Reporting. SonicWALL Reporting 1

Transcription

1 Reporting SonicWALL Reporting 1

2 Table of Contents OVERVIEW OF SONICWALL REPORTING 3 CATEGORIES OF REPORTS 4 OVERVIEW OF SONICWALL SUMMARY REPORTS 6 AUTHENTICATION SUMMARY REPORTS 6 STATUS SUMMARY REPORT 6 BANDWIDTH SUMMARY REPORT 6 ROI SUMMARY REPORT 6 SERVICES SUMMARY REPORT 7 VPN USAGE SUMMARY REPORT 7 WEB USAGE SUMMARY REPORT 7 BROWSE TIME SUMMARY REPORT 7 WEB FILTER SUMMARY REPORT 8 FTP SUMMARY REPORT 8 MAIL SUMMARY REPORT 8 ATTACK SUMMARY REPORT 8 VIRUS ATTACK SUMMARY REPORT 9 INTRUSION PREVENTION SUMMARY REPORT 9 EXECUTIVE SUMMARY OF REPORTS 10 FOR JANUARY 15, Authentication Summary 10 Status Summary 10 Bandwidth Summary 10 ROI Summary 11 Services Summary 11 VPN Summary 11 Web Usage Summary 11 Browse Time Summary 11 FTP Summary 12 Mail Summary 12 Attack Summary 12 Virus Attack Summary 12 Intrusion Prevention Summary 12 SAMPLE SONICWALL REPORT SonicWALL Reporting 2

3 Overview of SonicWALL Reporting Monitoring critical network events and activities, such as security threats, inappropriate Web usages and bandwidth levels are essential components for any network. SonicWALL s Reporting Solutions complement SonicWALL's Internet Security offerings by providing detailed and comprehensive reports of network activity. SonicWALL GMS and ViewPoint make up a family of products built to deliver an advancement in network reporting. Both GMS and ViewPoint offer dynamic, real-time and historical network summaries that take advantage of SonicWALL s robust reporting module, thus offering a unique view into any network. With customizable compliance reports that can be delivered in a variety of exportable formats, organizations and service providers can use the power of SonicWALL Reporting to maintain a pulse on network patterns, track thwarted security events and report usage trends. Furthermore, administrators can monitor network access, enhance security and anticipate future bandwidth needs. SonicWALL s Reporting Solutions: Display bandwidth use by IP address and service Identify inappropriate Web use Provide detailed reports of attacks Collect and aggregate system and network errors Show VPN events and problems Present visitor traffic to a Web site Provide detailed daily firewall logs to analyze specific events SonicWALL s Reporting Solutions offer a simple view into a complex world of digital activity powered by SonicWALL Internet security appliances. This document identifies key SonicWALL summary reports and a complete sample report. Now take a Deeper Look into what SonicWALL Reporting has to offer. SonicWALL Reporting 3

4 Categories of Reports Below is a list of report categories available in SonicWALL s Reporting environment: Login Reports o User Login o Admin Login o Failed Login Status Reports o Status Summary Bandwidth Reports o Bandwidth Summary o Bandwidth Top Users ROI Reports o ROI Summary o ROI Top Users Service Reports o Services Summary VPN Reports o VPN Summary o VPN Top Users o VPN By Policy o VPN By Policy Hourly o VPN By Service Web Usage Reports o Web Usage Summary o Web Usage Top Sites o Web Usage Top Users o Web Usage By User o Web Usage By Category o Web Usage By Site Browse Time Reports o Browse Time Summary o Browse Time Top Users o Browse Time By User Web Filter Reports o Web Filter Summary o Web Filter Top Sites o Web Filter Top Users o Web Filter By User, By Site o Web Filter By Category FTP Reports o FTP Usage Summary o FTP Usage Top Users SonicWALL Reporting 4

5 Mail Reports o Mail Usage Summary o Mail Usage Top Users Attacks Reports o Attacks Summary o Attacks By Category o Attacks Errors Virus Attacks Reports o Virus Attacks Summary o Virus Attacks Top Viruses Spyware Reports o Spyware Summary o Spyware By Category Intrusions Reports Intrusions Summary Intrusions By Category SonicWALL Reporting 5

