Reporting. SonicWALL Reporting 1

(1)

SonicWALL Reporting 1

(2)

EXECUTIVE SUMMARY OF REPORTS ______________________________10 FOR JANUARY 15,2007 _______________________________________________10 Authentication Summary___________________________________________10 Status Summary _________________________________________________10 Bandwidth Summary______________________________________________10 ROI Summary ___________________________________________________11 Services Summary _______________________________________________11 VPN Summary ___________________________________________________11 Web Usage Summary _____________________________________________11 Browse Time Summary ____________________________________________11 FTP Summary ___________________________________________________12 Mail Summary ___________________________________________________12 Attack Summary _________________________________________________12 Virus Attack Summary ____________________________________________12 Intrusion Prevention Summary ______________________________________12

(3)

Overview of SonicWALL Reporting

Monitoring critical network events and activities, such as security threats, inappropriate Web usages and bandwidth levels are essential components for any network. SonicWALL’s Reporting Solutions complement SonicWALL's Internet Security offerings by providing detailed and comprehensive reports of network activity. SonicWALL GMS™ and ViewPoint™ make up a family of products built to deliver an advancement in network reporting.

Both GMS and ViewPoint offer dynamic, real-time and historical network summaries that take advantage of SonicWALL’s robust reporting module, thus offering a unique view into any network. With customizable compliance reports that can be delivered in a variety of exportable formats, organizations and service providers can use the power of SonicWALL Reporting to maintain a pulse on network patterns, track thwarted security events and report usage trends. Furthermore, administrators can monitor network access, enhance security and anticipate future bandwidth needs. SonicWALL’s Reporting Solutions:

Display bandwidth use by IP address and service

Identify inappropriate Web use

Provide detailed reports of attacks

Collect and aggregate system and network errors

Show VPN events and problems

Present visitor traffic to a Web site

Provide detailed daily firewall logs to analyze specific events

SonicWALL’s Reporting Solutions offer a simple view into a complex world of digital activity powered by SonicWALL Internet security appliances. This document identifies key SonicWALL summary reports and a complete sample report.

(4)

Categories of Reports

Below is a list of report categories available in SonicWALL’s Reporting environment:

Login Reports o User Login o Admin Login o Failed Login

Status Reports o Status Summary

Bandwidth Reports o Bandwidth Summary o Bandwidth Top Users

ROI Reports

o ROI Summary o ROI Top Users

Service Reports o Services Summary

VPN Reports o VPN Summary o VPN Top Users o VPN By Policy o VPN By Policy Hourly o VPN By Service

Web Usage Reports

o Web Usage Summary o Web Usage Top Sites o Web Usage Top Users o Web Usage By User o Web Usage By Category o Web Usage By Site

Browse Time Reports

o Browse Time Summary o Browse Time Top Users o Browse Time By User

Web Filter Reports

o Web Filter Summary o Web Filter Top Sites o Web Filter Top Users o Web Filter By User, By Site o Web Filter By Category

FTP Reports

o FTP Usage Summary o FTP Usage Top Users

(5)

Mail Reports

o Mail Usage Summary o Mail Usage Top Users

Attacks Reports

o Attacks Summary o Attacks By Category o Attacks Errors

Virus Attacks Reports

o Virus Attacks Summary o Virus Attacks Top Viruses

Spyware Reports o Spyware Summary o Spyware By Category

Intrusions Reports Intrusions Summary Intrusions By Category

(6)

Overview of SonicWALL Summary Reports

Authentication Summary Reports

The Authentication Login reports show user logins, administrator logins and failed login attempts for users and administrators. For example, the user login report shows users that have logged into the SonicWALL appliance (e.g. during a specified day) to bypass content filtering or to access local network resources remotely. The administrator login report shows successful administrator logins during the specified day. This report is useful for identifying misuse and unauthorized management of a SonicWALL appliance.

Status Summary Report

Status reports display the number of hours that one or more SonicWALL appliances were online and functional during the specified time period. From this information, an administrator can find trouble spots within their network. For example, this report could reveal a SonicWALL appliance that is having network connectivity issues caused by either the internal network or by the ISP. For a managed service provider, this report is extremely useful in illustrating the commitment in delivering a Service Level Agreement (SLA) to a managed customer.

Bandwidth Summary Report

Bandwidth reports display the amount of data transferred through one or more selected SonicWALL appliances. Bandwidth reports are an ideal starting point for viewing overall bandwidth usage. Administrators can view bandwidth usage view by the hour, day or over a period of days. Additionally, companies can view the top users of their bandwidth. From this information, the organization can determine network strategies. For instance, if the company needs more bandwidth, they might decide to upgrade network equipment, opt to upgrade the bandwidth for their Internet access or they may simply decide to curtail their bandwidth usage for select employees.

ROI Summary Report

Return on Investment (ROI) reports display the total cost of consumed network bandwidth (measured in Mbytes) transferred through one or more selected SonicWALL appliances. ROI reports are an ideal starting point for viewing the overall cost of consumed network bandwidth usage. Administrators can view ROI usage view by the hour, day or over a period of days. Additionally, they can view the top users who consume the most network bandwidth and the percentage of the total cost attributed to each top user.

(7)

SonicWALL Reporting 7 Similar to Bandwidth Summary Reports, this information be used to determine

network strategies, which include increased bandwidth, upgrade in equipment, WAN optimization technology, or limit network bandwidth access through the use of throttling tools.

Services Summary Report

Service reports provide information on the amount of data transmitted through selected SonicWALL appliance by each service. Service reports are useful for revealing inappropriate usage of bandwidth and can help determine network policies. For example, if there is a large spike of bandwidth usage, a network administrator can determine whether this is caused by regular Web access, someone using FTP to transfer large files, an attempted Denial of Service (DoS) attack, or a variety of other services.

