
Issue

Solution

You may encounter the following event names in the ESET Firewall log.

Access Firewall log Help:

For more information about the ESET Firewall log, press F1 on your keyboard to access Help; from the Contents tab, expand Working with ESET Smart Security Premium → Network protection → Logging. Or click here to visit the Logging topic.

Click here for instructions to find and submit log files to ESET Technical Support for analysis.

Rule definition file not loaded – EPFW module is not properly loaded.

No usable rule found – Incoming connections in automatic mode don’t match any rule, therefore they are denied by default.

Incorrect Ethernet packet – A packet that is too short was received. The packet is too short to contain a valid Ethernet or IP/IPv6 header.

Incorrect IP packet length – Packet is shorter than indicated in its IPv4/IPv6 header, or the packet is ICMP and it is too short to contain ICMP header.

Incorrect IP packet checksum – Wrong checksum in IPv4 header. Checksum validation must be enabled in advanced options (separate for in and out).

Incorrect TCP packet length – TCP Packet is too short to contain TCP packet header.

Incorrect TCP packet checksum – Wrong checksum in TCP header. Checksum validation must be enabled in advanced options (separate for in and out).

Incorrect UDP packet length – UDP packet is too short to contain UDP header.

Suspicious IP packet fragment – Suspicious fragmentation according to RFC1858.


Unknown IP packet version – Wrong IP version indicated in IPv4 packet.

Incorrect UDP packet checksum – Wrong checksum in UDP header. Checksum validation must be enabled in advanced options (separate for in and out).
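The length and checksum events above are raised by simple header sanity checks. The following is an added example, not ESET's code, showing how such checks work: it parses an Ethernet/IPv4 frame, applies the same tests the entries describe (frame too short for an Ethernet/IP header, wrong IP version nibble, IP total length longer than the bytes actually received, wrong IPv4 header checksum, TCP/UDP payload shorter than its own header) and returns the matching event name. The `verify_checksum` flag stands in for the "checksum validation" advanced option; the frames are constructed in the block, not captured traffic, and IPv6 is not handled.

```python
import struct

# Event names as they appear in the ESET Firewall log (taken from the page).
OK = "ok"
BAD_ETH = "Incorrect Ethernet packet"
BAD_IP_VER = "Unknown IP packet version"
BAD_IP_LEN = "Incorrect IP packet length"
BAD_IP_CSUM = "Incorrect IP packet checksum"
BAD_TCP_LEN = "Incorrect TCP packet length"
BAD_UDP_LEN = "Incorrect UDP packet length"

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words. Over a header whose checksum
    field is zero it yields the value to store; over a header that already
    carries a correct checksum it yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def classify_frame(frame: bytes, verify_checksum: bool = True) -> str:
    """Return the log event name a sanity check would raise for this frame,
    or OK. verify_checksum mirrors the 'checksum validation' advanced option."""
    if len(frame) < ETH_HDR_LEN:
        return BAD_ETH
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return OK                      # only IPv4 is checked in this example
    ip = frame[ETH_HDR_LEN:]
    if len(ip) < 20:
        return BAD_ETH                 # too short to hold an IP header at all
    if ip[0] >> 4 != 4:
        return BAD_IP_VER              # EtherType says IPv4, version nibble disagrees
    ihl = (ip[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", ip[2:4])
    if ihl < 20 or len(ip) < ihl or len(ip) < total_len:
        return BAD_IP_LEN              # shorter than its own header claims
    if verify_checksum and ones_complement_sum(ip[:ihl]) != 0:
        return BAD_IP_CSUM
    proto = ip[9]
    payload = ip[ihl:total_len]
    if proto == PROTO_TCP:
        # minimum 20 bytes, and at least as many as the data-offset field claims
        if len(payload) < 20 or len(payload) < (payload[12] >> 4) * 4:
            return BAD_TCP_LEN
    elif proto == PROTO_UDP and len(payload) < 8:
        return BAD_UDP_LEN
    return OK


def build_ipv4_frame(proto: int, payload: bytes, corrupt_checksum: bool = False) -> bytes:
    """Construct a minimal Ethernet+IPv4 frame (constructed test input, not captured traffic)."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s",
                                0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                                bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])))
    csum = ones_complement_sum(bytes(hdr))
    if corrupt_checksum:
        csum ^= 0x0001                 # flip one bit so validation must fail
    struct.pack_into("!H", hdr, 10, csum)
    eth = bytes(12) + struct.pack("!H", ETHERTYPE_IPV4)   # zero MACs, IPv4 EtherType
    return eth + bytes(hdr) + payload


# Minimal TCP header: data offset 5 (20 bytes), no options.
TCP_HDR = bytes(12) + b"\x50" + bytes(7)

if __name__ == "__main__":
    cases = {
        "runt frame": bytes(10),
        "good tcp": build_ipv4_frame(PROTO_TCP, TCP_HDR),
        "short tcp": build_ipv4_frame(PROTO_TCP, bytes(10)),
        "short udp": build_ipv4_frame(PROTO_UDP, bytes(4)),
        "bad checksum": build_ipv4_frame(PROTO_TCP, TCP_HDR, corrupt_checksum=True),
        "truncated": build_ipv4_frame(PROTO_TCP, TCP_HDR)[:-5],
    }
    for name, frame in cases.items():
        print(f"{name:13s} -> {classify_frame(frame)}")
```

Note that with `verify_checksum=False` the corrupted frame passes, which is exactly why the page points out that checksum validation has to be enabled separately for inbound and outbound traffic before the checksum events can appear.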

No application listening on the port – Connection attempt to a port where no application listens. Whether the connection would have been allowed or denied had an application been listening does not matter.

Communication denied by rule – Rule with LOG action was matched, or “Log all blocked” is selected in Troubleshooting section.

Communication allowed by rule – Rule with LOG action was matched.

Decision on allowing communication delegated to user – Rule with LOG action was matched.

Detected attack against security hole – Malicious data is being transferred in an application protocol (such as DCE/RPC, SMB).

Attempt to attack this computer by worm – Malicious data are being transferred in an application protocol (such as DCE/RPC, SMB).

Attempt to send worm from this computer – Malicious data are being transferred in an application protocol (such as DCE/RPC, SMB).

Detected Port Scanning attack – Someone is trying to connect to many different ports on your computer within a short period of time.

Detected ARP cache poisoning attack – Someone is trying to update your ARP cache with a different MAC address than is already cached.

Detected DNS cache poisoning attack – Received a DNS reply that was not requested (usually contains different domain addresses).

Detected ICMP Flooding attack – Received many ICMP packets from one particular IP within a short time.

Detected TCP Flooding attack – Received many TCP SYN packets (connection requests) from one particular IP within a short time.
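The port-scanning, ICMP-flooding and TCP-flooding events are all rate-based: many events from one source IP within a short period. The block below is an added example (not ESET's detection logic) of a sliding-window detector that raises those three event names over a stream of connection records. The window length and thresholds are assumptions chosen for the demonstration, and the records fed to `run_sample()` are constructed, using documentation IP ranges, rather than real log data.

```python
from collections import defaultdict, deque

# Event names taken from the page; window and thresholds are assumptions for this example.
PORT_SCAN = "Detected Port Scanning attack"
TCP_FLOOD = "Detected TCP Flooding attack"
ICMP_FLOOD = "Detected ICMP Flooding attack"


class RateDetector:
    def __init__(self, window=5.0, port_threshold=15, syn_threshold=40, icmp_threshold=30):
        self.window = window                    # seconds of history kept per source
        self.port_threshold = port_threshold    # distinct destination ports -> port scan
        self.syn_threshold = syn_threshold      # SYNs (connection requests) -> TCP flood
        self.icmp_threshold = icmp_threshold    # ICMP packets -> ICMP flood
        self.syn_times = defaultdict(deque)     # src -> deque of (ts,)
        self.port_hits = defaultdict(deque)     # src -> deque of (ts, dport)
        self.icmp_times = defaultdict(deque)    # src -> deque of (ts,)
        self.fired = set()                      # (src, event) already reported

    def _prune(self, dq, now):
        """Drop entries older than the window; entries are appended in time order."""
        cutoff = now - self.window
        while dq and dq[0][0] < cutoff:
            dq.popleft()

    def _fire(self, src, event, events):
        if (src, event) not in self.fired:      # report each (source, event) once
            self.fired.add((src, event))
            events.append((src, event))

    def observe(self, ts, src, proto, dport=None, syn=False):
        """Feed one record; return the list of (src, event) raised by it."""
        events = []
        if proto == "tcp" and syn:
            st = self.syn_times[src]
            st.append((ts,))
            self._prune(st, ts)
            if len(st) >= self.syn_threshold:
                self._fire(src, TCP_FLOOD, events)
            ph = self.port_hits[src]
            ph.append((ts, dport))
            self._prune(ph, ts)
            if len({p for _, p in ph}) >= self.port_threshold:
                self._fire(src, PORT_SCAN, events)
        elif proto == "icmp":
            it = self.icmp_times[src]
            it.append((ts,))
            self._prune(it, ts)
            if len(it) >= self.icmp_threshold:
                self._fire(src, ICMP_FLOOD, events)
        return events


def run_sample():
    """Constructed traffic: one scanner, one SYN flooder, one ICMP flooder, one benign host."""
    records = []
    records += [(0.1 * i, "198.51.100.7", "tcp", 1000 + i, True) for i in range(20)]   # 20 ports in 2 s
    records += [(10 + 0.02 * i, "203.0.113.9", "tcp", 443, True) for i in range(50)]  # 50 SYNs in 1 s
    records += [(20 + 0.03 * i, "192.0.2.5", "icmp", None, False) for i in range(35)]  # 35 pings in 1 s
    records += [(30 + 6 * i, "192.0.2.44", "tcp", 80, True) for i in range(5)]         # 5 SYNs over 30 s
    det = RateDetector()
    alerts = []
    for rec in sorted(records, key=lambda r: r[0]):
        alerts += det.observe(*rec)
    return alerts


if __name__ == "__main__":
    for src, event in run_sample():
        print(f"{src:15s} {event}")
```

The benign host never trips a threshold because its five requests are spread across a window longer than five seconds, and the SYN flooder never trips the port-scan rule because every request targets the same port; the two counters are kept separately for exactly that reason.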


Identical IP addresses detected in network – Received two ARP replies for one particular IP with different MAC addresses (a standardized network address assigned to network interfaces for communications on the physical network) within a short period of time.

TCP packet not belonging to any open connection – TCP packet does not belong to any existing flow.

Detected covert channel exploit in ICMP packet – Unexpected data found in ICMP echo messages. User might have an application that implements PING or might be running Linux as a virtual computer. Allowing communication for bridged connections can help to avoid false positives from virtual computers.

Detected unexpected data in protocol – Improperly formatted ARP, DNS or ICMP echo packets, or a zero port in TCP/UDP.

Address temporarily blocked by active defense (IDS) – IP address was previously blocked by Active defense. Blocking unsafe addresses after detection should be enabled.

Packet blocked by active defense (IDS) – Packet was blocked by IDS without a specific reason. You should not see this log entry.