6 Overview of SonicWALL Summary Reports Authentication Summary Reports The Authentication Login reports show user logins, administrator logins and failed login attempts for users and administrators. For example, the user login report shows users that have logged into the SonicWALL appliance (e.g. during a specified day) to bypass content filtering or to access local network resources remotely. The administrator login report shows successful administrator logins during the specified day. This report is useful for identifying misuse and unauthorized management of a SonicWALL appliance. Status Summary Report Status reports display the number of hours that one or more SonicWALL appliances were online and functional during the specified time period. From this information, an administrator can find trouble spots within their network. For example, this report could reveal a SonicWALL appliance that is having network connectivity issues caused by either the internal network or by the ISP. For a managed service provider, this report is extremely useful in illustrating the commitment in delivering a Service Level Agreement (SLA) to a managed customer. Bandwidth Summary Report Bandwidth reports display the amount of data transferred through one or more selected SonicWALL appliances. Bandwidth reports are an ideal starting point for viewing overall bandwidth usage. Administrators can view bandwidth usage view by the hour, day or over a period of days. Additionally, companies can view the top users of their bandwidth. From this information, the organization can determine network strategies. For instance, if the company needs more bandwidth, they might decide to upgrade network equipment, opt to upgrade the bandwidth for their Internet access or they may simply decide to curtail their bandwidth usage for select employees. ROI Summary Report Return on Investment (ROI) reports display the total cost of consumed network bandwidth (measured in Mbytes) transferred through one or more selected SonicWALL appliances. ROI reports are an ideal starting point for viewing the overall cost of consumed network bandwidth usage. Administrators can view ROI usage view by the hour, day or over a period of days. Additionally, they can view the top users who consume the most network bandwidth and the percentage of the total cost attributed to each top user. SonicWALL Reporting 6

7 Similar to Bandwidth Summary Reports, this information be used to determine network strategies, which include increased bandwidth, upgrade in equipment, WAN optimization technology, or limit network bandwidth access through the use of throttling tools. Services Summary Report Service reports provide information on the amount of data transmitted through selected SonicWALL appliance by each service. Service reports are useful for revealing inappropriate usage of bandwidth and can help determine network policies. For example, if there is a large spike of bandwidth usage, a network administrator can determine whether this is caused by regular Web access, someone using FTP to transfer large files, an attempted Denial of Service (DoS) attack, or a variety of other services. VPN Usage Summary Report VPN Usage reports provide information on the amount of VPN usage that occurs through the selected SonicWALL appliance(s). VPN Usage reports can be used to view VPN usage by the hour, day, or over a period of days. Additionally, administrators can view the top users of their VPN tunnels. General bandwidth reports do not always provide a comprehensive view of the network bandwidth consumption. If a large amount of VPN traffic occurs, a company may need to increase their Internet connection, add WAN optimization equipment, or reconfigure the VPN network for site-to-site tunnels to efficiently route traffic. Web Usage Summary Report The Web Usage Summary report contains information on the amount of HTTP bandwidth handled by a SonicWALL device during each hour of the specified day. Web usage reports can be used to view Web bandwidth usage by the hour, day, or over a period of days. Administrators can monitor the top users of Web bandwidth and most viewed/visited sites for their company. These types of reports help companies gauge the productivity of their employees. Browse Time Summary Report Browse Time reports display the amount of time consumed browsing the Internet through one or more selected SonicWALL appliances. Administrators can view Browse Time usage views by the hour, day or over a period of days. Additionally, they can view users who browse the Internet the most and the percentage of the browse time accrued by each top user. From this information, a company can identify targeted network and behavioral strategies. For example, if the company needs to lower costs attributed to consumed network bandwidth, they will have the ability to generate Browse Time reports to identify the total amount of time used to browse to Web site sites that are not related to the employee s job function. SonicWALL Reporting 7

