Endpoint Protection

  • 1.  Interpreting Logs

    Posted May 25, 2009 08:31 PM
    I have a client freaking out that someone is trying to intrude into his system.

    "I get messages from Symantec about ‘traffic from ip address is blocked from ….sid 21702’"

    He has also sent me his log file; here is an example of the many lines in it.

    10590 17/05/2009 9:10:47 AM Blocked 10 Outgoing IPv6 [type=0x86DD] 0.0.0.0 33-33-00-01-00-03 0 0.0.0.0 00-1C-BF-1D-E8-2E 34525 bret 2020GROUP Default 1 17/05/2009 9:09:46 AM 17/05/2009 9:09:46 AM Block IPv6

    I'm a bit new to all this; can anyone point me in the right direction as to what is happening to him?

    Craig Mills


  • 2.  RE: Interpreting Logs

    Broadcom Employee
    Posted May 26, 2009 01:26 AM


    You can verify by looking at the NTP traffic logs and correlate...

    I tried to distinguish each field. This is basically a rule for blocking IPv6.

    10590
    Timestamp: 17/05/2009 9:10:47 AM
    Action: Blocked
    Severity: 10 Outgoing
    Service: IPv6 [type=0x86DD]
    Remote host: 0.0.0.0
    Remote MAC: 33-33-00-01-00-03
    Local host: 0 0.0.0.0
    Local MAC: 00-1C-BF-1D-E8-2E
    Local port: 34525
    User: bret
    User domain: 2020GROUP
    Location: Default
    Occurrences: 1
    Begin time: 17/05/2009 9:09:46 AM
    End time: 17/05/2009 9:09:46 AM
    Rule name: Block IPv6


    Pete!
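Added example, not posted by either participant and not Symantec's own tooling: a small Python parser that splits a client traffic-log line like the one in the first post into the fields named in reply 2, then applies a coarse triage label so repeated entries can be counted per rule. Two points go beyond reply 2 and are assumptions of this example: "10 Outgoing" is split into a severity and a direction field, and the "0" between the remote MAC and the second 0.0.0.0 is read as the remote port (giving a remote host/MAC/port, local host/MAC/port layout). The second sample line is constructed for the demonstration, not taken from the thread. Field names, the regular expression and the `classify` labels are this example's own.

```python
"""Parse Symantec Endpoint Protection client traffic-log lines into named fields.

Added example for the thread above; not Symantec's own tooling. The field
order follows the breakdown in reply 2 (record id, timestamp, action,
severity, direction, protocol, remote host/MAC/port, local host/MAC/port,
user, domain, location, occurrences, begin/end time, rule name). Treating
the "0" after the remote MAC as the remote port, and splitting "10 Outgoing"
into severity and direction, are assumptions of this example.
"""
import re
from collections import Counter
from datetime import datetime

# Log line quoted in the original post.
SAMPLE_FROM_POST = (
    "10590 17/05/2009 9:10:47 AM Blocked 10 Outgoing IPv6 [type=0x86DD] "
    "0.0.0.0 33-33-00-01-00-03 0 0.0.0.0 00-1C-BF-1D-E8-2E 34525 bret "
    "2020GROUP Default 1 17/05/2009 9:09:46 AM 17/05/2009 9:09:46 AM Block IPv6"
)

# Constructed second line (not from the thread) showing an inbound TCP entry.
SAMPLE_CONSTRUCTED = (
    "10591 17/05/2009 9:12:03 AM Blocked 10 Incoming TCP "
    "192.0.2.45 00-11-22-33-44-55 51234 10.0.0.7 00-1C-BF-1D-E8-2E 445 bret "
    "2020GROUP Default 3 17/05/2009 9:11:50 AM 17/05/2009 9:12:03 AM Block SMB"
)

_TS = r"\d{2}/\d{2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
_MAC = r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
# Protocol is matched non-greedily so multi-token values such as
# "IPv6 [type=0x86DD]" work; the MAC pattern that follows anchors the split.
_LINE = re.compile(
    rf"^(?P<record>\d+)\s+(?P<timestamp>{_TS})\s+(?P<action>\S+)\s+"
    rf"(?P<severity>\d+)\s+(?P<direction>\S+)\s+(?P<protocol>.+?)\s+"
    rf"(?P<remote_host>\S+)\s+(?P<remote_mac>{_MAC})\s+(?P<remote_port>\d+)\s+"
    rf"(?P<local_host>\S+)\s+(?P<local_mac>{_MAC})\s+(?P<local_port>\d+)\s+"
    rf"(?P<user>\S+)\s+(?P<domain>\S+)\s+(?P<location>\S+)\s+"
    rf"(?P<occurrences>\d+)\s+(?P<begin>{_TS})\s+(?P<end>{_TS})\s+(?P<rule>.+)$"
)
_TS_FMT = "%d/%m/%Y %I:%M:%S %p"   # day/month order as in the post


def parse_line(line: str) -> dict:
    """Return the named fields of one traffic-log line, or raise ValueError."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised traffic-log line: {line!r}")
    rec = m.groupdict()
    for key in ("record", "severity", "remote_port", "local_port", "occurrences"):
        rec[key] = int(rec[key])
    for key in ("timestamp", "begin", "end"):
        rec[key] = datetime.strptime(rec[key], _TS_FMT)
    return rec


def is_ipv6_multicast_mac(mac: str) -> bool:
    """Ethernet frames carrying IPv6 multicast use a destination MAC starting 33-33 (RFC 2464)."""
    return mac.upper().startswith("33-33-")


def classify(rec: dict) -> str:
    """Coarse triage label: who initiated the blocked traffic and where it was headed."""
    if rec["direction"].lower() == "outgoing" and is_ipv6_multicast_mac(rec["remote_mac"]):
        # The local host itself sent an IPv6 multicast frame (33-33-00-01-00-03 is the
        # Ethernet address for ff02::1:3, LLMNR) and the rule dropped it. Nothing came in.
        return "local IPv6 multicast, blocked outbound"
    if rec["direction"].lower() == "incoming":
        return f"inbound from {rec['remote_host']} to local port {rec['local_port']}, blocked"
    return f"outbound to {rec['remote_host']}:{rec['remote_port']}, blocked"


def summarize(lines) -> Counter:
    """Sum the occurrences field per (rule, triage label) so repeated noise stands out."""
    totals = Counter()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        totals[(rec["rule"], classify(rec))] += rec["occurrences"]
    return totals


if __name__ == "__main__":
    for line in (SAMPLE_FROM_POST, SAMPLE_CONSTRUCTED):
        r = parse_line(line)
        print(r["record"], r["direction"], r["protocol"], r["rule"], "->", classify(r))
    for (rule, label), n in summarize([SAMPLE_FROM_POST, SAMPLE_CONSTRUCTED]).items():
        print(f"{n:>4}  {rule:<12} {label}")
```

Feeding an exported log through `summarize` turns thousands of near-identical lines into a handful of (rule, label) counts; entries the local machine generated itself and sent to a multicast address are then easy to tell apart from genuinely inbound connections that the firewall refused.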