Using NETGEAR Router Logs


Router log features vary by model. Advanced, business-oriented routers such as the FVS328 have extensive logging features, such as monitoring for specific types of attack, and reporting to a security monitoring program.

Home routers such as the WGR614 and WGT624 have only basic features, such as logging router reboots and reporting when people go to sites that you blocked.

NETGEAR router logs can be used to:

  • Alert you when someone on your LAN has tried to access a blocked WAN address.
  • Alert you when someone on the Internet has tried to access a blocked address in your LAN.
  • Identify port scans, attacks, and administrative logins.
  • Collect statistics on outgoing traffic for administration purposes.
  • Assess whether your keyword block rules are excluding the IP addresses you intend.

NETGEAR routers with the basic features do not report:

  • If keyword blocking is not enabled
  • Access by the router's Trusted User
  • Blocking by time-of-day

Important Log Features

  • On many NETGEAR routers, the main purpose of logging is to collect information about traffic coming into your LAN.
  • On models where the stored log is limited to 128 entries, to get a complete record of activity, you must use the feature that sends you the log by email when the log is full. If that feature is not available, then to get a complete record, you must turn on the feature to give you an email alert as soon as there is access to a blocked site.
  • If you use logging with firewall rules, and many entries are logged, it can reduce the router's regular traffic throughput.
  • Routers can send up to 120 email notifications an hour. Half that many already causes performance degradation.
  • In a rule, the domain name can be blocked, but not subdivisions. For example, www.netgear.com is fine, but www.netgear.com/products/ will not work.
  • In some NETGEAR routers, certain logging is always turned on (NTP for example).

Example 1 of Log Entries Indicating an Attack

If you see multiple entries in the logs indicating suspicious data being dropped, then suspect an attack. In most cases the same ports or source IP addresses are indicated in each log entry.

Example 2 of Log Entries Indicating an Attack

NETGEAR *Security Alert* [15:c9:11]
TCP Packet - Source:84.92.8.225,1261 Destination:84.92.37.165,3127 - [DOS]

A single such message (ending with DOS, for Denial of Service) may just be a random packet; however, several such messages indicate a probable attack.
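
The check described above, as an added example (not NETGEAR code): it parses packet lines in the format shown in Example 2 and reports source IP addresses and destination ports that recur across [DOS] entries. The threshold of 3, the function names and the sample log are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the packet line shown in Example 2; other layouts are skipped.
ENTRY = re.compile(
    r"(?P<proto>\w+) Packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) - \[(?P<tag>[^\]]+)\]"
)

def parse(log_text):
    """Return (entries, skipped): one dict per packet line, plus a count of
    non-blank lines that were neither a packet line nor an alert header."""
    entries, skipped = [], 0
    for line in log_text.splitlines():
        m = ENTRY.search(line)
        if m:
            entries.append(m.groupdict())
        elif line.strip() and "*Security Alert*" not in line:
            skipped += 1
    return entries, skipped

def repeated_dos(entries, threshold=3):
    """Source IPs and destination ports seen in >= threshold [DOS] entries.
    The threshold is an assumed value; the article only says 'several'."""
    dos = [e for e in entries if e["tag"] == "DOS"]
    by_src = Counter(e["src"] for e in dos)
    by_port = Counter(int(e["dport"]) for e in dos)
    keep = lambda c: {k: n for k, n in c.items() if n >= threshold}
    return {"sources": keep(by_src), "ports": keep(by_port)}

# Constructed sample log (documentation address ranges, not real traffic).
SAMPLE = """\
NETGEAR *Security Alert* [15:c9:11]
TCP Packet - Source:203.0.113.7,1261 Destination:198.51.100.20,3127 - [DOS]
NETGEAR *Security Alert* [15:c9:11]
TCP Packet - Source:203.0.113.7,1262 Destination:198.51.100.20,3127 - [DOS]
NETGEAR *Security Alert* [15:c9:11]
TCP Packet - Source:203.0.113.7,1263 Destination:198.51.100.20,3127 - [DOS]
NETGEAR *Security Alert* [15:c9:11]
TCP Packet - Source:192.0.2.99,4000 Destination:198.51.100.20,80 - [DOS]
Router rebooted
"""

if __name__ == "__main__":
    entries, skipped = parse(SAMPLE)
    print(repeated_dos(entries), "unparsed lines:", skipped)
```

A nonzero count of unparsed lines means the log contains entry layouts this pattern does not cover, so the result should not be read as a complete picture of the log.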

 

If you think there is an attack, then uncheck Respond to Ping on Internet WAN Port, if it's available for your router — consult your manual.

Many attacks on networks do not succeed. If there is a successful attack, your next steps are probably to disconnect your network from the Internet, and to contact your ISP.


Doc: n101413.asp Oct. 22, 2004

 
   