8 Web Filter Summary Report The Web Filter Summary Report contains information on the number of times users attempted to access blocked sites on a particular day through selected SonicWALL appliance(s). These reports include Web sites blocked by the Content Filter List or service, customized keyword filtering, and domain name filtering services. Web filter reports can be used to view blocked site access attempts by the hour, day or over a period of days. Additionally, administrators can view the users that most frequently attempt to access blocked sites and the most popular blocked sites. FTP Summary Report FTP usage reports provide information on the amount of FTP usage that occurs through the selected SonicWALL appliance(s). FTP usage reports can be used to view FTP bandwidth usage by the hour, day, or over a period of days. Additionally, administrators can view the top users of FTP bandwidth. General bandwidth reports do not always provide a complete picture of network bandwidth usage. If a large amount of FTP traffic occurs during peak times, a company may need more bandwidth, an upgrade in network equipment, a practice to avoid peak network times, or ask employees to use compression tools for large file transfers. Mail Summary Report Mail usage reports provide information on the amount of mail usage that occurs through the selected SonicWALL appliance(s). Mail usage reports can be used to view mail bandwidth usage by the hour, day, or even over a period of days. This report allows an administrator to view the top users of mail bandwidth. Mail usage reports include SMTP, POP3, and IMAP traffic. General bandwidth reports do not always provide a complete picture of network bandwidth usage. If a large amount of mail traffic occurs during peak times, a company may want to increase their bandwidth capacity, use Web-mail services more often in a hosted environment, or limit the size of attachments for SMTP traffic. Attack Summary Report Attacks reports show the number of attacks that were directed at or through the selected SonicWALL appliance(s). These include denial of service attacks, intrusions, probes, and all other malicious activity directed at the SonicWALL appliance or computers on the LAN or DMZ. As with any network deployment, SonicWALL recommends taking a multi-layer approach to network security. Through the aid of Attack Summary Reports, network administrators can see evidence of the attacks that have been thwarted using SonicWALL appliances. This will help gauge the effectiveness of the company s perimeter security device. SonicWALL Reporting 8

9 Virus Attack Summary Report Virus Attacks reports show the number of virus attacks that were directed at or through the selected SonicWALL appliance(s). Similar to the attack summary report, the Virus Attack report illustrates the effectiveness of the SonicWALL appliance to capture virus attacks before they penetrate the company s network. Intrusion Prevention Summary Report The Intrusion Prevention Service (IPS) reports show the number of attempted intrusions that occurred during the specified time period. These reports provide further evidence of SonicWALL s deep packet inspection signature technology. SonicWALL Reporting 9

10 Executive Summary of Reports For January 15, 2007 This Executive Summary of Reports highlights key findings in various network, usage, services and security reports. Use this report to help do the following: Evaluate the effectiveness of and compliance of your Internet usage policy Document the time and bandwidth impact of Web browsing on your IT operations Identify Web-based services that reduce the effectiveness of or circumvent installed security measures Help understand how your organization is using and consuming its Internet resources Below is a summary of the key findings in this daily report for ACME, Inc.: Authentication Summary Five or more repeated attempts within a 15-minute time period are highlighted in your report. There were ten (10) recorded user logins for this particular report day. Tommy Nguyen made 6 attempts into the network and Art King made 2. The rest of the user logins were single attempts. Further investigation should be made into identifying any misuse and/or unauthorized management of your SonicWALL appliance. Status Summary We have recorded that your SonicWALL unit has been up 100% of the time and there have been no service disruptions for this report date. This is in alignment your Service Level Agreement (SLA) set forth with your managed services contract. Bandwidth Summary This report shows your company has exchanged Mbytes of data between the local network and the Internet for the given report period. The hourly consumption graph shows the times that the network is under the least, average, and maximum load. SonicWALL Reporting 10

11 ROI Summary Your Return on Investment (ROI) report illustrates that Mbytes of bandwidth was consumed through your SonicWALL appliance resulting in a net cost of $0.246 (factoring the cost of your monthly Internet charges) for the given report period. Also, between the hours of 01:00 02:00 and 13:00 14:00 your SonicWALL appliance recorded a surge of Internet traffic. Your top bandwidth user on this particular day was Sanjay Sawney with % of they day s total Internet traffic. Further investigation may be required in order to make sure there are no spyware/adware applications on this user s machine and if this employee is adhering to your company s Internet usage policy. Services Summary Your Services Summary Report shows that % of your Internet traffic comes from TCP/HTTP traffic for this particular daily report. This amounts to Mbytes and 10,952 events. VPN Summary VPN usage accounted for Mbytes of Internet traffic resulting in 4,247 events. A peak surge of VPN traffic occurred between 21:00-22:00, which accounted for 9.292% of the daily VPN traffic. Services running over TCP port 1886 accounted for % of the overall daily traffic resulting in Mbytes and 92 Events. Dolph Smith accounted for % of the overall VPN traffic. This amount of VPN traffic was normal given the typical Internet traffic on your network. Web Usage Summary Web usage accounted for Mbytes of traffic resulting in 11,291 events. A peak surge of Web Usage occurred between 07:00 08:00, which accounted for 7.178% of Web usage traffic. The most frequently visited Web usage category was Information Technology/Computers and accounted for %. The top visited website was and accounted for % of traffic. The top user of the Web is Sanjay Sawney who accounted for %. Further investigation may be required to investigate appropriate usage of the company s internet services. Browse Time Summary Browse Time accounted for 00:09:27 of time spent browsing the Internet. A peak surge of browse time occurred between 11:00 12:00, which accounted for 5.820% of total Browse Time traffic. The user spending the most time browsing on this day was Sanjay Sawney who accounted for % of all browse time. Further investigation may be required to investigate appropriate usage of the company s internet services. SonicWALL Reporting 11

