Scanning attack logs

This help contains the following topics:

Introduction
vSystem support information
Restrictions and guidelines
Manage scanning attack logs
- Import logs
- Export logs

Introduction

Scanning is a preintrusion activity used to prepare for intrusion into a network. The scanning allows the attacker to find a way into the target network and to disguise the attacker's identity.

Attackers use scanning tools to probe a network, find vulnerable hosts, and discover services that are running on the hosts. Attackers can use the information to launch attacks.

The device can detect and prevent the IP sweep (address scanning) and port scanning attacks. For more information about scanning attacks, see the help for attack defense.

To configure the device to output a log when it detects that the connection initiation rate of an IP address reaches or exceeds the threshold, perform the following operations:

Enable logging for scanning attack events when you configure an attack defense policy on the Network > Active Defense > Attack Defense Policies page.
Enable log collection for the Attack defense | Scan attack log service on the System > Log Settings > Storage Space Settings page.

If IP sweep and port scan attacks reach the scanning thresholds at the same time, the device output a log only for the IP sweep attack.

vSystem support information

Support of non-default vSystems for this feature depends on the device model. This feature is available on the Web interface only if it is supported.

Restrictions and guidelines

Only one log operation (import, export, or clear) is allowed at a time.
Only one user can perform a log operation at a time. When you import, export, or clear logs, make sure no one else is performing a log operation.

Manage scanning attack logs

Import logs

Click the Monitor tab.
In the navigation pane, select Security Logs > Scanning Attack Logs.
Click Import.
In the dialog box that opens, click OK.
Select a log file, and enter the password for the log file. The password was set when the file was exported.

Export logs

Click the Monitor tab.
In the navigation pane, select Security Logs > Scanning Attack Logs.
Click on a column header, specify the search criteria to display the logs to be exported, and then click Apply.
Click Export.

On the page that opens, configure the log export settings.

Table-1 Log export configuration items

Item	Description
Set password	Enter a password for encrypting the log files. This password is required when you view or import the exported log files.
Logs per file	Specify the maximum number of logs allowed in a single log file. If the number of logs to be exported is smaller than or equal to the specified number, the device exports the logs to one file. If the number of logs to be exported is greater than the specified number, the device exports the logs to multiple files.

Item

Description

Set password

Enter a password for encrypting the log files. This password is required when you view or import the exported log files.

Logs per file

Specify the maximum number of logs allowed in a single log file.

If the number of logs to be exported is smaller than or equal to the specified number, the device exports the logs to one file.
If the number of logs to be exported is greater than the specified number, the device exports the logs to multiple files.

Click Export to export the log files to your PC.