VPN Usage Summary Report

VPN Usage reports provide information on the amount of VPN usage that occurs through the selected SonicWALL appliance(s). VPN Usage reports can be used to view VPN usage by the hour, day, or over a period of days. Additionally, administrators can view the top users of their VPN tunnels. General bandwidth reports do not always provide a comprehensive view of the network bandwidth consumption. If a large amount of VPN traffic occurs, a company may need to increase their Internet connection, add WAN optimization equipment, or reconfigure the VPN network for site-to-site tunnels to efficiently route traffic.

Web Usage Summary Report

The Web Usage Summary report contains information on the amount of HTTP bandwidth handled by a SonicWALL device during each hour of the specified day. Web usage reports can be used to view Web bandwidth usage by the hour, day, or over a period of days. Administrators can monitor the top users of Web bandwidth and most viewed/visited sites for their company. These types of reports help companies gauge the productivity of their employees.

Browse Time Summary Report

Browse Time reports display the amount of time consumed browsing the Internet through one or more selected SonicWALL appliances. Administrators can view Browse Time usage views by the hour, day or over a period of days. Additionally, they can view users who browse the Internet the most and the percentage of the browse time accrued by each top user. From this information, a company can identify targeted network and behavioral strategies. For example, if the company needs to lower costs attributed to consumed network bandwidth, they will have the ability to generate Browse Time reports to identify the total amount of time used to browse to Web site sites that are not related to the employee’s job function.

(8)

Web Filter Summary Report

The Web Filter Summary Report contains information on the number of times users attempted to access blocked sites on a particular day through selected SonicWALL appliance(s). These reports include Web sites blocked by the Content Filter List or service, customized keyword filtering, and domain name filtering services. Web filter reports can be used to view blocked site access attempts by the hour, day or over a period of days. Additionally, administrators can view the users that most frequently attempt to access blocked sites and the most popular blocked sites.

FTP Summary Report

FTP usage reports provide information on the amount of FTP usage that occurs through the selected SonicWALL appliance(s). FTP usage reports can be used to view FTP bandwidth usage by the hour, day, or over a period of days. Additionally, administrators can view the top users of FTP bandwidth.

General bandwidth reports do not always provide a complete picture of network bandwidth usage. If a large amount of FTP traffic occurs during peak times, a company may need more bandwidth, an upgrade in network equipment, a practice to avoid peak network times, or ask employees to use compression tools for large file transfers.

Mail Summary Report

Mail usage reports provide information on the amount of mail usage that occurs through the selected SonicWALL appliance(s). Mail usage reports can be used to view mail bandwidth usage by the hour, day, or even over a period of days. This report allows an administrator to view the top users of mail bandwidth. Mail usage reports include SMTP, POP3, and IMAP traffic. General bandwidth reports do not always provide a complete picture of network bandwidth usage. If a large amount of mail traffic occurs during peak times, a company may want to increase their bandwidth capacity, use Web-mail services more often in a hosted environment, or limit the size of attachments for SMTP email traffic.

Attack Summary Report

Attacks reports show the number of attacks that were directed at or through the selected SonicWALL appliance(s). These include denial of service attacks, intrusions, probes, and all other malicious activity directed at the SonicWALL appliance or computers on the LAN or DMZ. As with any network deployment, SonicWALL recommends taking a multi-layer approach to network security. Through the aid of Attack Summary Reports, network administrators can see evidence of the attacks that have been thwarted using SonicWALL appliances. This will help gauge the effectiveness of the company’s perimeter security device.

(9)

Virus Attack Summary Report

Virus Attacks reports show the number of virus attacks that were directed at or through the selected SonicWALL appliance(s). Similar to the attack summary report, the Virus Attack report illustrates the effectiveness of the SonicWALL appliance to capture virus attacks before they penetrate the company’s network.

Intrusion Prevention Summary Report

The Intrusion Prevention Service (IPS) reports show the number of attempted intrusions that occurred during the specified time period. These reports provide further evidence of SonicWALL’s deep packet inspection signature technology.

(10)

Executive Summary of Reports

For January 15, 2007

This Executive Summary of Reports highlights key findings in various network, usage, services and security reports.

Use this report to help do the following:

Evaluate the effectiveness of and compliance of your Internet usage policy

Document the time and bandwidth impact of Web browsing on your IT

operations

Identify Web-based services that reduce the effectiveness of or circumvent installed security measures

Help understand how your organization is using and consuming its Internet resources

Below is a summary of the key findings in this daily report for ACME, Inc.:

Authentication Summary

Five or more repeated attempts within a 15-minute time period are highlighted in your report. There were ten (10) recorded user logins for this particular report day. Tommy Nguyen made 6 attempts into the network and Art King made 2. The rest of the user logins were single attempts. Further investigation should be made into identifying any misuse and/or unauthorized management of your SonicWALL appliance.

Status Summary

We have recorded that your SonicWALL unit has been up 100% of the time and there have been no service disruptions for this report date. This is in alignment your Service Level Agreement (SLA) set forth with your managed services contract.

Bandwidth Summary

This report shows your company has exchanged 82.917 Mbytes of data between the local network and the Internet for the given report period. The hourly consumption graph shows the times that the network is under the least, average, and maximum load.

(11)

ROI Summary

Your Return on Investment (ROI) report illustrates that 24.596 Mbytes of bandwidth was consumed through your SonicWALL appliance resulting in a net cost of $0.246 (factoring the cost of your monthly Internet charges) for the given report period. Also, between the hours of 01:00 – 02:00 and 13:00 – 14:00 your SonicWALL appliance recorded a surge of Internet traffic. Your top bandwidth user on this particular day was Sanjay Sawney with 46.587% of they day’s total Internet traffic. Further investigation may be required in order to make sure there are no spyware/adware applications on this user’s machine and if this employee is adhering to your company’s Internet usage policy.

Services Summary

Your Services Summary Report shows that 76.632% of your Internet traffic comes from TCP/HTTP traffic for this particular daily report. This amounts to 59.769 Mbytes and 10,952 events.

