About the information in the Network Threat Protection reports and logs
Network Threat Protection reports and logs let you track a computer’s activity and its interaction with other computers and networks. They record information about the traffic that tries to enter or exit the computers through their network connections.
Network Threat Protection logs contain details about attacks on the firewall, including the following information.
The logs collect information about intrusion prevention. They also record the connections that were made through the firewall (traffic), the Windows registry keys, files, and DLLs that were accessed, and the data packets that pass through the computers. Operational changes that were made to computers are logged as well, such as when services start and stop or when someone configures software. Other information that may be available includes the time, the event type, and the action taken, as well as the direction, host name, IP address, and protocol of the traffic involved. Where it applies to the event, the information also includes the severity level.
Table: Network Threat Protection reports and logs summary describes some typical uses for the kind of information that you can get from Network Threat Protection reports and logs.
Table: Network Threat Protection reports and logs summary

| Report or log | Typical uses |
|---|---|
| Top Targets Attacked report | Use this report to identify which groups, subnets, computers, or ports are attacked most frequently. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks. You may want to take some action based on this report. For example, you might find that the clients that attach through a VPN are attacked much more frequently. You might want to group those computers so that you can apply a more stringent security policy. |
| Top Sources of Attack report | Use this report to identify which hosts attack your network most frequently. This report consists of a pie chart with relative bars that shows the top hosts that initiated attacks against your network. It includes information such as the number and percentage of attacks, the attack type and severity, and the distribution of attacks. |
| Top Types of Attack report | Use this report to identify the types of attack that are directed at your network most frequently. The possible types of attack that you can monitor include port scans, denial-of-service attacks, and MAC spoofing. This report consists of a pie chart with associated relative bars. It includes information such as the number and percentage of events. It also includes the group and severity, as well as the event type and number by group. |
| Top Blocked Applications report; Blocked Applications Over Time report | Use these reports together to identify the applications that are used most frequently to attack your network. You can also see whether or not the applications being used for attacks have changed over time. The Top Blocked Applications report consists of a pie chart with relative bars that show the top applications that were prevented from accessing your network. It includes information such as the number and percentage of attacks, the group and severity, and the distribution of attacks by group. The Blocked Applications Over Time report consists of a line chart and table. It displays the total number of applications that were prevented from accessing your network over a time period that you select. It includes the event time, the number of attacks, and the percentage. You can display the information for all computers, or by group, IP address, operating system, or user. |
| Attacks over Time report | Use this report to identify the groups, IP addresses, operating systems, and users that are attacked most frequently in your network. Use it also to identify the most frequent type of attack that occurs. This report consists of one or more line charts that display attacks during the selected time period. For example, if the time range is the last month, the report displays the total number of attacks per day for the past month. It includes the number and percentage of attacks. You can view attacks for all computers, or by the top operating systems, users, IP addresses, groups, or attack types. |
| Security Events by Severity report | Use this report to see a summary of the severity of security events in your network. This report consists of a pie chart that displays the total number and percentage of security events in your network, ranked according to their severity. |
| Top Traffic Notifications report; Traffic Notifications Over Time report | Use these reports to show the number of attacks that violated the firewall rules that you configured to notify you about violations. Use them to see which groups are most at risk of attack through the firewall. The Top Traffic Notifications report consists of a pie chart with relative bars that lists the group or subnet, and the number and percentage of notifications. It shows the number of notifications that were based on firewall rule violations that you configured as important to be notified about. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can view information for all, for the Traffic log, or for the Packet log, grouped by top groups or subnets. The Traffic Notifications Over Time report consists of a line chart. It shows the number of notifications that were based on firewall rule violations over time. The rules that are counted are those where you checked the Send Email Alert option in the Logging column of the Firewall Policy Rules list. You can display the information in this report for all computers, or by group, IP address, operating system, or user. |
| Full Report report | Use this report to see the information that appears in all the Network Threat Protection quick reports in one place. This report gives you the following Network Threat Protection information in a single report: Top Types of Attack; Top Targets Attacked by Group; Top Targets Attacked by Subnet; Top Targets Attacked by Client; Top Sources of Attack; Top Traffic Notifications by Group (Traffic); Top Traffic Notifications by Group (Packets); Top Traffic Notifications by Subnet (Traffic); Top Traffic Notifications by Subnet (Packets). |
| Attacks log | Use this log if you need more detailed information about a specific attack that occurred. |
| Traffic log | Use this log if you need more information about a specific traffic event or type of traffic that passes through your firewall. |
| Packets log | Use this log if you need more information about a specific packet. You may want to look at packets to more thoroughly investigate a security event that was listed in a report. |
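As an added example, not part of the product documentation, the following Python derives the kinds of summaries the reports above present from a constructed set of attack events: a ranking by target, source, attack type or severity with count and percentage, attack types per group, daily totals for an over-time chart, and the groups whose share of attacks exceeds a threshold (the VPN-clients situation described for the Top Targets Attacked report). The event field names are assumptions for this example and are not the product's own log or export format.

```python
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample attack events. The field names are assumptions for this
# example and are not the product's own log or export format.
EVENTS = [
    {"time": "2024-03-01T08:12:00", "src": "203.0.113.5", "dst": "10.0.1.20",
     "group": "VPN Clients", "type": "Port Scan", "severity": "Major"},
    {"time": "2024-03-01T09:30:00", "src": "203.0.113.5", "dst": "10.0.1.21",
     "group": "VPN Clients", "type": "Port Scan", "severity": "Major"},
    {"time": "2024-03-01T11:05:00", "src": "198.51.100.7", "dst": "10.0.2.10",
     "group": "Servers", "type": "Denial of Service", "severity": "Critical"},
    {"time": "2024-03-02T02:45:00", "src": "203.0.113.5", "dst": "10.0.1.20",
     "group": "VPN Clients", "type": "MAC Spoofing", "severity": "Minor"},
    {"time": "2024-03-02T14:20:00", "src": "198.51.100.9", "dst": "10.0.1.20",
     "group": "VPN Clients", "type": "Port Scan", "severity": "Major"},
    {"time": "2024-03-03T07:00:00", "src": "198.51.100.7", "dst": "10.0.2.11",
     "group": "Servers", "type": "Denial of Service", "severity": "Critical"},
]

def top_by(events, field):
    """Rank the values of one field (dst = Top Targets, src = Top Sources,
    type = Top Types, severity = Events by Severity) with count and share."""
    counts = Counter(e[field] for e in events)
    total = sum(counts.values())
    return [(value, n, round(100.0 * n / total, 1))
            for value, n in counts.most_common()]

def types_by_group(events):
    """Attack type counts per group, as in the per-group breakdowns."""
    breakdown = defaultdict(Counter)
    for e in events:
        breakdown[e["group"]][e["type"]] += 1
    return {group: dict(c) for group, c in breakdown.items()}

def attacks_per_day(events):
    """Daily totals, the series behind an Attacks over Time line chart."""
    per_day = Counter(datetime.fromisoformat(e["time"]).date().isoformat()
                      for e in events)
    return dict(sorted(per_day.items()))

def groups_over_share(events, threshold_pct):
    """Groups whose share of all attacks exceeds the threshold: candidates for a more stringent policy."""
    return [g for g, _, pct in top_by(events, "group") if pct > threshold_pct]

if __name__ == "__main__":
    for field in ("dst", "src", "type", "severity"):
        print(field, top_by(EVENTS, field))
    print(types_by_group(EVENTS))
    print(attacks_per_day(EVENTS))
    print(groups_over_share(EVENTS, 50.0))
```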
About the reports you can run