12 FTP Summary FTP usage amounted to Mbytes of traffic. A peak surge of FTP services occurred between 14:00 15:00, which accounted for % of the day s FTP traffic. The top FTP user was Sanjay Sawney who used % of the total FTP bandwidth. Since the aggregate amount of FTP traffic is small, further investigation is not warranted. Mail Summary Mail usage for SMTP, POP3 and IMAP traffic accounted for Mbytes of traffic. A peak surge of mail usage occurred between 19:00 20:00, which accounted for % of all mail traffic. The top mail user was Greg Etemad who accounted for % of all mail traffic. Further investigation may be required to investigate appropriate usage of the company s mail services. Attack Summary The account summary report shows that 157 attacks were attempted on your company s network on this particular report day % of these attacks occurred between the hours of 11:00 12: % of attacks were IP Spoof attacks coming from source IP addresses and Your SonicWALL appliance is dynamically updated with new signatures everyday to thwart such attacks. However, further investigation of these attacks may be warranted. Virus Attack Summary The Virus Attack report shows that 211 attacks were launched against your company s network on this particular report day % of the attacks occurred between the hours of 14:00 15: % of virus attacks were Nesky.Gen- 2(Worm) attacks coming from source IP address Your SonicWALL appliance is dynamically updated with new signatures everyday to thwart such attacks. However, further investigation of these attacks may be warranted. Intrusion Prevention Summary The Intrusion Prevention Service (IPS) report shows 548 IPS attacks were launched against your company s network on this particular report day % of the attacks occurred between the hours of 14:00 15: % of the attacks were coming from an internal rogue machine with IP address Further investigation is required to identify this machine and uncover the nature of these IPS probes. Your SonicWALL appliance is dynamically updated with new signatures everyday to thwart such attacks. However, further investigation of these attacks may be warranted. SonicWALL Reporting 12

13 ACME Company Report Detailed Daily Report Report Date for: 01/15/2007 Created on: Jan 16, :59 PM Powered By

14 Summary Web Usage Summary Report for The Web Usage Summary report contains information on the amount of HTTP bandwidth handled by your SonicWALL device during each hour of the specified day. Total Usage: Max Usage: Average Usage: MBytes 4.4 MBytes MBytes Bandwidth Summary Report for Bandwidth reports display the amount of data transferred through one or more selected SonicWALL appliances. Bandwidth reports are an ideal starting point for viewing overall bandwidth usage. Total Utilization: Max Utilization: Average Utilization: MBytes MBytes MBytes 14 Powered By

15 Detail User Logins for Time Source 1 14:22:18 Tommy Nguyen 2 14:22:34 Tommy Nguyen 3 14:23:11 Tommy Nguyen 4 14:24:38 Tommy Nguyen 5 14:24:41 Tommy Nguyen 6 14:24:53 Tommy Nguyen 7 14:25:08 Art King 8 14:25:18 Art King 9 14:25:25 Greg Etemad 10 14:25:49 Robert Chowmentowski Total: 15 Powered By

16 Firewall Up Status Summary for Hour Up Time (Mins.) % of Up Time 1 00:00-01: % 2 01:00-02: % 3 02:00-03: % 4 03:00-04: % 5 04:00-05: % 6 05:00-06: % 7 06:00-07: % 8 07:00-08: % 9 08:00-09: % 10 09:00-10: % 11 10:00-11: % 12 11:00-12: % 13 12:00-13: % 14 13:00-14: % 15 14:00-15: % 16 15:00-16: % 17 16:00-17: % 18 17:00-18: % 19 18:00-19: % 20 19:00-20: % 21 20:00-21: % 22 21:00-22: % 23 22:00-23: % 24 23:00-24: % Total: % 16 Powered By