VPN Summary

VPN usage accounted for 2.914 Mbytes of Internet traffic resulting in 4,247 events. A peak surge of VPN traffic occurred between 21:00 - 22:00, which accounted for 9.292% of the daily VPN traffic. Services running over TCP port 1886 accounted for 33.117% of the overall daily traffic resulting in 0.855 Mbytes and 92 Events. Dolph Smith accounted for 39.405% of the overall VPN traffic. This amount of VPN traffic was normal given the typical Internet traffic on your network.

Web Usage Summary

Web usage accounted for 61.296 Mbytes of traffic resulting in 11,291 events. A peak surge of Web Usage occurred between 07:00 – 08:00, which accounted for 7.178% of Web usage traffic. The most frequently visited Web usage category was “Information Technology/Computers” and accounted for 39.751%. The top visited website was www.hotmail.com and accounted for 45.736% of traffic. The top user of the Web is Sanjay Sawney who accounted for 45.080%. Further investigation may be required to investigate appropriate usage of the company’s internet services.

Browse Time Summary

Browse Time accounted for 00:09:27 of time spent browsing the Internet. A peak surge of browse time occurred between 11:00 – 12:00, which accounted for 5.820% of total Browse Time traffic. The user spending the most time browsing on this day was Sanjay Sawney who accounted for 53.673% of all browse time. Further investigation may be required to investigate appropriate usage of the company’s internet services.

(12)

FTP Summary

FTP usage amounted to 2.790 Mbytes of traffic. A peak surge of FTP services occurred between 14:00 – 15:00, which accounted for 92.542% of the day’s FTP traffic. The top FTP user was Sanjay Sawney who used 68.131% of the total FTP bandwidth. Since the aggregate amount of FTP traffic is small, further investigation is not warranted.

Mail Summary

Mail usage for SMTP, POP3 and IMAP traffic accounted for 0.281 Mbytes of traffic. A peak surge of mail usage occurred between 19:00 – 20:00, which accounted for 18.002% of all mail traffic. The top mail user was Greg Etemad who accounted for 45.151% of all mail traffic. Further investigation may be required to investigate appropriate usage of the company’s mail services.

Attack Summary

The account summary report shows that 157 attacks were attempted on your company’s network on this particular report day. 6.369% of these attacks occurred between the hours of 11:00 – 12:00. 88.535% of attacks were IP Spoof attacks coming from source IP addresses 64.220.173.243 and 7.1.1.10. Your SonicWALL appliance is dynamically updated with new signatures everyday to thwart such attacks. However, further investigation of these attacks may be warranted.

Virus Attack Summary

The Virus Attack report shows that 211 attacks were launched against your company’s network on this particular report day. 65.403% of the attacks occurred between the hours of 14:00 – 15:00. 26.066% of virus attacks were “Nesky.Gen-2(Worm)” attacks coming from source IP address 63.198.213.253. Your SonicWALL appliance is dynamically updated with new signatures everyday to thwart such attacks. However, further investigation of these attacks may be warranted.

Intrusion Prevention Summary

The Intrusion Prevention Service (IPS) report shows 548 IPS attacks were launched against your company’s network on this particular report day. 61.314% of the attacks occurred between the hours of 14:00 – 15:00. 23.443% of the attacks were coming from an internal rogue machine with IP address 192.168.169.180. Further investigation is required to identify this machine and uncover the nature of these IPS probes. Your SonicWALL appliance is dynamically updated with new signatures everyday to thwart such attacks. However, further investigation of these attacks may be warranted.

(13)

ACME Company Report

Detailed Daily Report

Report Date for: 01/1

5 /2007

(14)

Summary

Web Usage Summary Report for 2007-1-1

5

The Web Usage Summary report contains information on the amount of HTTP bandwidth handled by your SonicWALL device during each hour of the specified day.

Total Usage: 61.296 MBytes

Max Usage: 4.4 MBytes

Average Usage: 2.554 MBytes

Bandwidth Summary Report for 2007-1-1

5

Bandwidth reports display the amount of data transferred through one or more selected SonicWALL appliances. Bandwidth reports are an ideal starting point for viewing overall bandwidth usage.

Total Utilization: 82.917 MBytes

Max Utilization: 5.332 MBytes

Average Utilization: 3.455 MBytes

(15)

Detail

User Logins for

2007-1-15

Time Source 1 14:22:18 Tommy Nguyen 2 14:22:34 Tommy Nguyen 3 14:23:11 Tommy Nguyen 4 14:24:38 Tommy Nguyen 5 14:24:41 Tommy Nguyen 6 14:24:53 Tommy Nguyen 7 14:25:08 Art King 8 14:25:18 Art King 9 14:25:25 Greg Etemad 10 14:25:49 Robert Chowmentowski Total: 15 Powered By

(16)

Firewall Up Status Summary for 2007-1-1

5

Hour Up Time (Mins.) % of Up Time

1 00:00 - 01:00 60 100.000% 2 01:00 - 02:00 60 100.000% 3 02:00 - 03:00 60 100.000% 4 03:00 - 04:00 60 100.000% 5 04:00 - 05:00 60 100.000% 6 05:00 - 06:00 60 100.000% 7 06:00 - 07:00 60 100.000% 8 07:00 - 08:00 60 100.000% 9 08:00 - 09:00 60 100.000% 10 09:00 - 10:00 60 100.000% 11 10:00 - 11:00 60 100.000% 12 11:00 - 12:00 60 100.000% 13 12:00 - 13:00 60 100.000% 14 13:00 - 14:00 60 100.000% 15 14:00 - 15:00 60 100.000% 16 15:00 - 16:00 60 100.000% 17 16:00 - 17:00 60 100.000% 18 17:00 - 18:00 60 100.000% 19 18:00 - 19:00 60 100.000% 20 19:00 - 20:00 60 100.000% 21 20:00 - 21:00 60 100.000% 22 21:00 - 22:00 60 100.000% 23 22:00 - 23:00 60 100.000% 24 23:00 - 24:00 60 100.000% Total: 1440 100.000% 16 Powered By

