - TCP packet - Source: 221.192.199.49 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 9415 from WAN]

Fri, 2011-09-30 02:15:42 - TCP packet - Source: 221.192.199.49 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 9090 from WAN]

Fri, 2011-09-30 02:21:28 - TCP packet - Source: 58.218.199.147 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 9415 from WAN]

Fri, 2011-09-30 02:21:28 - TCP packet - Source: 58.218.199.147 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 9090 from WAN]

Fri, 2011-09-30 02:21:28 - TCP packet - Source: 58.218.199.147 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 2301 from WAN]

Fri, 2011-09-30 02:21:28 - TCP packet - Source: 58.218.199.147 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 6588 from WAN]

Fri, 2011-09-30 02:24:21 - TCP packet - Source: 208.74.78.69 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 39538 Dst 3306 from WAN]

Fri, 2011-09-30 02:28:11 - TCP packet - Source: 58.218.199.227 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 2301 from WAN]

Fri, 2011-09-30 02:28:11 - TCP packet - Source: 58.218.199.227 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 73 from WAN]

Fri, 2011-09-30 02:29:52 - TCP packet - Source: 216.245.196.122 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8123 from WAN]

Fri, 2011-09-30 02:31:33 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8909 from WAN]

Fri, 2011-09-30 02:31:33 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8085 from WAN]

Fri, 2011-09-30 02:42:35 - TCP packet - Source: 123.125.17.50 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 49392 Dst 3389 from WAN]

Fri, 2011-09-30 02:49:33 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8909 from WAN]

Fri, 2011-09-30 02:49:33 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8085 from WAN]

Fri, 2011-09-30 03:00:35 - TCP packet - Source: 216.245.196.122 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8123 from WAN]

Fri, 2011-09-30 03:00:35 - TCP packet - Source: 216.245.196.122 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 2301 from WAN]

Fri, 2011-09-30 03:07:47 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8909 from WAN]

Fri, 2011-09-30 03:07:47 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8085 from WAN]

Fri, 2011-09-30 03:14:16 - TCP packet - Source: 115.167.88.10 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 53590 Dst 8181 from WAN]

Fri, 2011-09-30 03:18:35 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 3246 from WAN]

Fri, 2011-09-30 03:18:35 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 9000 from WAN]

Fri, 2011-09-30 03:18:35 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8123 from WAN]

Fri, 2011-09-30 03:18:35 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8008 from WAN]

Fri, 2011-09-30 03:18:35 - TCP packet - Source: 221.194.46.176 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 73 from WAN]

Fri, 2011-09-30 03:20:16 - TCP packet - Source: 58.218.199.250 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 2479 from WAN]

Fri, 2011-09-30 03:20:16 - TCP packet - Source: 58.218.199.250 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8085 from WAN]

Fri, 2011-09-30 03:20:16 - TCP packet - Source: 58.218.199.250 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 73 from WAN]

Fri, 2011-09-30 03:20:16 - TCP packet - Source: 58.218.199.250 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8000 from WAN]

Fri, 2011-09-30 03:26:16 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8909 from WAN]

Fri, 2011-09-30 03:26:16 - TCP packet - Source: 74.63.192.66 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8085 from WAN]

Fri, 2011-09-30 03:31:04 - TCP packet - Source: 216.245.196.122 - Destination: 127.0.0.1 - [Zero bytes transferred for connection Src 12200 Dst 8123 from WAN]



Below I can see that I didn't set the time zone on the Schedule page of this router. A quick login at 3:40 AM wouldn't happen, but the default setting was PST. Lucky thing I read my logs.

Fri, 2011-09-30 03:40:23 - [admin login fail. Password error - IP : 192.168.100.100]

Fri, 2011-09-30 03:40:30 - [admin login fail. Password error - IP : 192.168.100.100]

Fri, 2011-09-30 03:40:37 - [admin login successful - IP : 192.168.100.100]

Two password failures followed by a success from a single address is what a person mistyping a password looks like, and that call can only be made once the log clock matches your own. 192.168.100.100 is a LAN address, so these attempts came from a device on the inside of the router, not from the Internet. If a run like this ever shows up at a time nobody was at the keyboard, treat it as password guessing against the admin account from inside the network.