17 Bandwidth Summary for Hour Events MBytes % of MBytes 1 00:00-01: % 2 01:00-02: % 3 02:00-03: % 4 03:00-04: % 5 04:00-05: % 6 05:00-06: % 7 06:00-07: % 8 07:00-08: % 9 08:00-09: % 10 09:00-10: % 11 10:00-11: % 12 11:00-12: % 13 12:00-13: % 14 13:00-14: % 15 14:00-15: % 16 15:00-16: % 17 16:00-17: % 18 17:00-18: % 19 18:00-19: % 20 19:00-20: % 21 20:00-21: % 22 21:00-22: % 23 22:00-23: % 24 23:00-24: % Total: % 17 Powered By

18 ROI Summary for Hour MBytes Cost ($) % of Cost 1 00:00-01: % 2 01:00-02: % 3 02:00-03: % 4 03:00-04: % 5 04:00-05: % 6 05:00-06: % 7 06:00-07: % 8 07:00-08: % 9 08:00-09: % 10 09:00-10: % 11 10:00-11: % 12 11:00-12: % 13 12:00-13: % 14 13:00-14: % 15 14:00-15: % 16 15:00-16: % 17 16:00-17: % 18 17:00-18: % 19 18:00-19: % 20 19:00-20: % 21 20:00-21: % 22 21:00-22: % 23 22:00-23: % 24 23:00-24: % Total: % 18 Powered By

19 Top Users of Bandwidth for Users Connections MBytes % of MBytes 1 Sanjay Sawney % 2 Kari Shadbolt % 3 Eric Souza % 4 Jacqueline Nellson % 5 Chuck Miller % Total: % 19 Powered By

20 Top Users of ROI for Users MBytes Cost ($) % of Cost 1 Sanjay Sawney % 2 Kari Shadbolt % 3 Eric Souza % 4 Jacqueline Nellson % 5 Chuck Miller % Total: % 20 Powered By

21 Summary of Services for Protocol Events (For 24Hrs) MBytes % of MBytes 1 TCP/HTTP % 2 UDP/DNS % 3 TCP/ % 4 TCP/HTTPS % 5 TCP/ % 6 TCP/ % 7 UDP/ % 8 TCP/NETBIOS-SSN % 9 TCP/POP % 10 UDP/ % Total: % 21 Powered By

22 VPN Usage Summary for Hour Events MBytes % of MBytes 1 00:00-01: % 2 01:00-02: % 3 02:00-03: % 4 03:00-04: % 5 04:00-05: % 6 05:00-06: % 7 06:00-07: % 8 07:00-08: % 9 08:00-09: % 10 09:00-10: % 11 10:00-11: % 12 11:00-12: % 13 12:00-13: % 14 13:00-14: % 15 14:00-15: % 16 15:00-16: % 17 16:00-17: % 18 17:00-18: % 19 18:00-19: % 20 19:00-20: % 21 20:00-21: % 22 21:00-22: % 23 22:00-23: % 24 23:00-24: % Total: % 22 Powered By

23 Summary of Services Over VPN for Protocol Events MBytes % of MBytes 1 TCP/ % 2 TCP/ % 3 TCP/NETBIOS-SSN % 4 TCP/ % 5 TCP/ % 6 TCP/ % 7 TCP/ % 8 TCP/ % 9 UDP/DNS % 10 UDP/ % Total: % 23 Powered By

24 Top Users of VPN for Users Connections MBytes % of MBytes 1 Dolph Smith % 2 Paul Tveit % 3 Tom Drill % 4 Shilpa % 5 Mike Wickizer % 6 George Hlebak % 7 Adam Towle % 8 Prasad Bevra % 9 Steve Cornell % 10 Cameron Bigler % Total: % 24 Powered By

25 Summary of Services Over VPN for Protocol Events MBytes % of MBytes 1 TCP/ % 2 TCP/ % 3 TCP/NETBIOS-SSN % 4 TCP/ % 5 TCP/ % 6 TCP/ % 7 TCP/ % 8 TCP/ % 9 UDP/DNS % 10 UDP/ % Total: % 25 Powered By