(17)

Bandwidth Summary for 2007-1-1

5

Hour Events MBytes % of MBytes

1 00:00 - 01:00 1908 2.862 3.452% 2 01:00 - 02:00 1791 2.750 3.316% 3 02:00 - 03:00 1907 3.847 4.639% 4 03:00 - 04:00 2106 3.010 3.630% 5 04:00 - 05:00 2184 3.160 3.812% 6 05:00 - 06:00 2101 3.580 4.317% 7 06:00 - 07:00 2096 3.013 3.634% 8 07:00 - 08:00 2132 5.221 6.296% 9 08:00 - 09:00 2155 5.332 6.430% 10 09:00 - 10:00 2119 3.518 4.242% 11 10:00 - 11:00 2107 3.878 4.677% 12 11:00 - 12:00 2136 4.785 5.770% 13 12:00 - 13:00 2166 3.355 4.046% 14 13:00 - 14:00 2008 4.261 5.139% 15 14:00 - 15:00 1645 4.019 4.847% 16 15:00 - 16:00 1016 1.123 1.355% 17 16:00 - 17:00 1776 2.829 3.411% 18 17:00 - 18:00 1757 3.138 3.784% 19 18:00 - 19:00 1834 3.607 4.350% 20 19:00 - 20:00 1777 2.940 3.546% 21 20:00 - 21:00 1868 3.157 3.808% 22 21:00 - 22:00 1890 2.994 3.611% 23 22:00 - 23:00 1836 3.604 4.346% 24 23:00 - 24:00 1802 2.934 3.539% Total: 46117 82.917 100.000% 17 Powered By

(18)

ROI Summary for 2007-1-1

5

Hour MBytes Cost ($) % of Cost

1 00:00 - 01:00 0.800 0.008 3.252% 2 01:00 - 02:00 3.587 0.036 14.583% 3 02:00 - 03:00 0.295 0.003 1.199% 4 03:00 - 04:00 0.771 0.008 3.136% 5 04:00 - 05:00 0.808 0.008 3.284% 6 05:00 - 06:00 0.802 0.008 3.260% 7 06:00 - 07:00 0.841 0.008 3.418% 8 07:00 - 08:00 0.785 0.008 3.192% 9 08:00 - 09:00 0.872 0.009 3.543% 10 09:00 - 10:00 0.770 0.008 3.132% 11 10:00 - 11:00 0.843 0.008 3.428% 12 11:00 - 12:00 0.824 0.008 3.350% 13 12:00 - 13:00 0.813 0.008 3.305% 14 13:00 - 14:00 3.557 0.036 14.460% 15 14:00 - 15:00 0.800 0.008 3.253% 16 15:00 - 16:00 0.915 0.009 3.720% 17 16:00 - 17:00 0.878 0.009 3.571% 18 17:00 - 18:00 0.858 0.009 3.490% 19 18:00 - 19:00 0.807 0.008 3.279% 20 19:00 - 20:00 0.803 0.008 3.267% 21 20:00 - 21:00 0.772 0.008 3.138% 22 21:00 - 22:00 0.773 0.008 3.144% 23 22:00 - 23:00 0.772 0.008 3.138% 24 23:00 - 24:00 0.850 0.009 3.457% Total: 24.596 0.246 100.000% 18 Powered By

(19)

Top Users of Bandwidth for 2007-1-1

5

Users Connections MBytes % of MBytes

1 Sanjay Sawney 385 11.446 46.587% 2 Kari Shadbolt 16 5.605 22.812% 3 Eric Souza 3407 5.274 21.467% 4 Jacqueline Nellson 4841 2.184 8.888% 5 Chuck Miller 141 0.060 0.246% Total: 8790 24.569 100.000% 19 Powered By

(20)

Top Users of ROI for 2007-1-1

5

Users MBytes Cost ($) % of Cost

1 Sanjay Sawney 11.446 0.114 46.587% 2 Kari Shadbolt 5.605 0.056 22.812% 3 Eric Souza 5.274 0.053 21.467% 4 Jacqueline Nellson 2.184 0.022 8.888% 5 Chuck Miller 0.060 0.001 0.246% Total: 24.569 0.246 100.000% 20 Powered By

(21)

Summary of Services for 2007-1-1

5

Protocol Events (For 24Hrs) MBytes % of MBytes

1 TCP/HTTP 10952 59.769 76.632% 2 UDP/DNS 21002 7.687 9.856% 3 TCP/443 973 6.485 8.315% 4 TCP/HTTPS 339 1.528 1.959% 5 TCP/1886 92 0.885 1.135% 6 TCP/445 67 0.510 0.654% 7 UDP/500 644 0.316 0.406% 8 TCP/NETBIOS-SSN 30 0.295 0.379% 9 TCP/POP3 38 0.278 0.357% 10 UDP/10001 44 0.241 0.309% Total: 34181 77.994 100.000% 21 Powered By

(22)

