Logging
Output 9: Example Malware Protection log messages
2016 Nov 17 02:13:08 local5.info awplus IPS[1939]: [Drop] MALWARE: Virus detected by signature URL:http:/[172.16.92.2]/data/byte/sample.exe [http] 172.16.92.2:80 -> 192.168.92.1:60784
2016 Nov 17 02:32:02 local5.info awplus IPS[2014]: [Drop] MALWARE: Virus detected by signature [tcp] 172.16.92.2:42168 -> 192.168.92.1:45528
2016 Nov 17 02:33:59 local5.info awplus IPS[1913]: [Drop] MALWARE: File with known bad MD5 detected (ITW) URL:http:/[172.16.92.2]/data/md5/EICAR-Test-File [http] 172.16.92.2:80 -> 192.168.92.1:60820
2016 Nov 17 02:36:32 local5.info awplus IPS[2004]: [Drop] MALWARE: File with known bad MD5 detected (ITW) [smtp] 192.168.92.1:45820 -> 172.16.92.2:25
URL Filtering Log Messages
By default, URL filtering messages are generated when there are:
Blacklist and whitelist hits: logged at severity info (6) level.
Invalid match criteria, detected while loading third party and custom blacklist and whitelist files: logged at err (3) level.
Missing configured custom blacklist and/or whitelist files, while starting/restarting the feature: logged at warning (4) level.
From AlliedWare Plus version 5.4.7-1.x, you can turn on additional URL request logging to log all
URL requests, including permitted requests. Use the following commands:
awplus(config)# url-filter
awplus(config-url-filter)# log url-requests
Log messages for blacklist or whitelist hits include information in the following format:
<action> URLFILTER: [URL:<url>] <protocol> <source-ip>:<source-port> -> <dest-ip>:<dest-port>
Table 8: URL Filtering log message elements
Message element              Description
<action>                     Which action is applied: [ALERT] or [DROP].
<url>                        The requested URL; present only if the flow is HTTP.
<protocol>                   The protocol, e.g. SMTP, HTTP, TCP, ICMP.
<source-ip>:<source-port>    The source IP address and source port of the packet.
<dest-ip>:<dest-port>        The destination IP address and destination port of the packet.
C613-22104-00 REV B
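The Malware Protection examples in Output 9 and the URLFILTER format in Table 8 share the same trailing "[<protocol>] <src>:<sport> -> <dst>:<dport>" shape, so one parser covers both. The following is an added example, not Allied Telesis code or part of this guide. It assumes that URLFILTER lines carry the same "<date> <facility>.<severity> <host> IPS[<pid>]:" syslog prefix as the MALWARE examples, and reads the "[URL:<url>]" in the format as marking the URL element optional (HTTP flows only) rather than as literal brackets. The sample log is constructed: the four MALWARE lines are the page's own, and the two URLFILTER lines are invented to match the documented format. The internal prefix 192.168.92.0/24 is an assumption taken from the example addresses.

```python
"""Parse AlliedWare Plus Malware Protection / URL filtering syslog lines and summarise them.
Added example for this page; not Allied Telesis code."""
import ipaddress
import re
from collections import Counter

# Syslog severities the page gives for URL filtering messages.
SYSLOG_SEVERITY = {"err": 3, "warning": 4, "info": 6}

# Assumptions (not stated on the page): URLFILTER lines carry the same
# "<date> <facility>.<severity> <host> IPS[<pid>]:" prefix as the MALWARE examples, and
# "[URL:<url>]" in the documented format marks the URL element as optional (HTTP flows
# only) rather than wrapping it in literal brackets.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} \d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<facility>[a-z0-9]+)\.(?P<severity>[a-z]+) (?P<host>\S+) IPS\[(?P<pid>\d+)\]: "
    r"\[(?P<action>[A-Za-z]+)\] (?P<feature>MALWARE|URLFILTER): "
    r"(?:(?P<detail>(?!URL:).+?) )?"   # free-text reason; MALWARE messages only
    r"(?:URL:(?P<url>\S+) )?"          # present only when the flow is HTTP
    r"\[(?P<proto>[a-z]+)\] "
    r"(?P<src>[0-9.]+):(?P<sport>\d+) -> (?P<dst>[0-9.]+):(?P<dport>\d+)$"
)

# Constructed sample: the four Malware Protection lines from this page, rejoined, plus two
# URLFILTER lines built from the documented format (the URLFILTER lines are invented).
SAMPLE_LOG = """\
2016 Nov 17 02:13:08 local5.info awplus IPS[1939]: [Drop] MALWARE: Virus detected by signature URL:http:/[172.16.92.2]/data/byte/sample.exe [http] 172.16.92.2:80 -> 192.168.92.1:60784
2016 Nov 17 02:32:02 local5.info awplus IPS[2014]: [Drop] MALWARE: Virus detected by signature [tcp] 172.16.92.2:42168 -> 192.168.92.1:45528
2016 Nov 17 02:33:59 local5.info awplus IPS[1913]: [Drop] MALWARE: File with known bad MD5 detected (ITW) URL:http:/[172.16.92.2]/data/md5/EICAR-Test-File [http] 172.16.92.2:80 -> 192.168.92.1:60820
2016 Nov 17 02:36:32 local5.info awplus IPS[2004]: [Drop] MALWARE: File with known bad MD5 detected (ITW) [smtp] 192.168.92.1:45820 -> 172.16.92.2:25
2016 Nov 17 02:40:11 local5.info awplus IPS[2031]: [DROP] URLFILTER: URL:http:/[172.16.92.2]/blocked/page.html [http] 192.168.92.1:51002 -> 172.16.92.2:80
2016 Nov 17 02:41:05 local5.info awplus IPS[2031]: [ALERT] URLFILTER: URL:http:/[172.16.92.2]/watched/page.html [http] 192.168.92.1:51010 -> 172.16.92.2:80
"""


def parse_ips_line(line):
    """Return a dict of fields for one IPS log line, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["action"] = ev["action"].upper()          # the examples mix "[Drop]" and "[DROP]"
    ev["severity_num"] = SYSLOG_SEVERITY.get(ev["severity"])
    for key in ("pid", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev


def parse_ips_log(text):
    """Parse every recognised line; unrecognised lines are skipped rather than raised."""
    return [ev for ev in map(parse_ips_line, text.splitlines()) if ev is not None]


def direction(ev, internal_net):
    """Classify the flow relative to an internal prefix (assumed 192.168.92.0/24 here)."""
    net = ipaddress.ip_network(internal_net)
    src_in = ipaddress.ip_address(ev["src"]) in net
    dst_in = ipaddress.ip_address(ev["dst"]) in net
    if src_in and not dst_in:
        return "outbound"
    if dst_in and not src_in:
        return "inbound"
    return "internal" if src_in else "external"


def summarise(events, internal_net="192.168.92.0/24"):
    """Counts per (feature, action), DROPs per internal host, and outbound MALWARE hits.
    An outbound MALWARE drop (an internal host sending a known-bad file, e.g. over SMTP)
    points at an already-compromised host rather than a blocked download."""
    net = ipaddress.ip_network(internal_net)
    by_kind = Counter((e["feature"], e["action"]) for e in events)
    drops_per_host = Counter()
    outbound_malware = []
    for e in events:
        if e["action"] == "DROP":
            host = e["src"] if ipaddress.ip_address(e["src"]) in net else e["dst"]
            drops_per_host[host] += 1
        if e["feature"] == "MALWARE" and direction(e, internal_net) == "outbound":
            outbound_malware.append((e["src"], e["proto"], e["detail"]))
    return {"by_kind": dict(by_kind), "drops_per_host": dict(drops_per_host),
            "outbound_malware": outbound_malware}


if __name__ == "__main__":
    for e in parse_ips_log(SAMPLE_LOG):
        print(e["ts"], e["feature"], e["action"], direction(e, "192.168.92.0/24"),
              e["url"] or e["proto"])
    print(summarise(parse_ips_log(SAMPLE_LOG)))
```

The `detail` group is guarded with a negative lookahead so that a URLFILTER line, which has no free-text reason, is not mis-parsed with the URL swallowed into `detail`. Feeding the device's syslog export to `parse_ips_log` and then `summarise` gives the two things worth alerting on from this page's messages: which internal host is accumulating DROPs, and any MALWARE drop whose source is inside the network.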
Advanced Network Protection | URL Filtering Log Messages | Page 69