26 Web Usage Summary for Hour Events MBytes % of MBytes 1 00:00-01: % 2 01:00-02: % 3 02:00-03: % 4 03:00-04: % 5 04:00-05: % 6 05:00-06: % 7 06:00-07: % 8 07:00-08: % 9 08:00-09: % 10 09:00-10: % 11 10:00-11: % 12 11:00-12: % 13 12:00-13: % 14 13:00-14: % 15 14:00-15: % 16 15:00-16: % 17 16:00-17: % 18 17:00-18: % 19 18:00-19: % 20 19:00-20: % 21 20:00-21: % 22 21:00-22: % 23 22:00-23: % 24 23:00-24: % Total: % 26 Powered By

27 Summary of Web Usage by Category for Category Hits MBytes % of MBytes 1 Information Technology/Computers % Site User Hits MBytes % of MBytes rss.slashdot.org % vs.mcafeeasap.com % % download.windowsupdate.com % update.microsoft.com % 2 Business and Economy % Site User Hits MBytes % of MBytes news.com.com % 3 Search Engines and Portals % Site User Hits MBytes % of MBytes sb.google.com % % 4 Not Rated % Site User Hits MBytes % of MBytes sync.foxcloud.com % 5 News and Media % Site User Hits MBytes % of MBytes rss.cnn.com % Total: % 27 Powered By

28 Top Visited Web Sites for Site Hits MBytes Category % of MBytes % Arts/Entertainment % Job Search 9.877% 4 us.a1.yimg.com Advertisement 4.178% 5 us.f302.mail.yahoo.com % Travel 3.423% Job Search 2.719% Shopping 2.690% Education 2.247% Real Estate 2.167% Search Engines and P ortals 1.858% 12 mail.gogle.com % Search Engines and P ortals 14 pictures.studentcenter.org Web Communications 1.138% 1.126% Shopping 1.017% 16 news.bbc.co.uk News and Media 1.009% Arts/Entertainment 0.946% Arts/Entertainment 0.917% News and Media 0.840% News and Media 0.766% Total: % 28 Powered By

29 Top Users of Web for Users Hits MBytes % of MBytes 1 Sanjay Sawney % 2 Kari Shadbolt % 3 Eric Souza % 4 Jacqueline Nellson % 5 Chuck Miller % 6 Rachel Lau % 7 George Hicks % 8 Patrick Leaden % 9 Dan Parsons % 10 Eric Stafford % 11 George Mena % 12 Greg Etemad % 13 Andy Walker % 14 Juan Martinez % 15 Valerie Leader % 16 Art King % 17 Tommy Nguyen % 18 John Aronson % 19 Wendy Ackerman % 20 Robert Chowmentowski % Total: % 29 Powered By

30 Browse Time Summary for Hour Browse Time (hh:mm:ss) % of Browse Time 1 00:00-01:00 00:00: % 2 01:00-02:00 00:00: % 3 02:00-03:00 00:00: % 4 03:00-04:00 00:00: % 5 04:00-05:00 00:00: % 6 05:00-06:00 00:00: % 7 06:00-07:00 00:00: % 8 07:00-08:00 00:00: % 9 08:00-09:00 00:00: % 10 09:00-10:00 00:00: % 11 10:00-11:00 00:00: % 12 11:00-12:00 00:00: % 13 12:00-13:00 00:00: % 14 13:00-14:00 00:00: % 15 14:00-15:00 00:00: % 16 15:00-16:00 00:00: % 17 16:00-17:00 00:00: % 18 17:00-18:00 00:00: % 19 18:00-19:00 00:00: % 20 19:00-20:00 00:00: % 21 20:00-21:00 00:00: % 22 21:00-22:00 00:00: % 23 22:00-23:00 00:00: % 24 23:00-24:00 00:00: % Total: 00:09: % 30 Powered By