VPN Usage Summary for 2007-1-1

5

1 00:00 - 01:00 174 0.069 2.362% 2 01:00 - 02:00 161 0.101 3.471% 3 02:00 - 03:00 181 0.072 2.459% 4 03:00 - 04:00 196 0.197 6.745% 5 04:00 - 05:00 195 0.101 3.476% 6 05:00 - 06:00 199 0.135 4.639% 7 06:00 - 07:00 179 0.093 3.181% 8 07:00 - 08:00 195 0.056 1.933% 9 08:00 - 09:00 189 0.102 3.510% 10 09:00 - 10:00 185 0.089 3.068% 11 10:00 - 11:00 184 0.084 2.869% 12 11:00 - 12:00 196 0.129 4.415% 13 12:00 - 13:00 180 0.180 6.168% 14 13:00 - 14:00 173 0.098 3.362% 15 14:00 - 15:00 166 0.216 7.400% 16 15:00 - 16:00 113 0.018 0.615% 17 16:00 - 17:00 175 0.203 6.976% 18 17:00 - 18:00 169 0.157 5.378% 19 18:00 - 19:00 162 0.049 1.667% 20 19:00 - 20:00 174 0.109 3.740% 21 20:00 - 21:00 190 0.084 2.899% 22 21:00 - 22:00 180 0.271 9.292% 23 22:00 - 23:00 169 0.185 6.337% 24 23:00 - 24:00 162 0.118 4.034% Total: 4247 2.914 100.000% 22 Powered By

(23)

Summary of Services Over VPN for 2007-1-1

5

Protocol Events MBytes % of MBytes

1 TCP/1886 92 0.885 33.117% 2 TCP/445 67 0.510 19.073% 3 TCP/NETBIOS-SSN 30 0.295 11.049% 4 TCP/33672 1959 0.235 8.794% 5 TCP/1026 117 0.214 8.007% 6 TCP/389 17 0.164 6.147% 7 TCP/1832 39 0.116 4.358% 8 TCP/40708 25 0.099 3.703% 9 UDP/DNS 241 0.090 3.351% 10 UDP/88 25 0.064 2.401% Total: 2612 2.673 100.000% 23 Powered By

(24)

Top Users of VPN for 2007-1-1

5

Users Connections MBytes % of MBytes

1 Dolph Smith 131 1.002 39.405% 2 Paul Tveit 33 0.270 10.622% 3 Tom Drill 1959 0.235 9.247% 4 Shilpa 63 0.235 9.234% 5 Mike Wickizer 90 0.214 8.409% 6 George Hlebak 76 0.155 6.094% 7 Adam Towle 35 0.142 5.575% 8 Prasad Bevra 13 0.101 3.957% 9 Steve Cornell 25 0.099 3.894% 10 Cameron Bigler 108 0.091 3.563% Total: 2533 2.542 100.000% 24 Powered By

(25)

Summary of Services Over VPN for 2007-1-1

5

Protocol Events MBytes % of MBytes

1 TCP/1886 92 0.885 33.117% 2 TCP/445 67 0.510 19.073% 3 TCP/NETBIOS-SSN 30 0.295 11.049% 4 TCP/33672 1959 0.235 8.794% 5 TCP/1026 117 0.214 8.007% 6 TCP/389 17 0.164 6.147% 7 TCP/1832 39 0.116 4.358% 8 TCP/40708 25 0.099 3.703% 9 UDP/DNS 241 0.090 3.351% 10 UDP/88 25 0.064 2.401% Total: 2612 2.673 100.000% 25 Powered By

(26)

Web Usage Summary for 2007-1-1

5

1 00:00 - 01:00 459 2.061 3.363% 2 01:00 - 02:00 427 1.898 3.097% 3 02:00 - 03:00 490 3.051 4.978% 4 03:00 - 04:00 527 1.923 3.137% 5 04:00 - 05:00 510 2.286 3.730% 6 05:00 - 06:00 504 2.469 4.029% 7 06:00 - 07:00 531 2.058 3.358% 8 07:00 - 08:00 530 4.400 7.178% 9 08:00 - 09:00 516 4.267 6.961% 10 09:00 - 10:00 545 2.634 4.298% 11 10:00 - 11:00 555 3.097 5.052% 12 11:00 - 12:00 522 3.814 6.221% 13 12:00 - 13:00 540 2.240 3.655% 14 13:00 - 14:00 520 3.395 5.538% 15 14:00 - 15:00 381 2.959 4.827% 16 15:00 - 16:00 252 0.737 1.203% 17 16:00 - 17:00 381 1.848 3.014% 18 17:00 - 18:00 420 2.266 3.697% 19 18:00 - 19:00 454 2.850 4.649% 20 19:00 - 20:00 430 2.070 3.376% 21 20:00 - 21:00 434 2.421 3.949% 22 21:00 - 22:00 467 1.824 2.976% 23 22:00 - 23:00 486 2.636 4.300% 24 23:00 - 24:00 410 2.092 3.413% Total: 11291 61.296 100.000% 26 Powered By

(27)

Summary of Web Usage by Category for 2007-1-1

5

Category Hits MBytes % of MBytes

1 Information Technology/Computers 258 0.581 39.751%

Site User Hits MBytes % of MBytes

rss.slashdot.org 23 0.222 15.180%

vs.mcafeeasap.com 207 0.221 15.102%

www.channelweb.com 24 0.120 8.231%

download.windowsupdate.com 3 0.017 1.196%

update.microsoft.com 1 0.001 0.041%

2 Business and Economy 23 0.418 28.632%

news.com.com 23 0.418 28.632%

3 Search Engines and Portals 29 0.406 27.822%

sb.google.com 28 0.405 27.726%

www.google.com 1 0.001 0.096%

4 Not Rated 22 0.030 2.043%

sync.foxcloud.com 22 0.030 2.043%

5 News and Media 23 0.026 1.753%

rss.cnn.com 23 0.026 1.753%

Total: 355 1.461 100.000%

(28)

Top Visited Web Sites for

2007-1-15

Site Hits MBytes Category % of MBytes

1 www.hotmail.com 13 5.119 E-Mail 45.736%

2 www.astrology.com 32 1.407 Arts/Entertainment 12.573%

3 www.monster.com 676 1.106 Job Search 9.877%

4 us.a1.yimg.com 10 0.468 Advertisement 4.178%

5 us.f302.mail.yahoo.com 4 0.406 E-Mail 3.627%

6 www.priceline.com 122 0.383 Travel 3.423%

7 www.hotjobs.com 5 0.304 Job Search 2.719%

8 www.1800flowers.com 46 0.301 Shopping 2.690%

9 www.sjsu.edu 4 0.251 Education 2.247% 10 www.mlslistings.com 7 0.243 Real Estate 2.167% 11 www.yahoo.com 57 0.208 Search Engines and P ortals 1.858%

