FWLOGSUM REPORT
Accepted Entries Sorted by source

Report generated on:          Mon Jul 9 16:25:32 2007
Period for report data:       20 Oct 2001 at 17:21:03 to 26 Nov 2001 at 9:02:26
Period for matched data:      17 Nov 2001 at 14:10:58 to 26 Nov 2001 at 9:02:26
Total entries processed:      18995
Entries matched on:           18650
Inbound traffic:              18952
Outbound traffic:             8
Control Messages:             35
Alert Entries:                2
Encrypted/Decrypted Entries:  4
Unknown entries:              0
Entries ignored:              0
Attack Types:                 0
Unique Attack URLs:           0

FW-1 HOST    SOURCE ADDRESS                     DESTINATION ADDRESS                SERVICE           COUNT  RULE
-----------------------------------------------------------------------------------------------------------------------------------
FWFOOMAIN01  134.251.64.243                     webfoogen1.foo.com                 tcp(smtp)             2     1
FWFOOMAIN01  192.1.1.13                         corelinkmain01.foo.com             tcp(telnet)           4     1
FWFOOMAIN01  192.1.1.13                         webwebmain01.foo.com               icmp(0/0)             1     1
FWFOOMAIN01  apollo.foo.com                     corelinkmain01.foo.com             icmp(0/0)             1     1
FWFOOMAIN01  apollo.foo.com                     webfoogen1.foo.com                 icmp(0/0)             1     1
FWFOOMAIN01  corelinkmain01.foo.com             ns4.foo.com                        udp(ntp-udp)         14     3
FWFOOMAIN01  corelinkmain01.foo.com             ns4.foo.net.nz                     udp(ntp-udp)          3     2
FWFOOMAIN01  corelinkmain01.foo.com             devel.lab.foo.com                  icmp(3/1)             1     2
FWFOOMAIN01  corelinkmain01.foo.com             ns4.foo.com                        udp(ntp-udp)       9167     2
FWFOOMAIN01  corelinkmain01.foo.com             apollo.foo.com                     icmp(8/0)             1     2
FWFOOGW02    corelinkmain01.foo.com             ns4.foo.net.nz                     udp(ntp-udp)          1     2
FWFOOMAIN01  corelinkmain01.foo.com             apollo.foo.com                     tcp(TACACSplus)       8     2
FWFOOMAIN01  corelinkmain01.foo.com             apollo.foo.com                     tcp(TACACSplus)       3     3
FWFOOMAIN01  corelinkmain01.foo.com             rtnw.foo.com                       udp(snmp-trap)       12     2
FWFOOGW02    corelinkmain01.foo.com.au          ns4.foo.net.au                     udp(ntp-udp)          1     2
FWFOOMAIN01  devel.lab.foo.com                  webfoogen1.foo.com                 tcp(pop-3)            1     1
FWFOOMAIN01  devel.lab.foo.com                  webfoogen1.foo.com                 tcp(ftp)              9     1
FWFOOMAIN01  devel.lab.foo.com                  fwfoomain01.foo.com                tcp(ftp)              2     3
FWFOOMAIN01  devel.lab.foo.com                  192.1.1.8                          tcp(telnet)           1     1
FWFOOMAIN01  devel.lab.foo.com                  fwfoomain01.foo.com                tcp(telnet)           1     3
FWFOOMAIN01  devel.lab.foo.com                  webfoogen1.foo.com                 icmp(8/0)             1     1
FWFOOMAIN01  devel.lab.foo.com                  webfoogen1.foo.com                 tcp(telnet)         115     1
FWFOOMAIN01  dhcp-100-101-160-062.dhcp.foo.com  corelinkmain01.foo.com             tcp(telnet)           9     1
FWFOOMAIN01  dhcp-100-101-162-201.dhcp.foo.com  webwebmain01.foo.com               icmp(8/0)             4     1
FWFOOMAIN01  dhcp-100-101-162-201.dhcp.foo.com  webwebmain01.foo.com               tcp(ftp)              3     1
FWFOOMAIN01  dhcp-100-101-166-057.dhcp.foo.com  fwfoomain01-2                      tcp(telnet)           1     1
FWFOOMAIN01  dhcp-100-101-166-059.dhcp.foo.com  fwfoomain01-2                      tcp(telnet)           2     1
FWFOOMAIN01  dhcp-100-101-167-223.dhcp.foo.com  fwmain01.foo.com                   tcp(http)             2     1
FWFOOMAIN01  dhcp-100-101-167-223.dhcp.foo.com  fwmain01.foo.com                   tcp(http)            27     1
FWFOOMAIN01  dhcp-100-101-167-223.dhcp.foo.com  fwmain01.foo.com                   tcp(http)             2     1
FWFOOMAIN01  dhcp-100-101-167-233.dhcp.foo.com  fwfoomain01.foo.com                tcp(telnet)          12     3
FWFOOMAIN01  dhcp-100-101-167-233.dhcp.foo.com  fwfoomain01-2                      icmp(8/0)             1     1
FWFOOMAIN01  fwfoomain01-2                      fwrtrmain01.foo.com                icmp(8/0)             1     1
FWFOOMAIN01  fwfoomain01-2                      gwt.lab.foo.com                    icmp(0/0)             1     2
FWFOOMAIN01  fwfoomain01-2                      dhcp-100-101-167-233.dhcp.foo.com  icmp(0/0)             1     2
FWFOOMAIN01  fwfoomain01.foo.com                webwebmain01.foo.com               icmp(0/0)             1     1
FWFOOMAIN01  fwfoomain01.foo.com                dhcp-100-101-167-233.dhcp.foo.com  tcp(1487)             1     3
FWFOOMAIN01  fwfoomain01.foo.com                apollo.foo.com                     icmp(3/3)             3     3
FWFOOMAIN01  fwmain01.foo.com                   dhcp-100-101-167-223.dhcp.foo.com  tcp(X11)              2     2
FWFOOMAIN01  fwmain01.foo.com                   nzgtsdlc.rtr.foo.com               icmp(8/0)             1     2
FWFOOMAIN01  fwrtrmain01.foo.com                apollo.foo.com                     tcp(TACACSplus)       8     2
FWFOOMAIN01  fwrtrmain01.foo.com                ns4.foo.net.nz                     udp(ntp-udp)          3     2
FWFOOMAIN01  fwrtrmain01.foo.com                ns4.foo.net                        udp(ntp-udp)          4     2
FWFOOGW02    fwrtrmain01.foo.com                ns4.foo.net.nz                     udp(ntp-udp)          1     2
FWFOOMAIN01  fwrtrmain01.foo.com                ns4.foo.com                        udp(ntp-udp)       9132     2
FWFOOMAIN01  fwrtrmain01.foo.com                rtnw.foo.com                       udp(snmp-trap)        5     2
FWFOOMAIN01  fwrtrmain01.foo.com                fwfoomain01-2                      icmp(0/0)             1     2
FWFOOMAIN01  fwrtrmain01.foo.com.au             ns4.foo.net.nz.au                  udp(ntp-udp)          1     2
FWFOOMAIN01  gwt.lab.foo.com                    fwmain01.foo.com                   tcp(telnet)           1     1
FWFOOMAIN01  gwt.lab.foo.com                    webwebmain01.foo.com               icmp(8/0)             1     1
FWFOOMAIN01  mlink.foo.co.uk                    ns4.foo.net.nz                     udp(ntp-udp)          1     2
FWFOOMAIN01  mlink.foo.co.uk                    ns4.foo.net                        udp(ntp-udp)          3     2
FWFOOMAIN01  mlink.foo.co.uk                    ns4.foo.com                        udp(ntp-udp)          2     3
FWFOOMAIN01  ns1.foo.com                        192.1.1.20                         tcp(smtp)             1     1
FWFOOMAIN01  ns1.foo.com                        webwebmain01.foo.com               tcp(smtp)             1     1
FWFOOMAIN01  ns1.foo.com                        fwfoomain01.foo.com                tcp(smtp)             1     3
FWFOOMAIN01  ns1.foo.com                        fwrtrmain01.foo.com                tcp(smtp)             1     1
FWFOOMAIN01  ns1.foo.com                        fwmain01.foo.com                   tcp(smtp)             1     1
FWFOOMAIN01  ns1.foo.com                        192.1.1.22                         tcp(smtp)             1     1
FWFOOMAIN01  ns1.foo.com                        192.1.1.21                         tcp(smtp)             1     1
FWFOOMAIN01  nzcoremain01.rtr.foo.com           fwfoomain01.foo.com                icmp(4/0)             1     3
FWFOOMAIN01  nzgtsdlc.rtr.foo.com               fwmain01.foo.com                   icmp(0/0)             1     1
FWFOOMAIN01  nzgtsdlc.rtr.foo.com               webwebmain01.foo.com               icmp(0/0)             1     1
FWFOOMAIN01  test.lab.foo.com                   fwfoomain01.foo.com                tcp(smtp)             1     3
FWFOOMAIN01  test.lab.foo.com                   corelinkmain01.foo.com             tcp(telnet)           1     1
FWFOOMAIN01  test.lab.foo.com                   fwfoomain01-2                      tcp(smtp)             1     3
INTERNETGW   test.lab.foo.com                   fwfoomain01-2                      tcp(smtp)             1     1
FWFOOMAIN01  webfoogen1.foo.com                 zeus.lab.foo.com                   tcp(X11)              1     2
FWFOOMAIN01  webfoogen1.foo.com                 134.251.64.243                     tcp(ident)            2     2
FWFOOMAIN01  webfoogen1.foo.com                 hermes.foo.com                     tcp(smtp)             2     2
FWFOOMAIN01  webfoogen1.foo.com                 apollo.foo.com                     icmp(8/0)             1     2
FWFOOMAIN01  webfoogen1.foo.com                 devel.lab.foo.com                  icmp(0/0)             1     2
FWFOOMAIN01  webwebmain01.foo.com               fwfoomain01.foo.com                icmp(8/0)             1     2
FWFOOMAIN01  webwebmain01.foo.com               192.1.1.13                         icmp(8/0)             1     2
FWFOOMAIN01  webwebmain01.foo.com               nzgtsdlc.rtr.foo.com               icmp(8/0)             1     2
FWFOOMAIN01  webwebmain01.foo.com               dhcp-100-101-162-201.dhcp.foo.com  icmp(0/0)             4     2
FWFOOMAIN01  zeus.lab.foo.com                   webfoogen1.foo.com                 tcp(telnet)          35     1

SUMMARY INFORMATION

Firewall Server: Top 10 of 3
=======================================================
FWFOOMAIN01                              18646   99.98%
FWFOOGW02                                    3    0.02%
INTERNETGW                                   1    0.01%

Users/Source Addresses: Top 10 of 26
=======================================================
corelinkmain01.foo.com                    9210   49.38%
fwrtrmain01.foo.com                       9154   49.08%
devel.lab.foo.com                          130    0.70%
zeus.lab.foo.com                            35    0.19%
dhcp-100-101-167-223.dhcp.foo.com           31    0.17%
dhcp-100-101-167-233.dhcp.foo.com           13    0.07%
dhcp-100-101-160-062.dhcp.foo.com            9    0.05%
webwebmain01.foo.com                         7    0.04%
dhcp-100-101-162-201.dhcp.foo.com            7    0.04%
ns1.foo.com                                  7    0.04%

Users/Destination Addresses: Top 10 of 28
=======================================================
ns4.foo.com                              18315   98.20%
webfoogen1.foo.com                         164    0.88%
fwmain01.foo.com                            34    0.18%
apollo.foo.com                              24    0.13%
fwfoomain01.foo.com                         19    0.10%
rtnw.foo.com                                17    0.09%
corelinkmain01.foo.com                      15    0.08%
webwebmain01.foo.com                        12    0.06%
ns4.foo.net.nz                               9    0.05%
fwfoomain01-2                                7    0.04%

Service Usage: Top 10 of 16
=======================================================
udp(ntp-udp)                             18333   98.30%
tcp(telnet)                                182    0.98%
tcp(http)                                   31    0.17%
tcp(TACACSplus)                             19    0.10%
udp(snmp-trap)                              17    0.09%
tcp(ftp)                                    14    0.08%
tcp(smtp)                                   14    0.08%
icmp(8/0)                                   14    0.08%
icmp(0/0)                                   14    0.08%
tcp(X11)                                     3    0.02%

Rule Usage: Top 10 of 3
=======================================================
Rule 2                                   18372   98.51%
Rule 1                                     236    1.27%
Rule 3                                      42    0.23%

Network Interface Usage: Top 10 of 6
=======================================================
FWFOOMAIN01 hme1 (inbound)               18386   98.58%
FWFOOMAIN01 hme0 (inbound)                 252    1.35%
FWFOOMAIN01 hme0 (outbound)                  6    0.03%
FWFOOGW02 hme1 (inbound)                     3    0.02%
FWFOOMAIN01 hme1 (outbound)                  2    0.01%
Internet Gateway (inbound)                   1    0.01%

Alert Types: Top 10 of 2
=======================================================
log                                          1    0.01%
mail                                         1    0.01%

Source Domains: Top 10 of 5
=======================================================
US Commercial                            18632   99.90%
Unresolved                                   7    0.04%
United Kingdom                               6    0.03%
Unknown                                      3    0.02%
Australia                                    2    0.01%

Destination Domains: Top 10 of 6
=======================================================
US Commercial                            18618   99.83%
New Zealand                                  9    0.05%
Network                                      7    0.04%
Unknown                                      7    0.04%
Unresolved                                   7    0.04%
Australia                                    2    0.01%

Daily Usage
=======================================================
20Nov2001                                 2711   14.54%
21Nov2001                                 2689   14.42%
18Nov2001                                 2672   14.33%
19Nov2001                                 2658   14.25%
22Nov2001                                 2617   14.03%
25Nov2001                                 1743    9.35%
23Nov2001                                 1436    7.70%
17Nov2001                                 1084    5.81%
26Nov2001                                 1040    5.58%

Hourly Periods: Top 10
=======================================================
8AM-9AM                                    880    4.72%
11AM-12PM                                  813    4.36%
3PM-4PM                                    807    4.33%
10AM-11AM                                  803    4.31%
6PM-7PM                                    794    4.26%
9AM-10AM                                   794    4.26%
4PM-5PM                                    794    4.26%
10PM-11PM                                  794    4.26%
12PM-1PM                                   789    4.23%
5PM-6PM                                    788    4.23%

Produced by fwlogsum Version: 5.0.3
http://www.ginini.com/software/fwlogsum/
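The entries table above is the part of an fwlogsum report an auditor actually works from: each row is one accepted (FW-1 HOST, SOURCE, DESTINATION, SERVICE) tuple with a hit count and the rule number that allowed it, and the "Top 10" summaries are just sums of the COUNT column grouped by one field. The following script, added here as an example and not part of fwlogsum or of the original page, parses rows in that layout, rebuilds the per-service and per-rule totals the summaries show, cross-checks a Rule Usage summary against the detail rows, and lists accepted cleartext services (telnet, ftp, pop-3, X11) with the rule that let them through. The embedded rows are twelve lines copied from the table above (a subset, so totals are for that subset only); the set of services treated as cleartext is this example's own choice.

```python
import re
from collections import Counter

# Twelve rows copied from the "Accepted Entries Sorted by source" table above,
# plus its header and separator, so the parser is exercised on non-data lines too.
# This is a subset of the report: totals computed here are for these rows only.
SAMPLE_ROWS = """\
FW-1 HOST    SOURCE ADDRESS                     DESTINATION ADDRESS                SERVICE           COUNT  RULE
-----------------------------------------------------------------------------------------------------------
FWFOOMAIN01  192.1.1.13                         corelinkmain01.foo.com             tcp(telnet)           4     1
FWFOOMAIN01  corelinkmain01.foo.com             ns4.foo.com                        udp(ntp-udp)         14     3
FWFOOMAIN01  corelinkmain01.foo.com             ns4.foo.com                        udp(ntp-udp)       9167     2
FWFOOMAIN01  corelinkmain01.foo.com             apollo.foo.com                     tcp(TACACSplus)       8     2
FWFOOMAIN01  devel.lab.foo.com                  webfoogen1.foo.com                 tcp(ftp)              9     1
FWFOOMAIN01  devel.lab.foo.com                  webfoogen1.foo.com                 tcp(telnet)         115     1
FWFOOMAIN01  dhcp-100-101-167-233.dhcp.foo.com  fwfoomain01.foo.com                tcp(telnet)          12     3
FWFOOMAIN01  fwmain01.foo.com                   dhcp-100-101-167-223.dhcp.foo.com  tcp(X11)              2     2
FWFOOMAIN01  fwrtrmain01.foo.com                ns4.foo.com                        udp(ntp-udp)       9132     2
FWFOOMAIN01  webfoogen1.foo.com                 134.251.64.243                     tcp(ident)            2     2
FWFOOGW02    fwrtrmain01.foo.com                ns4.foo.net.nz                     udp(ntp-udp)          1     2
FWFOOMAIN01  zeus.lab.foo.com                   webfoogen1.foo.com                 tcp(telnet)          35     1
"""

# A data row is exactly six whitespace-separated fields, the last two numeric.
# The header (nine words) and the dashed separator (one word) do not match.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")

# Services that carry credentials or sessions in the clear; an assumption of this
# example, chosen from the service names that appear in the report.
CLEARTEXT_SERVICES = {"tcp(telnet)", "tcp(ftp)", "tcp(pop-3)", "tcp(X11)"}


def parse_rows(text):
    """Parse the entries table into dicts; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        host, src, dst, svc, count, rule = m.groups()
        rows.append({"host": host, "src": src, "dst": dst, "service": svc,
                     "count": int(count), "rule": int(rule)})
    return rows


def totals_by(rows, key):
    """Sum COUNT per distinct value of `key` ("src", "dst", "service", "rule" or "host")."""
    totals = Counter()
    for r in rows:
        totals[r[key]] += r["count"]
    return totals


def top_n(rows, key, n=10):
    """Rebuild a 'Top 10' summary: (value, count, percent of all matched entries)."""
    grand = sum(r["count"] for r in rows)
    return [(k, c, round(100.0 * c / grand, 2))
            for k, c in totals_by(rows, key).most_common(n)]


def check_rule_summary(rows, claimed):
    """Cross-check a Rule Usage summary {rule: count} against the detail rows.
    Returns {rule: (detail_total, claimed_total)} for every rule that disagrees;
    an empty dict means the summary is consistent with the table."""
    detail = totals_by(rows, "rule")
    return {rule: (detail.get(rule, 0), c)
            for rule, c in claimed.items() if detail.get(rule, 0) != c}


def cleartext_accepts(rows):
    """Rows where a cleartext service was accepted, busiest first."""
    hits = [r for r in rows if r["service"] in CLEARTEXT_SERVICES]
    return sorted(hits, key=lambda r: -r["count"])


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    print("Service Usage (subset)")
    for svc, cnt, pct in top_n(rows, "service"):
        print(f"{svc:<18}{cnt:>7}{pct:>8.2f}%")
    print("Accepted cleartext services")
    for r in cleartext_accepts(rows):
        print(f"rule {r['rule']}: {r['src']} -> {r['dst']} {r['service']} x{r['count']}")
```

On the full table the same totals reproduce the report's own summary lines (for example udp(ntp-udp) sums to 18333 and Rule 1, 2 and 3 to 236, 18372 and 42), which is the check to run before trusting a summary: a mismatch means rows were dropped or the report was spliced. The cleartext listing is the second thing to read from this kind of report; here it shows telnet and ftp accepted both to internal hosts under rule 1 and to the firewall host itself under rule 3.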