31 Browse Time Top Users for Users Browse Time (hh:mm:ss) % of Browse Time 1 Sanjay Sawney 00:20: % 2 Kari Shadbolt 00:02: % 3 Eric Souza 00:01: % 4 Jacqueline Nellson 00:01: % 5 Chuck Miller 00:01: % 6 Rachel Lau 00:01: % 7 George Hicks 00:00: % 8 Patrick Leaden 00:00: % 9 Dan Parsons 00:00: % 10 Eric Stafford 00:00: % 11 George Mena 00:00: % 12 Greg Etemad 00:00: % 13 Jessica Eschenbaum 00:00: % 14 Juan Martinez 00:00: % 15 Andy Walker 00:00: % 16 Art King 00:00: % 17 Tommy Nguyen 00:00: % 18 John Aronson 00:00: % 19 Wendy Ackerman 00:00: % 20 Robert Chowmentowski 00:00: % Total: 00:37: % 31 Powered By

32 FTP Usage Summary for Hour Events MBytes % of MBytes 1 13:00-14: % 2 14:00-15: % Total: % 32 Powered By

33 Top Users of FTP for Users Events MBytes % of MBytes 1 Sanjay Sawney % S Destination Events MBytes % of MBytes % 2 Kari Shadbolt % Destination Events MBytes % of MBytes % Total: % 33 Powered By

34 Mail Usage Summary for Hour Events MBytes % of MBytes 1 01:00-02: % 2 02:00-03: % 3 03:00-04: % 4 04:00-05: % 5 05:00-06: % 6 06:00-07: % 7 07:00-08: % 8 08:00-09: % 9 09:00-10: % 10 11:00-12: % 11 12:00-13: % 12 13:00-14: % 13 14:00-15: % 14 16:00-17: % 15 17:00-18: % 16 18:00-19: % 17 19:00-20: % 18 20:00-21: % 19 21:00-22: % 20 22:00-23: % 21 23:00-24: % Total: % 34 Powered By

35 Top Mail Users for Users Events MBytes % of MBytes 1 Greg Etemad % 2 Robert Chowmentowski % 3 Stephen Pearson % 4 George Mena % 5 Wendy Ackerman % 6 Jessica Eschenbaum % Total: % 35 Powered By

36 Attack Summary for Hour Attacks % of Attacks 1 00:00-01: % 2 01:00-02: % 3 02:00-03: % 4 03:00-04: % 5 04:00-05: % 6 05:00-06: % 7 06:00-07: % 8 07:00-08: % 9 08:00-09: % 10 09:00-10: % 11 10:00-11: % 12 11:00-12: % 13 12:00-13: % 14 13:00-14: % 15 14:00-15: % 16 15:00-16: % 17 16:00-17: % 18 17:00-18: % 19 18:00-19: % 20 19:00-20: % 21 20:00-21: % 22 21:00-22: % 23 22:00-23: % 24 23:00-24: % Total: % 36 Powered By

37 Summary of Attacks by Category for Type Attacks % of Attacks 1 IP spoof dropped % Source Destination Attacks % of Attacks % % 2 Smurf Amplification attack dropped % Source Destination Attacks % of Attacks % Total: % 37 Powered By

38 Virus Attack Summary for Hour Attempts % of Attempts 1 13:00-14: % 2 14:00-15: % Total: % 38 Powered By

39 Top Viruses by Attack Attempts for Virus Attempts % of Attempts 1 Netsky.Gen-2 (Worm) disabled % Source Destination Attempts % of Attempts % 2 Password-protected ZIP file disabled % Source Destination Attempts % of Attempts % 3 Gibe.F (Worm) disabled % Source Destination Attempts % of Attempts % 4 Mydoom.F (Worm) disabled % Source Destination Attempts % of Attempts % Total: % 39 Powered By