12 mail.gogle.com 7 0.128 Email 1.146%

13 www.msn.com 27 0.127 Search Engines and P ortals 1.138% 14 pictures.studentcenter.org 30 0.126 Web Communications 1.126% 15 www.amazon.com 24 0.114 Shopping 1.017%

16 news.bbc.co.uk 3 0.113 News and Media 1.009%

17 www.metallica.com 45 0.106 Arts/Entertainment 0.946%

18 www.megadeth.com 27 0.103 Arts/Entertainment 0.917%

19 www.sjmercury.com 5 0.094 News and Media 0.840%

20 www.sfchronicle.com 5 0.086 News and Media 0.766%

Total: 1149 11.192 100.000%

(29)

Top Users of Web for

2007-1-15

Users Hits MBytes % of MBytes

1 Sanjay Sawney 23 5.161 45.080% 2 Kari Shadbolt 811 1.519 13.269% 3 Eric Souza 38 1.289 11.261% 4 Jacqueline Nellson 38 0.452 3.945% 5 Chuck Miller 30 0.399 3.488% 6 Rachel Lau 11 0.390 3.404% 7 George Hicks 9 0.390 3.402% 8 Patrick Leaden 48 0.254 2.222% 9 Dan Parsons 23 0.246 2.145% 10 Eric Stafford 29 0.239 2.085% 11 George Mena 77 0.171 1.494% 12 Greg Etemad 20 0.160 1.401% 13 Andy Walker 16 0.114 0.997% 14 Juan Martinez 9 0.107 0.935% 15 Valerie Leader 17 0.103 0.903% 16 Art King 9 0.100 0.875% 17 Tommy Nguyen 5 0.094 0.821% 18 John Aronson 14 0.092 0.807% 19 Wendy Ackerman 13 0.086 0.752% 20 Robert Chowmentowski 29 0.082 0.713% Total: 1269 11.449 100.000% 29 Powered By

(30)

Browse Time Summary for 2007-1-1

5

Hour Browse Time (hh:mm:ss) % of Browse Time

1 00:00 - 01:00 00:00:24 4.233% 2 01:00 - 02:00 00:00:21 3.704% 3 02:00 - 03:00 00:00:21 3.704% 4 03:00 - 04:00 00:00:21 3.704% 5 04:00 - 05:00 00:00:24 4.233% 6 05:00 - 06:00 00:00:24 4.233% 7 06:00 - 07:00 00:00:27 4.762% 8 07:00 - 08:00 00:00:22 3.968% 9 08:00 - 09:00 00:00:22 3.968% 10 09:00 - 10:00 00:00:22 3.968% 11 10:00 - 11:00 00:00:24 4.233% 12 11:00 - 12:00 00:00:33 5.820% 13 12:00 - 13:00 00:00:21 3.704% 14 13:00 - 14:00 00:00:24 4.233% 15 14:00 - 15:00 00:00:21 3.704% 16 15:00 - 16:00 00:00:34 6.085% 17 16:00 - 17:00 00:00:26 4.497% 18 17:00 - 18:00 00:00:22 3.968% 19 18:00 - 19:00 00:00:20 3.439% 20 19:00 - 20:00 00:00:22 3.968% 21 20:00 - 21:00 00:00:26 4.497% 22 21:00 - 22:00 00:00:20 3.439% 23 22:00 - 23:00 00:00:21 3.704% 24 23:00 - 24:00 00:00:24 4.233% Total: 00:09:27 100.000% 30 Powered By

(31)

Browse Time Top Users for

2007-1-15

Users Browse Time (hh:mm:ss) % of Browse Time

1 Sanjay Sawney 00:20:16 53.673% 2 Kari Shadbolt 00:02:39 7.015% 3 Eric Souza 00:01:56 5.096% 4 Jacqueline Nellson 00:01:20 3.508% 5 Chuck Miller 00:01:18 3.441% 6 Rachel Lau 00:01:12 3.177% 7 George Hicks 00:00:57 2.515% 8 Patrick Leaden 00:00:57 2.515% 9 Dan Parsons 00:00:54 2.383% 10 Eric Stafford 00:00:45 1.985% 11 George Mena 00:00:44 1.919% 12 Greg Etemad 00:00:44 1.919% 13 Jessica Eschenbaum 00:00:36 1.588% 14 Juan Martinez 00:00:34 1.522% 15 Andy Walker 00:00:34 1.522% 16 Art King 00:00:34 1.522% 17 Tommy Nguyen 00:00:30 1.324% 18 John Aronson 00:00:27 1.191% 19 Wendy Ackerman 00:00:26 1.125% 20 Robert Chowmentowski 00:00:24 1.059% Total: 00:37:46 100.000% 31 Powered By

(32)

FTP Usage

Summary

for

2007-1-15

1 13:00 - 14:00 468 0.208 7.458%

2 14:00 - 15:00 810 2.582 92.542%

Total: 1278 2.790 100.000%

(33)

Top Users of FTP for 2007-1-1

5

Users Events MBytes % of MBytes

1 Sanjay Sawney S

29 0.003 68.131%

Destination Events MBytes % of MBytes

10.2.1.254 29 0.003 68.131%

2 Kari Shadbolt 26 0.001 31.869%

Destination Events MBytes % of MBytes

216.155.193.158 26 0.001 31.869%

Total: 55 0.004 100.000%

(34)

