SonicWALL Reporting




Table of Contents

OVERVIEW OF SONICWALL REPORTING
CATEGORIES OF REPORTS
OVERVIEW OF SONICWALL SUMMARY REPORTS
  AUTHENTICATION SUMMARY REPORTS
  STATUS SUMMARY REPORT
  BANDWIDTH SUMMARY REPORT
  ROI SUMMARY REPORT
  SERVICES SUMMARY REPORT
  VPN USAGE SUMMARY REPORT
  WEB USAGE SUMMARY REPORT
  BROWSE TIME SUMMARY REPORT
  WEB FILTER SUMMARY REPORT
  FTP SUMMARY REPORT
  MAIL SUMMARY REPORT
  ATTACK SUMMARY REPORT
  VIRUS ATTACK SUMMARY REPORT
  INTRUSION PREVENTION SUMMARY REPORT
EXECUTIVE SUMMARY OF REPORTS FOR JANUARY 15, 2007
  Authentication Summary
  Status Summary
  Bandwidth Summary
  ROI Summary
  Services Summary
  VPN Summary
  Web Usage Summary
  Browse Time Summary
  FTP Summary
  Mail Summary
  Attack Summary
  Virus Attack Summary
  Intrusion Prevention Summary
SAMPLE SONICWALL REPORT

Overview of SonicWALL Reporting

Monitoring critical network events and activities, such as security threats, inappropriate Web usage and bandwidth levels, is an essential component of any network. SonicWALL's Reporting Solutions complement SonicWALL's Internet Security offerings by providing detailed and comprehensive reports of network activity.

SonicWALL GMS and ViewPoint make up a family of products built to deliver an advancement in network reporting. Both GMS and ViewPoint offer dynamic, real-time and historical network summaries that take advantage of SonicWALL's robust reporting module, thus offering a unique view into any network.

With customizable compliance reports that can be delivered in a variety of exportable formats, organizations and service providers can use the power of SonicWALL Reporting to maintain a pulse on network patterns, track thwarted security events and report usage trends. Furthermore, administrators can monitor network access, enhance security and anticipate future bandwidth needs.

SonicWALL's Reporting Solutions:

- Display bandwidth use by IP address and service
- Identify inappropriate Web use
- Provide detailed reports of attacks
- Collect and aggregate system and network errors
- Show VPN events and problems
- Present visitor traffic to a Web site
- Provide detailed daily firewall logs to analyze specific events

SonicWALL's Reporting Solutions offer a simple view into a complex world of digital activity powered by SonicWALL Internet security appliances. This document identifies key SonicWALL summary reports and a complete sample report. Now take a Deeper Look into what SonicWALL Reporting has to offer.

Categories of Reports

Below is a list of report categories available in SonicWALL's Reporting environment:

- Login Reports
  o User Login
  o Admin Login
  o Failed Login
- Status Reports
  o Status Summary
- Bandwidth Reports
  o Bandwidth Summary
  o Bandwidth Top Users
- ROI Reports
  o ROI Summary
  o ROI Top Users
- Service Reports
  o Services Summary
- VPN Reports
  o VPN Summary
  o VPN Top Users
  o VPN By Policy
  o VPN By Policy Hourly
  o VPN By Service
- Web Usage Reports
  o Web Usage Summary
  o Web Usage Top Sites
  o Web Usage Top Users
  o Web Usage By User
  o Web Usage By Category
  o Web Usage By Site
- Browse Time Reports
  o Browse Time Summary
  o Browse Time Top Users
  o Browse Time By User
- Web Filter Reports
  o Web Filter Summary
  o Web Filter Top Sites
  o Web Filter Top Users
  o Web Filter By User, By Site
  o Web Filter By Category
- FTP Reports
  o FTP Usage Summary
  o FTP Usage Top Users
- Mail Reports
  o Mail Usage Summary
  o Mail Usage Top Users
- Attacks Reports
  o Attacks Summary
  o Attacks By Category
  o Attacks Errors
- Virus Attacks Reports
  o Virus Attacks Summary
  o Virus Attacks Top Viruses
- Spyware Reports
  o Spyware Summary
  o Spyware By Category
- Intrusions Reports
  o Intrusions Summary
  o Intrusions By Category

Overview of SonicWALL Summary Reports

Authentication Summary Reports

The Authentication Login reports show user logins, administrator logins and failed login attempts for users and administrators. For example, the user login report shows users that have logged into the SonicWALL appliance (e.g. during a specified day) to bypass content filtering or to access local network resources remotely. The administrator login report shows successful administrator logins during the specified day. This report is useful for identifying misuse and unauthorized management of a SonicWALL appliance.

Status Summary Report

Status reports display the number of hours that one or more SonicWALL appliances were online and functional during the specified time period. From this information, an administrator can find trouble spots within their network. For example, this report could reveal a SonicWALL appliance that is having network connectivity issues caused by either the internal network or by the ISP. For a managed service provider, this report is extremely useful in illustrating the commitment to delivering a Service Level Agreement (SLA) to a managed customer.

Bandwidth Summary Report

Bandwidth reports display the amount of data transferred through one or more selected SonicWALL appliances. Bandwidth reports are an ideal starting point for viewing overall bandwidth usage. Administrators can view bandwidth usage by the hour, day or over a period of days. Additionally, companies can view the top users of their bandwidth. From this information, the organization can determine network strategies. For instance, if the company needs more bandwidth, they might decide to upgrade network equipment, opt to upgrade the bandwidth for their Internet access or they may simply decide to curtail bandwidth usage for select employees.

ROI Summary Report

Return on Investment (ROI) reports display the total cost of consumed network bandwidth (measured in Mbytes) transferred through one or more selected SonicWALL appliances. ROI reports are an ideal starting point for viewing the overall cost of consumed network bandwidth usage. Administrators can view ROI usage by the hour, day or over a period of days. Additionally, they can view the top users who consume the most network bandwidth and the percentage of the total cost attributed to each top user.

Similar to Bandwidth Summary Reports, this information can be used to determine network strategies, which include increased bandwidth, upgraded equipment, WAN optimization technology, or limiting network bandwidth access through the use of throttling tools.

Services Summary Report

Service reports provide information on the amount of data transmitted through the selected SonicWALL appliance by each service. Service reports are useful for revealing inappropriate usage of bandwidth and can help determine network policies. For example, if there is a large spike of bandwidth usage, a network administrator can determine whether this is caused by regular Web access, someone using FTP to transfer large files, an attempted Denial of Service (DoS) attack, or a variety of other services.

VPN Usage Summary Report

VPN Usage reports provide information on the amount of VPN usage that occurs through the selected SonicWALL appliance(s). VPN Usage reports can be used to view VPN usage by the hour, day, or over a period of days. Additionally, administrators can view the top users of their VPN tunnels. General bandwidth reports do not always provide a comprehensive view of the network bandwidth consumption. If a large amount of VPN traffic occurs, a company may need to increase their Internet connection, add WAN optimization equipment, or reconfigure the VPN network for site-to-site tunnels to efficiently route traffic.

Web Usage Summary Report

The Web Usage Summary report contains information on the amount of HTTP bandwidth handled by a SonicWALL device during each hour of the specified day. Web usage reports can be used to view Web bandwidth usage by the hour, day, or over a period of days. Administrators can monitor the top users of Web bandwidth and most viewed/visited sites for their company. These types of reports help companies gauge the productivity of their employees.

Browse Time Summary Report

Browse Time reports display the amount of time consumed browsing the Internet through one or more selected SonicWALL appliances. Administrators can view Browse Time usage by the hour, day or over a period of days. Additionally, they can view users who browse the Internet the most and the percentage of the browse time accrued by each top user. From this information, a company can identify targeted network and behavioral strategies. For example, if the company needs to lower costs attributed to consumed network bandwidth, they will have the ability to generate Browse Time reports to identify the total amount of time used to browse Web sites that are not related to the employee's job function.

Web Filter Summary Report

The Web Filter Summary Report contains information on the number of times users attempted to access blocked sites on a particular day through selected SonicWALL appliance(s). These reports include Web sites blocked by the Content Filter List or service, customized keyword filtering, and domain name filtering services. Web filter reports can be used to view blocked site access attempts by the hour, day or over a period of days. Additionally, administrators can view the users that most frequently attempt to access blocked sites and the most popular blocked sites.

FTP Summary Report

FTP usage reports provide information on the amount of FTP usage that occurs through the selected SonicWALL appliance(s). FTP usage reports can be used to view FTP bandwidth usage by the hour, day, or over a period of days. Additionally, administrators can view the top users of FTP bandwidth. General bandwidth reports do not always provide a complete picture of network bandwidth usage. If a large amount of FTP traffic occurs during peak times, a company may need more bandwidth, an upgrade in network equipment, a practice of avoiding peak network times, or to ask employees to use compression tools for large file transfers.

Mail Summary Report

Mail usage reports provide information on the amount of mail usage that occurs through the selected SonicWALL appliance(s). Mail usage reports can be used to view mail bandwidth usage by the hour, day, or even over a period of days. This report allows an administrator to view the top users of mail bandwidth. Mail usage reports include SMTP, POP3, and IMAP traffic. General bandwidth reports do not always provide a complete picture of network bandwidth usage. If a large amount of mail traffic occurs during peak times, a company may want to increase their bandwidth capacity, use Web-mail services more often in a hosted environment, or limit the size of attachments for SMTP email traffic.

Attack Summary Report

Attacks reports show the number of attacks that were directed at or through the selected SonicWALL appliance(s). These include denial of service attacks, intrusions, probes, and all other malicious activity directed at the SonicWALL appliance or computers on the LAN or DMZ. As with any network deployment, SonicWALL recommends taking a multi-layer approach to network security. Through the aid of Attack Summary Reports, network administrators can see evidence of the attacks that have been thwarted using SonicWALL appliances. This will help gauge the effectiveness of the company's perimeter security device.

Virus Attack Summary Report

Virus Attacks reports show the number of virus attacks that were directed at or through the selected SonicWALL appliance(s). Similar to the attack summary report, the Virus Attack report illustrates the effectiveness of the SonicWALL appliance in capturing virus attacks before they penetrate the company's network.

Intrusion Prevention Summary Report

The Intrusion Prevention Service (IPS) reports show the number of attempted intrusions that occurred during the specified time period. These reports provide further evidence of SonicWALL's deep packet inspection signature technology.

Executive Summary of Reports For January 15, 2007

This Executive Summary of Reports highlights key findings in various network, usage, services and security reports. Use this report to help do the following:

- Evaluate the effectiveness of and compliance with your Internet usage policy
- Document the time and bandwidth impact of Web browsing on your IT operations
- Identify Web-based services that reduce the effectiveness of or circumvent installed security measures
- Help understand how your organization is using and consuming its Internet resources

Below is a summary of the key findings in this daily report for ACME, Inc.:

Authentication Summary

Five or more repeated attempts within a 15-minute time period are highlighted in your report. There were ten (10) recorded user logins for this particular report day. Tommy Nguyen made 6 attempts into the network and Art King made 2. The rest of the user logins were single attempts. Further investigation should be made into identifying any misuse and/or unauthorized management of your SonicWALL appliance.

Status Summary

We have recorded that your SonicWALL unit has been up 100% of the time and there have been no service disruptions for this report date. This is in alignment with your Service Level Agreement (SLA) set forth with your managed services contract.

Bandwidth Summary

This report shows your company has exchanged 82.917 Mbytes of data between the local network and the Internet for the given report period. The hourly consumption graph shows the times that the network is under the least, average, and maximum load.

ROI Summary

Your Return on Investment (ROI) report illustrates that 24.596 Mbytes of bandwidth was consumed through your SonicWALL appliance, resulting in a net cost of $0.246 (factoring the cost of your monthly Internet charges) for the given report period. Also, between the hours of 01:00-02:00 and 13:00-14:00 your SonicWALL appliance recorded a surge of Internet traffic. Your top bandwidth user on this particular day was Sanjay Sawney with 46.587% of the day's total Internet traffic. Further investigation may be required in order to make sure there are no spyware/adware applications on this user's machine and that this employee is adhering to your company's Internet usage policy.

Services Summary

Your Services Summary Report shows that 76.632% of your Internet traffic comes from TCP/HTTP traffic for this particular daily report. This amounts to 59.769 Mbytes and 10,952 events.

VPN Summary

VPN usage accounted for 2.914 Mbytes of Internet traffic resulting in 4,247 events. A peak surge of VPN traffic occurred between 21:00-22:00, which accounted for 9.292% of the daily VPN traffic. Services running over TCP port 1886 accounted for 33.117% of the overall daily traffic resulting in 0.855 Mbytes and 92 events. Dolph Smith accounted for 39.405% of the overall VPN traffic. This amount of VPN traffic was normal given the typical Internet traffic on your network.

Web Usage Summary

Web usage accounted for 61.296 Mbytes of traffic resulting in 11,291 events. A peak surge of Web usage occurred between 07:00-08:00, which accounted for 7.178% of Web usage traffic. The most frequently visited Web usage category was Information Technology/Computers and accounted for 39.751%. The top visited website was www.hotmail.com and accounted for 45.736% of traffic. The top user of the Web is Sanjay Sawney who accounted for 45.080%. Further investigation may be required to investigate appropriate usage of the company's Internet services.

Browse Time Summary

Browse Time accounted for 00:09:27 of time spent browsing the Internet. A peak surge of browse time occurred between 11:00-12:00, which accounted for 5.820% of total Browse Time traffic. The user spending the most time browsing on this day was Sanjay Sawney who accounted for 53.673% of all browse time. Further investigation may be required to investigate appropriate usage of the company's Internet services.

FTP Summary

FTP usage amounted to 2.790 Mbytes of traffic. A peak surge of FTP services occurred between 14:00-15:00, which accounted for 92.542% of the day's FTP traffic. The top FTP user was Sanjay Sawney who used 68.131% of the total FTP bandwidth. Since the aggregate amount of FTP traffic is small, further investigation is not warranted.

Mail Summary

Mail usage for SMTP, POP3 and IMAP traffic accounted for 0.281 Mbytes of traffic. A peak surge of mail usage occurred between 19:00-20:00, which accounted for 18.002% of all mail traffic. The top mail user was Greg Etemad who accounted for 45.151% of all mail traffic. Further investigation may be required to investigate appropriate usage of the company's mail services.

Attack Summary

The attack summary report shows that 157 attacks were attempted on your company's network on this particular report day. 6.369% of these attacks occurred between the hours of 11:00-12:00. 88.535% of attacks were IP Spoof attacks coming from source IP addresses 64.220.173.243 and 7.1.1.10. Your SonicWALL appliance is dynamically updated with new signatures every day to thwart such attacks. However, further investigation of these attacks may be warranted.

Virus Attack Summary

The Virus Attack report shows that 211 attacks were launched against your company's network on this particular report day. 65.403% of the attacks occurred between the hours of 14:00-15:00. 26.066% of virus attacks were Nesky.Gen-2(Worm) attacks coming from source IP address 63.198.213.253. Your SonicWALL appliance is dynamically updated with new signatures every day to thwart such attacks. However, further investigation of these attacks may be warranted.

Intrusion Prevention Summary

The Intrusion Prevention Service (IPS) report shows 548 IPS attacks were launched against your company's network on this particular report day. 61.314% of the attacks occurred between the hours of 14:00-15:00. 23.443% of the attacks were coming from an internal rogue machine with IP address 192.168.169.180. Further investigation is required to identify this machine and uncover the nature of these IPS probes. Your SonicWALL appliance is dynamically updated with new signatures every day to thwart such attacks. However, further investigation of these attacks may be warranted.

ACME Company Report
Detailed Daily Report
Report Date for: 01/15/2007
Created on: Jan 16, 2007 04:59 PM

Summary

Web Usage Summary Report for 2007-1-15

The Web Usage Summary report contains information on the amount of HTTP bandwidth handled by your SonicWALL device during each hour of the specified day.

Total Usage: 61.296 MBytes
Max Usage: 4.4 MBytes
Average Usage: 2.554 MBytes

Bandwidth Summary Report for 2007-1-15

Bandwidth reports display the amount of data transferred through one or more selected SonicWALL appliances. Bandwidth reports are an ideal starting point for viewing overall bandwidth usage.

Total Utilization: 82.917 MBytes
Max Utilization: 5.332 MBytes
Average Utilization: 3.455 MBytes

Detail

User Logins for 2007-1-15

| # | Time | Source |
|---|------|--------|
| 1 | 14:22:18 | Tommy Nguyen |
| 2 | 14:22:34 | Tommy Nguyen |
| 3 | 14:23:11 | Tommy Nguyen |
| 4 | 14:24:38 | Tommy Nguyen |
| 5 | 14:24:41 | Tommy Nguyen |
| 6 | 14:24:53 | Tommy Nguyen |
| 7 | 14:25:08 | Art King |
| 8 | 14:25:18 | Art King |
| 9 | 14:25:25 | Greg Etemad |
| 10 | 14:25:49 | Robert Chowmentowski |
| Total: | | |
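The Authentication Summary's highlighting rule (five or more repeated attempts within a 15-minute period) applied to the User Logins rows above, as an added example that is not part of the SonicWALL document or product code. Counting attempts per user and treating the 15 minutes as a sliding window are assumptions, as are the function names.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rows copied from the "User Logins for 2007-1-15" table on this page.
REPORT_DATE = "2007-01-15"
LOGIN_ROWS = """\
14:22:18 Tommy Nguyen
14:22:34 Tommy Nguyen
14:23:11 Tommy Nguyen
14:24:38 Tommy Nguyen
14:24:41 Tommy Nguyen
14:24:53 Tommy Nguyen
14:25:08 Art King
14:25:18 Art King
14:25:25 Greg Etemad
14:25:49 Robert Chowmentowski
"""


def parse_rows(text, report_date=REPORT_DATE):
    """Turn 'HH:MM:SS user name' lines into sorted (timestamp, user) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        clock, user = line.split(" ", 1)
        ts = datetime.strptime(f"{report_date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, user.strip()))
    return sorted(events)


def flag_repeated_logins(events, threshold=5, window=timedelta(minutes=15)):
    """Return {user: {'first', 'last', 'peak'}} for users with at least
    `threshold` logins inside any sliding `window`.

    Assumption: two logins exactly `window` apart do not share a window.
    """
    recent = defaultdict(deque)   # per-user timestamps still inside the window
    flagged = {}
    for ts, user in events:
        q = recent[user]
        q.append(ts)
        # Drop attempts that have aged out of the window ending at `ts`.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold:
            hit = flagged.setdefault(user, {"first": q[0], "last": ts, "peak": 0})
            hit["last"] = ts
            hit["peak"] = max(hit["peak"], len(q))
    return flagged


if __name__ == "__main__":
    for user, hit in flag_repeated_logins(parse_rows(LOGIN_ROWS)).items():
        print(f"{user}: {hit['peak']} logins between "
              f"{hit['first']:%H:%M:%S} and {hit['last']:%H:%M:%S}")
```

Lowering `threshold` to 2 would also surface Art King's two logins; the default matches the rule stated in the Executive Summary.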

Firewall Up Status Summary for 2007-1-15

| # | Hour | Up Time (Mins.) | % of Up Time |
|---|------|-----------------|--------------|
| 1 | 00:00-01:00 | 60 | 100.000% |
| 2 | 01:00-02:00 | 60 | 100.000% |
| 3 | 02:00-03:00 | 60 | 100.000% |
| 4 | 03:00-04:00 | 60 | 100.000% |
| 5 | 04:00-05:00 | 60 | 100.000% |
| 6 | 05:00-06:00 | 60 | 100.000% |
| 7 | 06:00-07:00 | 60 | 100.000% |
| 8 | 07:00-08:00 | 60 | 100.000% |
| 9 | 08:00-09:00 | 60 | 100.000% |
| 10 | 09:00-10:00 | 60 | 100.000% |
| 11 | 10:00-11:00 | 60 | 100.000% |
| 12 | 11:00-12:00 | 60 | 100.000% |
| 13 | 12:00-13:00 | 60 | 100.000% |
| 14 | 13:00-14:00 | 60 | 100.000% |
| 15 | 14:00-15:00 | 60 | 100.000% |
| 16 | 15:00-16:00 | 60 | 100.000% |
| 17 | 16:00-17:00 | 60 | 100.000% |
| 18 | 17:00-18:00 | 60 | 100.000% |
| 19 | 18:00-19:00 | 60 | 100.000% |
| 20 | 19:00-20:00 | 60 | 100.000% |
| 21 | 20:00-21:00 | 60 | 100.000% |
| 22 | 21:00-22:00 | 60 | 100.000% |
| 23 | 22:00-23:00 | 60 | 100.000% |
| 24 | 23:00-24:00 | 60 | 100.000% |
| Total: | | 1440 | 100.000% |

Bandwidth Summary for 2007-1-15

| # | Hour | Events | MBytes | % of MBytes |
|---|------|--------|--------|-------------|
| 1 | 00:00-01:00 | 1908 | 2.862 | 3.452% |
| 2 | 01:00-02:00 | 1791 | 2.750 | 3.316% |
| 3 | 02:00-03:00 | 1907 | 3.847 | 4.639% |
| 4 | 03:00-04:00 | 2106 | 3.010 | 3.630% |
| 5 | 04:00-05:00 | 2184 | 3.160 | 3.812% |
| 6 | 05:00-06:00 | 2101 | 3.580 | 4.317% |
| 7 | 06:00-07:00 | 2096 | 3.013 | 3.634% |
| 8 | 07:00-08:00 | 2132 | 5.221 | 6.296% |
| 9 | 08:00-09:00 | 2155 | 5.332 | 6.430% |
| 10 | 09:00-10:00 | 2119 | 3.518 | 4.242% |
| 11 | 10:00-11:00 | 2107 | 3.878 | 4.677% |
| 12 | 11:00-12:00 | 2136 | 4.785 | 5.770% |
| 13 | 12:00-13:00 | 2166 | 3.355 | 4.046% |
| 14 | 13:00-14:00 | 2008 | 4.261 | 5.139% |
| 15 | 14:00-15:00 | 1645 | 4.019 | 4.847% |
| 16 | 15:00-16:00 | 1016 | 1.123 | 1.355% |
| 17 | 16:00-17:00 | 1776 | 2.829 | 3.411% |
| 18 | 17:00-18:00 | 1757 | 3.138 | 3.784% |
| 19 | 18:00-19:00 | 1834 | 3.607 | 4.350% |
| 20 | 19:00-20:00 | 1777 | 2.940 | 3.546% |
| 21 | 20:00-21:00 | 1868 | 3.157 | 3.808% |
| 22 | 21:00-22:00 | 1890 | 2.994 | 3.611% |
| 23 | 22:00-23:00 | 1836 | 3.604 | 4.346% |
| 24 | 23:00-24:00 | 1802 | 2.934 | 3.539% |
| Total: | | 46117 | 82.917 | 100.000% |

ROI Summary for 2007-1-15

| # | Hour | MBytes | Cost ($) | % of Cost |
|---|------|--------|----------|-----------|
| 1 | 00:00-01:00 | 0.800 | 0.008 | 3.252% |
| 2 | 01:00-02:00 | 3.587 | 0.036 | 14.583% |
| 3 | 02:00-03:00 | 0.295 | 0.003 | 1.199% |
| 4 | 03:00-04:00 | 0.771 | 0.008 | 3.136% |
| 5 | 04:00-05:00 | 0.808 | 0.008 | 3.284% |
| 6 | 05:00-06:00 | 0.802 | 0.008 | 3.260% |
| 7 | 06:00-07:00 | 0.841 | 0.008 | 3.418% |
| 8 | 07:00-08:00 | 0.785 | 0.008 | 3.192% |
| 9 | 08:00-09:00 | 0.872 | 0.009 | 3.543% |
| 10 | 09:00-10:00 | 0.770 | 0.008 | 3.132% |
| 11 | 10:00-11:00 | 0.843 | 0.008 | 3.428% |
| 12 | 11:00-12:00 | 0.824 | 0.008 | 3.350% |
| 13 | 12:00-13:00 | 0.813 | 0.008 | 3.305% |
| 14 | 13:00-14:00 | 3.557 | 0.036 | 14.460% |
| 15 | 14:00-15:00 | 0.800 | 0.008 | 3.253% |
| 16 | 15:00-16:00 | 0.915 | 0.009 | 3.720% |
| 17 | 16:00-17:00 | 0.878 | 0.009 | 3.571% |
| 18 | 17:00-18:00 | 0.858 | 0.009 | 3.490% |
| 19 | 18:00-19:00 | 0.807 | 0.008 | 3.279% |
| 20 | 19:00-20:00 | 0.803 | 0.008 | 3.267% |
| 21 | 20:00-21:00 | 0.772 | 0.008 | 3.138% |
| 22 | 21:00-22:00 | 0.773 | 0.008 | 3.144% |
| 23 | 22:00-23:00 | 0.772 | 0.008 | 3.138% |
| 24 | 23:00-24:00 | 0.850 | 0.009 | 3.457% |
| Total: | | 24.596 | 0.246 | 100.000% |

Top Users of Bandwidth for 2007-1-15

| # | Users | Connections | MBytes | % of MBytes |
|---|-------|-------------|--------|-------------|
| 1 | Sanjay Sawney | 385 | 11.446 | 46.587% |
| 2 | Kari Shadbolt | 16 | 5.605 | 22.812% |
| 3 | Eric Souza | 3407 | 5.274 | 21.467% |
| 4 | Jacqueline Nellson | 4841 | 2.184 | 8.888% |
| 5 | Chuck Miller | 141 | 0.060 | 0.246% |
| Total: | | 8790 | 24.569 | 100.000% |

Top Users of ROI for 2007-1-15

| # | Users | MBytes | Cost ($) | % of Cost |
|---|-------|--------|----------|-----------|
| 1 | Sanjay Sawney | 11.446 | 0.114 | 46.587% |
| 2 | Kari Shadbolt | 5.605 | 0.056 | 22.812% |
| 3 | Eric Souza | 5.274 | 0.053 | 21.467% |
| 4 | Jacqueline Nellson | 2.184 | 0.022 | 8.888% |
| 5 | Chuck Miller | 0.060 | 0.001 | 0.246% |
| Total: | | 24.569 | 0.246 | 100.000% |

Summary of Services for 2007-1-15

| # | Protocol | Events (For 24Hrs) | MBytes | % of MBytes |
|---|----------|--------------------|--------|-------------|
| 1 | TCP/HTTP | 10952 | 59.769 | 76.632% |
| 2 | UDP/DNS | 21002 | 7.687 | 9.856% |
| 3 | TCP/443 | 973 | 6.485 | 8.315% |
| 4 | TCP/HTTPS | 339 | 1.528 | 1.959% |
| 5 | TCP/1886 | 92 | 0.885 | 1.135% |
| 6 | TCP/445 | 67 | 0.510 | 0.654% |
| 7 | UDP/500 | 644 | 0.316 | 0.406% |
| 8 | TCP/NETBIOS-SSN | 30 | 0.295 | 0.379% |
| 9 | TCP/POP3 | 38 | 0.278 | 0.357% |
| 10 | UDP/10001 | 44 | 0.241 | 0.309% |
| Total: | | 34181 | 77.994 | 100.000% |

VPN Usage Summary for 2007-1-15

| # | Hour | Events | MBytes | % of MBytes |
|---|------|--------|--------|-------------|
| 1 | 00:00-01:00 | 174 | 0.069 | 2.362% |
| 2 | 01:00-02:00 | 161 | 0.101 | 3.471% |
| 3 | 02:00-03:00 | 181 | 0.072 | 2.459% |
| 4 | 03:00-04:00 | 196 | 0.197 | 6.745% |
| 5 | 04:00-05:00 | 195 | 0.101 | 3.476% |
| 6 | 05:00-06:00 | 199 | 0.135 | 4.639% |
| 7 | 06:00-07:00 | 179 | 0.093 | 3.181% |
| 8 | 07:00-08:00 | 195 | 0.056 | 1.933% |
| 9 | 08:00-09:00 | 189 | 0.102 | 3.510% |
| 10 | 09:00-10:00 | 185 | 0.089 | 3.068% |
| 11 | 10:00-11:00 | 184 | 0.084 | 2.869% |
| 12 | 11:00-12:00 | 196 | 0.129 | 4.415% |
| 13 | 12:00-13:00 | 180 | 0.180 | 6.168% |
| 14 | 13:00-14:00 | 173 | 0.098 | 3.362% |
| 15 | 14:00-15:00 | 166 | 0.216 | 7.400% |
| 16 | 15:00-16:00 | 113 | 0.018 | 0.615% |
| 17 | 16:00-17:00 | 175 | 0.203 | 6.976% |
| 18 | 17:00-18:00 | 169 | 0.157 | 5.378% |
| 19 | 18:00-19:00 | 162 | 0.049 | 1.667% |
| 20 | 19:00-20:00 | 174 | 0.109 | 3.740% |
| 21 | 20:00-21:00 | 190 | 0.084 | 2.899% |
| 22 | 21:00-22:00 | 180 | 0.271 | 9.292% |
| 23 | 22:00-23:00 | 169 | 0.185 | 6.337% |
| 24 | 23:00-24:00 | 162 | 0.118 | 4.034% |
| Total: | | 4247 | 2.914 | 100.000% |

Summary of Services Over VPN for 2007-1-15

| # | Protocol | Events | MBytes | % of MBytes |
|---|----------|--------|--------|-------------|
| 1 | TCP/1886 | 92 | 0.885 | 33.117% |
| 2 | TCP/445 | 67 | 0.510 | 19.073% |
| 3 | TCP/NETBIOS-SSN | 30 | 0.295 | 11.049% |
| 4 | TCP/33672 | 1959 | 0.235 | 8.794% |
| 5 | TCP/1026 | 117 | 0.214 | 8.007% |
| 6 | TCP/389 | 17 | 0.164 | 6.147% |
| 7 | TCP/1832 | 39 | 0.116 | 4.358% |
| 8 | TCP/40708 | 25 | 0.099 | 3.703% |
| 9 | UDP/DNS | 241 | 0.090 | 3.351% |
| 10 | UDP/88 | 25 | 0.064 | 2.401% |
| Total: | | 2612 | 2.673 | 100.000% |

Top Users of VPN for 2007-1-15

| # | Users | Connections | MBytes | % of MBytes |
|---|-------|-------------|--------|-------------|
| 1 | Dolph Smith | 131 | 1.002 | 39.405% |
| 2 | Paul Tveit | 33 | 0.270 | 10.622% |
| 3 | Tom Drill | 1959 | 0.235 | 9.247% |
| 4 | Shilpa | 63 | 0.235 | 9.234% |
| 5 | Mike Wickizer | 90 | 0.214 | 8.409% |
| 6 | George Hlebak | 76 | 0.155 | 6.094% |
| 7 | Adam Towle | 35 | 0.142 | 5.575% |
| 8 | Prasad Bevra | 13 | 0.101 | 3.957% |
| 9 | Steve Cornell | 25 | 0.099 | 3.894% |
| 10 | Cameron Bigler | 108 | 0.091 | 3.563% |
| Total: | | 2533 | 2.542 | 100.000% |


Web Usage Summary for 2007-1-15

| # | Hour | Events | MBytes | % of MBytes |
|---|------|--------|--------|-------------|
| 1 | 00:00-01:00 | 459 | 2.061 | 3.363% |
| 2 | 01:00-02:00 | 427 | 1.898 | 3.097% |
| 3 | 02:00-03:00 | 490 | 3.051 | 4.978% |
| 4 | 03:00-04:00 | 527 | 1.923 | 3.137% |
| 5 | 04:00-05:00 | 510 | 2.286 | 3.730% |
| 6 | 05:00-06:00 | 504 | 2.469 | 4.029% |
| 7 | 06:00-07:00 | 531 | 2.058 | 3.358% |
| 8 | 07:00-08:00 | 530 | 4.400 | 7.178% |
| 9 | 08:00-09:00 | 516 | 4.267 | 6.961% |
| 10 | 09:00-10:00 | 545 | 2.634 | 4.298% |
| 11 | 10:00-11:00 | 555 | 3.097 | 5.052% |
| 12 | 11:00-12:00 | 522 | 3.814 | 6.221% |
| 13 | 12:00-13:00 | 540 | 2.240 | 3.655% |
| 14 | 13:00-14:00 | 520 | 3.395 | 5.538% |
| 15 | 14:00-15:00 | 381 | 2.959 | 4.827% |
| 16 | 15:00-16:00 | 252 | 0.737 | 1.203% |
| 17 | 16:00-17:00 | 381 | 1.848 | 3.014% |
| 18 | 17:00-18:00 | 420 | 2.266 | 3.697% |
| 19 | 18:00-19:00 | 454 | 2.850 | 4.649% |
| 20 | 19:00-20:00 | 430 | 2.070 | 3.376% |
| 21 | 20:00-21:00 | 434 | 2.421 | 3.949% |
| 22 | 21:00-22:00 | 467 | 1.824 | 2.976% |
| 23 | 22:00-23:00 | 486 | 2.636 | 4.300% |
| 24 | 23:00-24:00 | 410 | 2.092 | 3.413% |
| Total: | | 11291 | 61.296 | 100.000% |

Summary of Web Usage by Category for 2007-1-15

| # | Category | Site | User | Hits | MBytes | % of MBytes |
|---|----------|------|------|------|--------|-------------|
| 1 | Information Technology/Computers | | | 258 | 0.581 | 39.751% |
| | | rss.slashdot.org | | 23 | 0.222 | 15.180% |
| | | vs.mcafeeasap.com | | 207 | 0.221 | 15.102% |
| | | www.channelweb.com | | 24 | 0.120 | 8.231% |
| | | download.windowsupdate.com | | 3 | 0.017 | 1.196% |
| | | update.microsoft.com | | 1 | 0.001 | 0.041% |
| 2 | Business and Economy | | | 23 | 0.418 | 28.632% |
| | | news.com.com | | 23 | 0.418 | 28.632% |
| 3 | Search Engines and Portals | | | 29 | 0.406 | 27.822% |
| | | sb.google.com | | 28 | 0.405 | 27.726% |
| | | www.google.com | | 1 | 0.001 | 0.096% |
| 4 | Not Rated | | | 22 | 0.030 | 2.043% |
| | | sync.foxcloud.com | | 22 | 0.030 | 2.043% |
| 5 | News and Media | | | 23 | 0.026 | 1.753% |
| | | rss.cnn.com | | 23 | 0.026 | 1.753% |
| Total: | | | | 355 | 1.461 | 100.000% |

Top Visited Web Sites for 2007-1-15

| # | Site | Hits | MBytes | Category | % of MBytes |
|---|---|---|---|---|---|
| 1 | www.hotmail.com | 13 | 5.119 | E-Mail | 45.736% |
| 2 | www.astrology.com | 32 | 1.407 | Arts/Entertainment | 12.573% |
| 3 | www.monster.com | 676 | 1.106 | Job Search | 9.877% |
| 4 | us.a1.yimg.com | 10 | 0.468 | Advertisement | 4.178% |
| 5 | us.f302.mail.yahoo.com | 4 | 0.406 | E-Mail | 3.627% |
| 6 | www.priceline.com | 122 | 0.383 | Travel | 3.423% |
| 7 | www.hotjobs.com | 5 | 0.304 | Job Search | 2.719% |
| 8 | www.1800flowers.com | 46 | 0.301 | Shopping | 2.690% |
| 9 | www.sjsu.edu | 4 | 0.251 | Education | 2.247% |
| 10 | www.mlslistings.com | 7 | 0.243 | Real Estate | 2.167% |
| 11 | www.yahoo.com | 57 | 0.208 | Search Engines and Portals | 1.858% |
| 12 | mail.gogle.com | 7 | 0.128 | Email | 1.146% |
| 13 | www.msn.com | 27 | 0.127 | Search Engines and Portals | 1.138% |
| 14 | pictures.studentcenter.org | 30 | 0.126 | Web Communications | 1.126% |
| 15 | www.amazon.com | 24 | 0.114 | Shopping | 1.017% |
| 16 | news.bbc.co.uk | 3 | 0.113 | News and Media | 1.009% |
| 17 | www.metallica.com | 45 | 0.106 | Arts/Entertainment | 0.946% |
| 18 | www.megadeth.com | 27 | 0.103 | Arts/Entertainment | 0.917% |
| 19 | www.sjmercury.com | 5 | 0.094 | News and Media | 0.840% |
| 20 | www.sfchronicle.com | 5 | 0.086 | News and Media | 0.766% |
| | Total: | 1149 | 11.192 | | 100.000% |

Top Users of Web for 2007-1-15

| # | Users | Hits | MBytes | % of MBytes |
|---|---|---|---|---|
| 1 | Sanjay Sawney | 23 | 5.161 | 45.080% |
| 2 | Kari Shadbolt | 811 | 1.519 | 13.269% |
| 3 | Eric Souza | 38 | 1.289 | 11.261% |
| 4 | Jacqueline Nellson | 38 | 0.452 | 3.945% |
| 5 | Chuck Miller | 30 | 0.399 | 3.488% |
| 6 | Rachel Lau | 11 | 0.390 | 3.404% |
| 7 | George Hicks | 9 | 0.390 | 3.402% |
| 8 | Patrick Leaden | 48 | 0.254 | 2.222% |
| 9 | Dan Parsons | 23 | 0.246 | 2.145% |
| 10 | Eric Stafford | 29 | 0.239 | 2.085% |
| 11 | George Mena | 77 | 0.171 | 1.494% |
| 12 | Greg Etemad | 20 | 0.160 | 1.401% |
| 13 | Andy Walker | 16 | 0.114 | 0.997% |
| 14 | Juan Martinez | 9 | 0.107 | 0.935% |
| 15 | Valerie Leader | 17 | 0.103 | 0.903% |
| 16 | Art King | 9 | 0.100 | 0.875% |
| 17 | Tommy Nguyen | 5 | 0.094 | 0.821% |
| 18 | John Aronson | 14 | 0.092 | 0.807% |
| 19 | Wendy Ackerman | 13 | 0.086 | 0.752% |
| 20 | Robert Chowmentowski | 29 | 0.082 | 0.713% |
| | Total: | 1269 | 11.449 | 100.000% |

Browse Time Summary for 2007-1-15

| # | Hour | Browse Time (hh:mm:ss) | % of Browse Time |
|---|---|---|---|
| 1 | 00:00-01:00 | 00:00:24 | 4.233% |
| 2 | 01:00-02:00 | 00:00:21 | 3.704% |
| 3 | 02:00-03:00 | 00:00:21 | 3.704% |
| 4 | 03:00-04:00 | 00:00:21 | 3.704% |
| 5 | 04:00-05:00 | 00:00:24 | 4.233% |
| 6 | 05:00-06:00 | 00:00:24 | 4.233% |
| 7 | 06:00-07:00 | 00:00:27 | 4.762% |
| 8 | 07:00-08:00 | 00:00:22 | 3.968% |
| 9 | 08:00-09:00 | 00:00:22 | 3.968% |
| 10 | 09:00-10:00 | 00:00:22 | 3.968% |
| 11 | 10:00-11:00 | 00:00:24 | 4.233% |
| 12 | 11:00-12:00 | 00:00:33 | 5.820% |
| 13 | 12:00-13:00 | 00:00:21 | 3.704% |
| 14 | 13:00-14:00 | 00:00:24 | 4.233% |
| 15 | 14:00-15:00 | 00:00:21 | 3.704% |
| 16 | 15:00-16:00 | 00:00:34 | 6.085% |
| 17 | 16:00-17:00 | 00:00:26 | 4.497% |
| 18 | 17:00-18:00 | 00:00:22 | 3.968% |
| 19 | 18:00-19:00 | 00:00:20 | 3.439% |
| 20 | 19:00-20:00 | 00:00:22 | 3.968% |
| 21 | 20:00-21:00 | 00:00:26 | 4.497% |
| 22 | 21:00-22:00 | 00:00:20 | 3.439% |
| 23 | 22:00-23:00 | 00:00:21 | 3.704% |
| 24 | 23:00-24:00 | 00:00:24 | 4.233% |
| | Total: | 00:09:27 | 100.000% |

Browse Time Top Users for 2007-1-15

| # | Users | Browse Time (hh:mm:ss) | % of Browse Time |
|---|---|---|---|
| 1 | Sanjay Sawney | 00:20:16 | 53.673% |
| 2 | Kari Shadbolt | 00:02:39 | 7.015% |
| 3 | Eric Souza | 00:01:56 | 5.096% |
| 4 | Jacqueline Nellson | 00:01:20 | 3.508% |
| 5 | Chuck Miller | 00:01:18 | 3.441% |
| 6 | Rachel Lau | 00:01:12 | 3.177% |
| 7 | George Hicks | 00:00:57 | 2.515% |
| 8 | Patrick Leaden | 00:00:57 | 2.515% |
| 9 | Dan Parsons | 00:00:54 | 2.383% |
| 10 | Eric Stafford | 00:00:45 | 1.985% |
| 11 | George Mena | 00:00:44 | 1.919% |
| 12 | Greg Etemad | 00:00:44 | 1.919% |
| 13 | Jessica Eschenbaum | 00:00:36 | 1.588% |
| 14 | Juan Martinez | 00:00:34 | 1.522% |
| 15 | Andy Walker | 00:00:34 | 1.522% |
| 16 | Art King | 00:00:34 | 1.522% |
| 17 | Tommy Nguyen | 00:00:30 | 1.324% |
| 18 | John Aronson | 00:00:27 | 1.191% |
| 19 | Wendy Ackerman | 00:00:26 | 1.125% |
| 20 | Robert Chowmentowski | 00:00:24 | 1.059% |
| | Total: | 00:37:46 | 100.000% |

FTP Usage Summary for 2007-1-15

| # | Hour | Events | MBytes | % of MBytes |
|---|---|---|---|---|
| 1 | 13:00-14:00 | 468 | 0.208 | 7.458% |
| 2 | 14:00-15:00 | 810 | 2.582 | 92.542% |
| | Total: | 1278 | 2.790 | 100.000% |

Top Users of FTP for 2007-1-15

| # | Users | Destination | Events | MBytes | % of MBytes |
|---|---|---|---|---|---|
| 1 | Sanjay Sawney | | 29 | 0.003 | 68.131% |
| | | 10.2.1.254 | 29 | 0.003 | 68.131% |
| 2 | Kari Shadbolt | | 26 | 0.001 | 31.869% |
| | | 216.155.193.158 | 26 | 0.001 | 31.869% |
| | Total: | | 55 | 0.004 | 100.000% |

Mail Usage Summary for 2007-1-15

| # | Hour | Events | MBytes | % of MBytes |
|---|---|---|---|---|
| 1 | 01:00-02:00 | 4 | 0.015 | 5.198% |
| 2 | 02:00-03:00 | 3 | 0.018 | 6.339% |
| 3 | 03:00-04:00 | 2 | 0.018 | 6.289% |
| 4 | 04:00-05:00 | 3 | 0.007 | 2.436% |
| 5 | 05:00-06:00 | 2 | 0.013 | 4.550% |
| 6 | 06:00-07:00 | 1 | 0.001 | 0.324% |
| 7 | 07:00-08:00 | 5 | 0.031 | 10.889% |
| 8 | 08:00-09:00 | 4 | 0.007 | 2.486% |
| 9 | 09:00-10:00 | 4 | 0.026 | 9.101% |
| 10 | 11:00-12:00 | 1 | 0.001 | 0.324% |
| 11 | 12:00-13:00 | 2 | 0.014 | 4.824% |
| 12 | 13:00-14:00 | 2 | 0.000 | 0.100% |
| 13 | 14:00-15:00 | 3 | 0.019 | 6.613% |
| 14 | 16:00-17:00 | 2 | 0.014 | 4.824% |
| 15 | 17:00-18:00 | 1 | 0.005 | 1.788% |
| 16 | 18:00-19:00 | 2 | 0.005 | 1.838% |
| 17 | 19:00-20:00 | 4 | 0.051 | 18.002% |
| 18 | 20:00-21:00 | 3 | 0.013 | 4.600% |
| 19 | 21:00-22:00 | 2 | 0.000 | 0.100% |
| 20 | 22:00-23:00 | 3 | 0.014 | 4.874% |
| 21 | 23:00-24:00 | 1 | 0.013 | 4.500% |
| | Total: | 54 | 0.281 | 100.000% |

Top Mail Users for 2007-1-15

| # | Users | Events | MBytes | % of MBytes |
|---|---|---|---|---|
| 1 | Greg Etemad | 190 | 0.442 | 45.151% |
| 2 | Robert Chowmentowski | 50 | 0.387 | 39.559% |
| 3 | Stephen Pearson | 6 | 0.043 | 4.417% |
| 4 | George Mena | 6 | 0.042 | 4.296% |
| 5 | Wendy Ackerman | 4 | 0.034 | 3.471% |
| 6 | Jessica Eschenbaum | 7 | 0.030 | 3.107% |
| | Total: | 263 | 0.979 | 100.000% |

Attack Summary for 2007-1-15

| # | Hour | Attacks | % of Attacks |
|---|---|---|---|
| 1 | 00:00-01:00 | 7 | 4.459% |
| 2 | 01:00-02:00 | 7 | 4.459% |
| 3 | 02:00-03:00 | 4 | 2.548% |
| 4 | 03:00-04:00 | 6 | 3.822% |
| 5 | 04:00-05:00 | 9 | 5.732% |
| 6 | 05:00-06:00 | 5 | 3.185% |
| 7 | 06:00-07:00 | 3 | 1.911% |
| 8 | 07:00-08:00 | 9 | 5.732% |
| 9 | 08:00-09:00 | 11 | 7.006% |
| 10 | 09:00-10:00 | 2 | 1.274% |
| 11 | 10:00-11:00 | 8 | 5.096% |
| 12 | 11:00-12:00 | 10 | 6.369% |
| 13 | 12:00-13:00 | 9 | 5.732% |
| 14 | 13:00-14:00 | 6 | 3.822% |
| 15 | 14:00-15:00 | 5 | 3.185% |
| 16 | 15:00-16:00 | 4 | 2.548% |
| 17 | 16:00-17:00 | 5 | 3.185% |
| 18 | 17:00-18:00 | 3 | 1.911% |
| 19 | 18:00-19:00 | 5 | 3.185% |
| 20 | 19:00-20:00 | 9 | 5.732% |
| 21 | 20:00-21:00 | 6 | 3.822% |
| 22 | 21:00-22:00 | 11 | 7.006% |
| 23 | 22:00-23:00 | 8 | 5.096% |
| 24 | 23:00-24:00 | 5 | 3.185% |
| | Total: | 157 | 100.000% |

Summary of Attacks by Category for 2007-1-15

| # | Type | Source | Destination | Attacks | % of Attacks |
|---|---|---|---|---|---|
| 1 | IP spoof dropped | | | 139 | 88.535% |
| | | 64.220.173.243 | 10.208.10.11 | 108 | 68.790% |
| | | 7.1.1.10 | 10.0.0.32 | 31 | 19.745% |
| 2 | Smurf Amplification attack dropped | | | 18 | 11.465% |
| | | 192.168.1.114 | 192.168.1.0 | 18 | 11.465% |
| | Total: | | | 157 | 100.000% |

Virus Attack Summary for 2007-1-15

| # | Hour | Attempts | % of Attempts |
|---|---|---|---|
| 1 | 13:00-14:00 | 73 | 34.597% |
| 2 | 14:00-15:00 | 138 | 65.403% |
| | Total: | 211 | 100.000% |

Top Viruses by Attack Attempts for 2007-1-15

| # | Virus | Source | Destination | Attempts | % of Attempts |
|---|---|---|---|---|---|
| 1 | Netsky.Gen-2 (Worm) disabled | | | 55 | 26.066% |
| | | 63.198.213.253 | 192.168.168.15 | 55 | 26.066% |
| 2 | Password-protected ZIP file disabled | | | 53 | 25.118% |
| | | 10.0.15.135 | 192.168.141.243 | 53 | 25.118% |
| 3 | Gibe.F (Worm) disabled | | | 53 | 25.118% |
| | | 63.198.213.253 | 192.168.168.15 | 53 | 25.118% |
| 4 | Mydoom.F (Worm) disabled | | | 50 | 23.697% |
| | | 63.198.213.253 | 192.168.168.15 | 50 | 23.697% |
| | Total: | | | 211 | 100.000% |

Intrusion Summary for 2007-1-15

| # | Hour | Intrusions | % of Intrusions |
|---|---|---|---|
| 1 | 13:00-14:00 | 212 | 38.686% |
| 2 | 14:00-15:00 | 336 | 61.314% |
| | Total: | 548 | 100.000% |

Top Intrusions for 2007-1-15

| # | Category | Priority | Type | Source | Destination | Intrusions | % of Intrusions |
|---|---|---|---|---|---|---|---|
| 1 | WEB-IIS | | | | | 128 | 23.443% |
| | | 1 | IPS Prevention Alert: WEB-IIS cmd.exe access (SID=1309) | 192.168.169.180 | 172.16.1.11 | 40 | 8.448% |
| | | 3 | IPS Prevention Alert: WEB-IIS .htr access (SID=1297) | 192.168.169.180 | 172.16.1.11 | 13 | 2.746% |
| | | 3 | IPS Prevention Alert: WEB-IIS ISAPI .idq access (SID=1281) | 192.168.169.180 | 172.16.1.11 | 11 | 2.323% |
| | | 1 | IPS Prevention Alert: WEB-IIS iisadmpwd attempt (SID=1322) | 192.168.169.180 | 172.16.1.11 | 9 | 1.901% |
| | | 1 | IPS Prevention Alert: WEB-IIS +.htr code fragment attempt (SID=1296) | 192.168.169.180 | 172.16.1.11 | 9 | 1.901% |
| | | 3 | IPS Prevention Alert: WEB-IIS ISAPI .ida access (SID=1279) | 192.168.169.180 | 172.16.1.11 | 7 | 1.478% |
| | | 3 | IPS Prevention Alert: WEB-IIS webhits access (SID=1341) | 192.168.169.180 | 172.16.1.11 | 7 | 1.478% |
| | | 3 | IPS Prevention Alert: WEB-IIS ISAPI .printer access (SID=1277) | 192.168.169.180 | 172.16.1.11 | 6 | 1.267% |
| | | 3 | IPS Prevention Alert: WEB-IIS htimage.exe access (SID=1353) | 192.168.169.180 | 172.16.1.11 | 5 | 1.056% |
| | | 1 | IPS Prevention Alert: WEB-IIS /scripts/samples/ access (SID=1346) | 192.168.169.180 | 172.16.1.11 | 4 | 0.845% |
| 2 | SNMP | | | | | 127 | 23.260% |
| | | 3 | IPS Prevention Alert: SNMP request udp (SID=754) | 192.168.169.180 | 172.16.1.11 | 121 | 22.161% |
| | | 3 | IPS Prevention Alert: SNMP public access udp (SID=748) | 192.168.169.180 | 172.16.1.11 | 5 | 0.916% |
| | | 3 | IPS Prevention Alert: SNMP private access udp (SID=750) | 192.168.169.180 | 172.16.1.11 | 1 | 0.183% |
| 3 | WEB-CGI | | | | | 108 | 19.780% |
| | | 3 | IPS Prevention Alert: WEB-CGI htsearch access (SID=1039) | 192.168.169.180 | 172.16.1.11 | 5 | 2.536% |
| | | 3 | IPS Prevention Alert: WEB-CGI loadpage.cgi access (SID=1075) | 192.168.169.180 | 172.16.1.11 | 4 | 2.029% |
| | | 3 | IPS Prevention Alert: WEB-CGI man.sh access (SID=939) | 192.168.169.180 | 172.16.1.11 | 4 | 2.029% |
| | | 3 | IPS Prevention Alert: WEB-CGI AnyForm2 access (SID=972) | 192.168.169.180 | 172.16.1.11 | 4 | 2.029% |
| | | 3 | IPS Prevention Alert: WEB-CGI test-cgi access (SID=909) | 192.168.169.180 | 172.16.1.11 | 4 | 2.029% |
| | | 3 | IPS Prevention Alert: WEB-CGI textcounter.pl access (SID=912) | 192.168.169.180 | 172.16.1.11 | 4 | 2.029% |
| | | 3 | IPS Prevention Alert: WEB-CGI ttawebtop.cgi access (SID=1030) | 192.168.169.180 | 172.16.1.11 | 4 | 2.029% |
| | | 3 | IPS Prevention Alert: WEB-CGI wrap access (SID=932) | 192.168.169.180 | 172.16.1.11 | 4 | 2.029% |
| | | 3 | IPS Prevention Alert: WEB-CGI perl.exe access (SID=1004) | 192.168.169.180 | 172.16.1.11 | 3 | 1.522% |
| | | 3 | IPS Prevention Alert: WEB-CGI uploader.exe access (SID=913) | 192.168.169.180 | 172.16.1.11 | 3 | 1.522% |
| 4 | WEB-MISC | | | | | 58 | 10.623% |
| | | 3 | IPS Prevention Alert: WEB-MISC DELETE attempt (SID=1567) | 192.168.169.180 | 172.16.1.11 | 9 | 2.732% |
| | | 1 | IPS Prevention Alert: WEB-MISC cross site scripting attempt (SID=1369) | 192.168.169.180 | 172.16.1.11 | 4 | 1.214% |
| | | 3 | IPS Prevention Alert: WEB-MISC ?PageServices access (SID=1427) | 192.168.169.180 | 172.16.1.11 | 4 | 1.214% |
| | | 3 | IPS Prevention Alert: WEB-MISC WEB-INF access (SID=1588) | 192.168.169.180 | 172.16.1.11 | 4 | 1.214% |
| | | 1 | IPS Prevention Alert: WEB-MISC showcode access (SID=1535) | 192.168.169.180 | 172.16.1.11 | 3 | 0.911% |
| | | 3 | IPS Prevention Alert: WEB-MISC http directory traversal (SID=1529) | 192.168.169.180 | 172.16.1.11 | 3 | 0.911% |
| | | 3 | IPS Prevention Alert: WEB-MISC logicworks.ini access (SID=1641) | 192.168.169.180 | 172.16.1.11 | 2 | 0.607% |
| | | 3 | IPS Prevention Alert: WEB-MISC globals.pl access (SID=1637) | 192.168.169.180 | 172.16.1.11 | 2 | 0.607% |
| | | 1 | IPS Prevention Alert: WEB-MISC TRACE attempt (SID=1621) | 192.168.169.180 | 172.16.1.11 | 2 | 0.607% |
| | | 1 | IPS Prevention Alert: WEB-MISC viewcode access (SID=1534) | 192.168.169.180 | 172.16.1.11 | 2 | 0.607% |
| 5 | ICMP | | | | | 38 | 6.960% |
| | | 3 | IPS Prevention Alert: ICMP PING speedera (sid=379) | 192.168.169.180 | 172.16.1.11 | 33 | 6.044% |
| | | 3 | IPS Prevention Alert: ICMP PING (SID=293) | 192.168.169.180 | 172.16.1.11 | 5 | 0.916% |
| 6 | WEB-COLDFUSION | | | | | 29 | 5.311% |
| | | 3 | IPS Prevention Alert: WEB-COLDFUSION expeval access (SID=1207) | 192.168.169.180 | 172.16.1.11 | 12 | 2.198% |
| | | 3 | IPS Prevention Alert: WEB-COLDFUSION exampleapp access (SID=1217) | 192.168.169.180 | 172.16.1.11 | 10 | 1.831% |
| | | 3 | IPS Prevention Alert: WEB-COLDFUSION snippets attempt (SID=1219) | 192.168.169.180 | 172.16.1.11 | 4 | 0.733% |
| | | 3 | IPS Prevention Alert: WEB-COLDFUSION parks access (SID=1201) | 192.168.169.180 | 172.16.1.11 | 1 | 0.183% |
| | | 3 | IPS Prevention Alert: WEB-COLDFUSION administrator access (SID=1197) | 192.168.169.180 | 172.16.1.11 | 1 | 0.183% |
| | | 3 | IPS Prevention Alert: WEB-COLDFUSION beaninfo access (SID=1203) | 192.168.169.180 | 172.16.1.11 | 1 | 0.183% |
| 7 | WEB-FRONTPAGE | | | | | 24 | 4.396% |
| | | 3 | IPS Prevention Alert: WEB-FRONTPAGE /_vti_bin/ access (SID=1260) | 192.168.169.180 | 172.16.1.11 | 21 | 3.846% |
| | | 3 | IPS Prevention Alert: WEB-FRONTPAGE authors.pwd access (SID=1242) | 192.168.169.180 | 172.16.1.11 | 1 | 0.183% |
| | | 3 | IPS Prevention Alert: WEB-FRONTPAGE service.pwd (SID=1250) | 192.168.169.180 | 172.16.1.11 | 1 | 0.183% |
| | | 3 | IPS Prevention Alert: WEB-FRONTPAGE users.pwd access (SID=1255) | 192.168.169.180 | 172.16.1.11 | 1 | 0.183% |
| 8 | ATTACK-RESPONSES | | | | | 15 | 2.747% |
| | | 3 | IPS Prevention Alert: ATTACK-RESPONSES 403 Forbidden (SID=7) | 172.16.1.11 | 192.168.169.180 | 15 | 2.747% |
| 9 | SMTP | | | | | 10 | 1.832% |
| | | 2 | IPS Prevention Alert: SMTP ETRN overflow attempt (SID=741) | 192.168.169.180 | 172.16.1.11 | 8 | 1.466% |
| | | 2 | IPS Prevention Alert: SMTP HELO overflow attempt (SID=740) | 192.168.169.180 | 172.16.1.11 | 2 | 0.366% |
| 10 | WEB-PHP | | | | | 9 | 1.648% |
| | | 3 | IPS Prevention Alert: WEB-PHP read_body.php access attempt (SID=1660) | 192.168.169.180 | 172.16.1.11 | 5 | 0.916% |
| | | 3 | IPS Prevention Alert: WEB-PHP admin.php access (SID=1671) | 192.168.169.180 | 172.16.1.11 | 4 | 0.732% |
| | Total: | | | | | 546 | 100.000% |