When I was out of town, the firewall logged the following data. The 192.168.***.xx2 address is a syslog machine. It does nothing but display packet data in real time; it also makes copies of all syslog data. I use wallwatcher, the mynetwatchman client, and the emailer for dshield on this machine. I allow WW to do rdns lookups on all addresses.
Other than someone breaking into my home just to try and access **** from that particular machine, why would this activity be logged? More importantly, why only when I was out of town? I have never seen this type of activity before.
I have uploaded some gifs of the Daily Report of 12/13 and 12/14.
83 attempts:
2008:12:13-03:39:10 (none) httpproxy[3797]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.***.xx2" user="" statuscode="403" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="3215" time="1 ms" request="0xb0a8e0f0" url="www.mynetwatchman.com/insertwebreportraw.asp
95 attempts:
2008:12:14-01:54:32 (none) httpproxy[3797]: id="0060" severity="info" sys="SecureWeb" sub="http" name="web request blocked, forbidden category detected" action="block" method="GET" srcip="192.168.***.xx2" user="" statuscode="403" cached="0" profile="profile_0" filteraction="action_REF_DefaultHTTPCFFAction" size="3213" time="1 ms" request="0xb0a811b8" url="www.mynetwatchman.com/insertwebreportraw.asp
Thanks,
Jim