Mail Usage

Summary

for 2007-1-1

5

1 01:00 - 02:00 4 0.015 5.198% 2 02:00 - 03:00 3 0.018 6.339% 3 03:00 - 04:00 2 0.018 6.289% 4 04:00 - 05:00 3 0.007 2.436% 5 05:00 - 06:00 2 0.013 4.550% 6 06:00 - 07:00 1 0.001 0.324% 7 07:00 - 08:00 5 0.031 10.889% 8 08:00 - 09:00 4 0.007 2.486% 9 09:00 - 10:00 4 0.026 9.101% 10 11:00 - 12:00 1 0.001 0.324% 11 12:00 - 13:00 2 0.014 4.824% 12 13:00 - 14:00 2 0.000 0.100% 13 14:00 - 15:00 3 0.019 6.613% 14 16:00 - 17:00 2 0.014 4.824% 15 17:00 - 18:00 1 0.005 1.788% 16 18:00 - 19:00 2 0.005 1.838% 17 19:00 - 20:00 4 0.051 18.002% 18 20:00 - 21:00 3 0.013 4.600% 19 21:00 - 22:00 2 0.000 0.100% 20 22:00 - 23:00 3 0.014 4.874% 21 23:00 - 24:00 1 0.013 4.500% Total: 54 0.281 100.000% 34 Powered By

(35)

Top Mail Users for

2007-1-15

Users Events MBytes % of MBytes

1 Greg Etemad 190 0.442 45.151% 2 Robert Chowmentowski 50 0.387 39.559% 3 Stephen Pearson 6 0.043 4.417% 4 George Mena 6 0.042 4.296% 5 Wendy Ackerman 4 0.034 3.471% 6 Jessica Eschenbaum 7 0.030 3.107% Total: 263 0.979 100.000% 35 Powered By

(36)

Attack Summary for 2007-1-1

5

Hour Attacks % of Attacks

1 00:00 - 01:00 7 4.459% 2 01:00 - 02:00 7 4.459% 3 02:00 - 03:00 4 2.548% 4 03:00 - 04:00 6 3.822% 5 04:00 - 05:00 9 5.732% 6 05:00 - 06:00 5 3.185% 7 06:00 - 07:00 3 1.911% 8 07:00 - 08:00 9 5.732% 9 08:00 - 09:00 11 7.006% 10 09:00 - 10:00 2 1.274% 11 10:00 - 11:00 8 5.096% 12 11:00 - 12:00 10 6.369% 13 12:00 - 13:00 9 5.732% 14 13:00 - 14:00 6 3.822% 15 14:00 - 15:00 5 3.185% 16 15:00 - 16:00 4 2.548% 17 16:00 - 17:00 5 3.185% 18 17:00 - 18:00 3 1.911% 19 18:00 - 19:00 5 3.185% 20 19:00 - 20:00 9 5.732% 21 20:00 - 21:00 6 3.822% 22 21:00 - 22:00 11 7.006% 23 22:00 - 23:00 8 5.096% 24 23:00 - 24:00 5 3.185% Total: 157 100.000% 36 Powered By

(37)

Summary of Attacks by Category for 2007-1-1

5

Type Attacks % of Attacks

1 IP spoof dropped 139 88.535%

Source Destination Attacks % of Attacks

64.220.173.243 10.208.10.11 108 68.790%

7.1.1.10 10.0.0.32 31 19.745%

2 Smurf Amplification attack dropped 18 11.465%

Source Destination Attacks % of Attacks

192.168.1.114 192.168.1.0 18 11.465%

Total: 157 100.000%

(38)

Virus Attack Summary for

2007-1-15

Hour Attempts % of Attempts

1 13:00 - 14:00 73 34.597%

2 14:00 - 15:00 138 65.403%

Total: 211 100.000%

(39)

Top Viruses by Attack Attempts for

2007-1-15

Virus Attempts % of Attempts

1 Netsky.Gen-2 (Worm) disabled 55 26.066%

Source Destination Attempts % of Attempts

63.198.213.253 192.168.168.15 55 26.066%

2 Password-protected ZIP file disabled 53 25.118%

10.0.15.135 192.168.141.243 53 25.118%

3 Gibe.F (Worm) disabled 53 25.118%

63.198.213.253 192.168.168.15 53 25.118%

4 Mydoom.F (Worm) disabled 50 23.697%

63.198.213.253 192.168.168.15 50 23.697%

Total: 211 100.000%

(40)

Intrusion Summary for

2007-1-15

Hour Intrusions % of Intrusions

1 13:00 - 14:00 212 38.686%

2 14:00 - 15:00 336 61.314%

Total: 548 100.000%

(41)

Top Intrusions for

2007-1-15

Category Intrusions % of Intrusions

1 WEB-IIS 128 23.443%

Priority Type Source Destination Intrusions % of Intrusions 1 IPS Prevention Alert: WEB-IIS

cmd.exe access (SID=1309)

192.168.169.180 172.16.1.11 40 8.448% 3 IPS Prevention Alert: WEB-IIS .htr

access (SID=1297)

192.168.169.180 172.16.1.11 13 2.746% 3 IPS Prevention Alert: WEB-IIS ISAPI

.idqaccess (SID=1281)

192.168.169.180 172.16.1.11 11 2.323% 1 IPS Prevention Alert: WEB-IIS

iisadmpwd attempt (SID=1322)

192.168.169.180 172.16.1.11 9 1.901% 1 IPS Prevention Alert: WEB-IIS +.htr

codefragment attempt (SID=1296)

.idaaccess (SID=1279)

192.168.169.180 172.16.1.11 7 1.478% 3 IPS Prevention Alert: WEB-IIS webhits

access (SID=1341)

.printer access (SID=1277)

htimage.exe access (SID=1353)

/scripts/samples/ access (SID=1346)

192.168.169.180 172.16.1.11 4 0.845%

2 SNMP 127 23.260%

Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: SNMP request

udp (SID=754)

192.168.169.180 172.16.1.11 121 22.161% 3 IPS Prevention Alert: SNMP public

accessudp (SID=748)

192.168.169.180 172.16.1.11 5 0.916% 3 IPS Prevention Alert: SNMP private

access udp (SID=750)