40 Intrusion Summary for Hour Intrusions % of Intrusions 1 13:00-14: % 2 14:00-15: % Total: % 40 Powered By

41 Top Intrusions for Category Intrusions % of Intrusions 1 WEB-IIS % Priority Type Source Destination Intrusions % of Intrusions 1 IPS Prevention Alert: WEB-IIS cmd.exe access (SID=1309) 3 IPS Prevention Alert: WEB-IIS.htr access (SID=1297) 3 IPS Prevention Alert: WEB-IIS ISAPI.idqaccess (SID=1281) 1 IPS Prevention Alert: WEB-IIS iisadmpwd attempt (SID=1322) 1 IPS Prevention Alert: WEB-IIS +.htr codefragment attempt (SID=1296) 3 IPS Prevention Alert: WEB-IIS ISAPI.idaaccess (SID=1279) 3 IPS Prevention Alert: WEB-IIS webhits access (SID=1341) 3 IPS Prevention Alert: WEB-IIS ISAPI.printer access (SID=1277) 3 IPS Prevention Alert: WEB-IIS htimage.exe access (SID=1353) 1 IPS Prevention Alert: WEB-IIS /scripts/samples/ access (SID=1346) % % % % % % % % % % 2 SNMP % Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: SNMP request udp (SID=754) 3 IPS Prevention Alert: SNMP public accessudp (SID=748) 3 IPS Prevention Alert: SNMP private access udp (SID=750) % % % 3 WEB-CGI % Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: WEB-CGI htsearch access (SID=1039) % 3 IPS Prevention Alert: WEB-CGI % 41 Powered By

42 Category Intrusions % of Intrusions Priority Type Source Destination Intrusions % of Intrusions loadpage.cgi access (SID=1075) 3 IPS Prevention Alert: WEB-CGI man.sh access (SID=939) 3 IPS Prevention Alert: WEB-CGI AnyForm2 access (SID=972) 3 IPS Prevention Alert: WEB-CGI test-cgi access (SID=909) 3 IPS Prevention Alert: WEB-CGI textcounter.pl access (SID=912) 3 IPS Prevention Alert: WEB-CGI ttawebtop.cgi access (SID=1030) 3 IPS Prevention Alert: WEB-CGI wrap access (SID=932) 3 IPS Prevention Alert: WEB-CGI perl.exe access (SID=1004) 3 IPS Prevention Alert: WEB-CGI uploader.exe access (SID=913) % % % % % % % % 4 WEB-MISC % Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: WEB-MISC DELETE attempt (SID=1567) 1 IPS Prevention Alert: WEB-MISC cross site scripting attempt (SID=1369) 3 IPS Prevention Alert: WEB-MISC?PageServices access (SID=1427) 3 IPS Prevention Alert: WEB-MISC WEB-INF access (SID=1588) 1 IPS Prevention Alert: WEB-MISC showcode access (SID=1535) 3 IPS Prevention Alert: WEB-MISC http directory traversal (SID=1529) 3 IPS Prevention Alert: WEB-MISC logicworks.ini access (SID=1641) 3 IPS Prevention Alert: WEB-MISC globals.pl access (SID=1637) 1 IPS Prevention Alert: WEB-MISC TRACE attempt (SID=1621) 1 IPS Prevention Alert: WEB-MISC viewcode access (SID=1534) % % % % % % % % % % 5 ICMP % Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: ICMP PING speedera(sid=379) 3 IPS Prevention Alert: ICMP PING (SID=293) % % 6 WEB-COLDFUSION % Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: WEB-COLDFUSION expeval access % 42 Powered By

43 Category Intrusions % of Intrusions Priority Type Source Destination Intrusions % of Intrusions (SID=1207) 3 IPS Prevention Alert: WEB-COLDFUSION exampleapp access (SID=1217) 3 IPS Prevention Alert: WEB-COLDFUSION snippets attempt (SID=1219) 3 IPS Prevention Alert: WEB-COLDFUSION parks access (SID=1201) 3 IPS Prevention Alert: WEB-COLDFUSION administrator access (SID=1197) 3 IPS Prevention Alert: WEB-COLDFUSION beaninfo access (SID=1203) % % % % % 7 WEB-FRONTPAGE % Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: WEB-FRONTPAGE /_vti_bin/ access (SID=1260) 3 IPS Prevention Alert: WEB-FRONTPAGE authors.pwd access (SID=1242) 3 IPS Prevention Alert: WEB-FRONTPAGE service.pwd (SID=1250) 3 IPS Prevention Alert: WEB-FRONTPAGE users.pwd access (SID=1255) % % % % 8 ATTACK-RESPONSES % Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: ATTACK-RESPONSES 403 Forbidden (SID=7) % 9 SMTP % Priority Type Source Destination Intrusions % of Intrusions 2 IPS Prevention Alert: SMTP ETRN overflowattempt (SID=741) 2 IPS Prevention Alert: SMTP HELO overflowattempt (SID=740) % % 10 WEB-PHP % Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: WEB-PHP read_body.php access attempt ( SID=1660) 3 IPS Prevention Alert: WEB-PHP admin.php access (SID=1671) % % Total: % 43 Powered By