192.168.169.180 172.16.1.11 1 0.183%

3 WEB-CGI 108 19.780%

Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: WEB-CGI

htsearch access (SID=1039)

192.168.169.180 172.16.1.11 5 2.536% 3 IPS Prevention Alert: WEB-CGI 192.168.169.180 172.16.1.11 4 2.029%

(42)

Priority Type Source Destination Intrusions % of Intrusions loadpage.cgi access (SID=1075)

3 IPS Prevention Alert: WEB-CGI man.sh access (SID=939)

192.168.169.180 172.16.1.11 4 2.029% 3 IPS Prevention Alert: WEB-CGI

AnyForm2 access (SID=972)

test-cgi access (SID=909)

textcounter.pl access (SID=912)

ttawebtop.cgi access (SID=1030)

192.168.169.180 172.16.1.11 4 2.029% 3 IPS Prevention Alert: WEB-CGI wrap

access (SID=932)

perl.exe access (SID=1004)

uploader.exe access (SID=913)

192.168.169.180 172.16.1.11 3 1.522%

4 WEB-MISC 58 10.623%

Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: WEB-MISC

DELETE attempt (SID=1567)

192.168.169.180 172.16.1.11 9 2.732% 1 IPS Prevention Alert: WEB-MISC

cross site scripting attempt (SID=1369)

192.168.169.180 172.16.1.11 4 1.214%

3 IPS Prevention Alert: WEB-MISC ?PageServices access (SID=1427)

WEB-INF access (SID=1588)

showcode access (SID=1535)

192.168.169.180 172.16.1.11 3 0.911% 3 IPS Prevention Alert: WEB-MISC http

directory traversal (SID=1529)

logicworks.ini access (SID=1641)

globals.pl access (SID=1637)

TRACE attempt (SID=1621)

viewcode access (SID=1534)

192.168.169.180 172.16.1.11 2 0.607%

5 ICMP 38 6.960%

Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: ICMP PING

speedera(SID=379)

192.168.169.180 172.16.1.11 33 6.044% 3 IPS Prevention Alert: ICMP PING

(SID=293)

192.168.169.180 172.16.1.11 5 0.916%

6 WEB-COLDFUSION 29 5.311%

Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert:

WEB-COLDFUSION expeval access

192.168.169.180 172.16.1.11 12 2.198%

(43)

Priority Type Source Destination Intrusions % of Intrusions (SID=1207)

3 IPS Prevention Alert:

WEB-COLDFUSION exampleapp access (SID=1217)

192.168.169.180 172.16.1.11 10 1.831%

WEB-COLDFUSION snippets attempt (SID=1219)

192.168.169.180 172.16.1.11 4 0.733%

WEB-COLDFUSION parks access (SID=1201)

192.168.169.180 172.16.1.11 1 0.183%

WEB-COLDFUSION administrator access (SID=1197)

192.168.169.180 172.16.1.11 1 0.183%

WEB-COLDFUSION beaninfo access (SID=1203)

192.168.169.180 172.16.1.11 1 0.183%

7 WEB-FRONTPAGE 24 4.396%

WEB-FRONTPAGE /_vti_bin/ access (SID=1260)

192.168.169.180 172.16.1.11 21 3.846%

WEB-FRONTPAGE authors.pwd access (SID=1242)

192.168.169.180 172.16.1.11 1 0.183%

WEB-FRONTPAGE service.pwd (SID=1250)

192.168.169.180 172.16.1.11 1 0.183%

WEB-FRONTPAGE users.pwd access (SID=1255)

192.168.169.180 172.16.1.11 1 0.183%

8 ATTACK-RESPONSES 15 2.747%

ATTACK-RESPONSES 403 Forbidden (SID=7)

172.16.1.11 192.168.169.180 15 2.747%

9 SMTP 10 1.832%

Priority Type Source Destination Intrusions % of Intrusions 2 IPS Prevention Alert: SMTP ETRN

overflowattempt (SID=741)

192.168.169.180 172.16.1.11 8 1.466% 2 IPS Prevention Alert: SMTP HELO

overflowattempt (SID=740)

192.168.169.180 172.16.1.11 2 0.366%

10 WEB-PHP 9 1.648%

Priority Type Source Destination Intrusions % of Intrusions 3 IPS Prevention Alert: WEB-PHP

read_body.php access attempt ( SID=1660)

192.168.169.180 172.16.1.11 5 0.916%

3 IPS Prevention Alert: WEB-PHP admin.php access (SID=1671)

192.168.169.180 172.16.1.11 4 0.732%

Total: 546 100.000%

Reporting. SonicWALL Reporting 1

Table of Contents

Overview of SonicWALL Reporting















Categories of Reports































Overview of SonicWALL Summary Reports

Authentication Summary Reports

Status Summary Report

Bandwidth Summary Report

ROI Summary Report

Services Summary Report

VPN Usage Summary Report

Web Usage Summary Report

Browse Time Summary Report

Web Filter Summary Report

FTP Summary Report

Mail Summary Report

Attack Summary Report

Virus Attack Summary Report

Intrusion Prevention Summary Report

Executive Summary of Reports

For January 15, 2007









Authentication Summary

Status Summary

Bandwidth Summary

ROI Summary

Services Summary

VPN Summary

Web Usage Summary

Browse Time Summary

FTP Summary

Mail Summary

Attack Summary

Virus Attack Summary

Intrusion Prevention Summary

ACME Company Report

Detailed Daily Report

Report Date for: 01/1

5

/2007

Summary

Web Usage Summary Report for 2007-1-1

5

Bandwidth Summary Report for 2007-1-1

5

Detail

User Logins for

2007-1-15

Firewall Up Status Summary for 2007-1-1

5

Bandwidth Summary for 2007-1-1

5

ROI Summary for 2007-1-1

5

Top Users of Bandwidth for 2007-1-1