Netgear DG834G logging...

 
 
Simon B

 
      05-10-2004, 08:17 AM
After coming up with some techniques at work to monitor the progress of the
sasser worm through the internal corporate network (like ACLs on routers,
and monitoring/logging matches to port 5554, etc.), I thought that I would
set up my home DG834G to syslog to a local PC, and see just how much sasser
activity was getting through to my router. Two things:

1 - didn't see ANY (probing) activity on ports 135, 445, 5554 or 9996 (i.e.
those associated with sasser).
2 - but also didn't see much else. Some activity from my ISP, but not even
an event like me logging onto the router for admin purposes was logged....
(which I had seen before, e.g. under V1.03.00 firmware).

Am on V1.04.01 firmware. Got all logging options checked on the relevant
router config page. The web-interface logfile window seems to reflect what's
being (and what's NOT being) logged via syslog....

Anyone else notice a lack of logged events on this device? (Just want to
check before raising a call with Netgear).

Thanks,


 
bikeulike

 
      05-10-2004, 06:54 PM
Simon B wrote:
> After coming up with some techniques at work to monitor the progress
> of the sasser worm through the internal corporate network (like ACLs
> on routers, and monitoring/logging matches to port 5554, etc.), I
> thought that I would set up my home DG834G to syslog to a local PC,
> and see just how much sasser activity was getting through to my
> router. Two things:
>
> 1 - didn't see ANY (probing) activity on ports 135, 445, 5554 or 9996
> (i.e. those associated with sasser).
> 2 - but also didn't see much else. Some activity from my ISP, but not
> even an event like me logging onto the router for admin purposes was
> logged.... (which I had seen before, e.g. under V1.03.00 firmware).
>
> Am on V1.04.01 firmware. Got all logging options checked on the
> relevant router config page. The web-interface logfile window seems
> to reflect what's being (and what's NOT being) logged via syslog....
>
> Anyone else notice a lack of logged events on this device? (Just want
> to check before raising a call with Netgear).
>
> Thanks,


Yes, Mine is the same. Not logging access to the router. I have the same
software version.


 
Colum Mylod

 
      05-11-2004, 10:52 AM
On Mon, 10 May 2004 19:54:52 +0100, "bikeulike"
<(E-Mail Removed)> wrote:

>Simon B wrote:

[...]
>> thought that I would set up my home DG834G to syslog to a local PC,
>> and see just how much sasser activity was getting through to my
>> router. Two things:
>>
>> 1 - didn't see ANY (probing) activity on ports 135, 445, 5554 or 9996
>> (i.e. those associated with sasser).
>> 2 - but also didn't see much else. Some activity from my ISP, but not
>> even an event like me logging onto the router for admin purposes was
>> logged.... (which I had seen before, e.g. under V1.03.00 firmware).

[...]
>> Anyone else notice a lack of logged events on this device? (Just want
>> to check before raising a call with Netgear).


>Yes, Mine is the same. Not logging access to the router. I have the same
>software version.


I set up logging when I got mine, but it didn't mail me anything when
I pinged it from work. Then lo! my Pipex connection died during a
lightning storm, I rebooted it to re-establish the connection and it
began to spam me with port ping reports. Didcha reboot yours? I must
check the firmware version - didn't upgrade it from purchase.

The box did stay connected for > 333 hours until the time of the
(unrelated?) storm. It doesn't reconnect without a prod - reboot or
click [Test] on the settings page. A good little number but not 100%.



Headers spam-proofed. Use cmylod at bigfoot . com
 
Simon B

 
      05-11-2004, 12:21 PM

"Colum Mylod" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> On Mon, 10 May 2004 19:54:52 +0100, "bikeulike"
> <(E-Mail Removed)> wrote:
>
> >Simon B wrote:

> [...]
> >> router. Two things:
> >>
> >> 1 - didn't see ANY (probing) activity on ports 135, 445, 5554 or 9996
> >> (i.e. those associated with sasser).
> >> 2 - but also didn't see much else. Some activity from my ISP, but not
> >> even an event like me logging onto the router for admin purposes was
> >> logged.... (which I had seen before, e.g. under V1.03.00 firmware).

> [...]
> >> Anyone else notice a lack of logged events on this device? (Just want
> >> to check before raising a call with Netgear).

>
> >Yes, Mine is the same. Not logging access to the router. I have the same
> >software version.

>
> began to spam me with port ping reports. Didcha reboot yours? I must
> check the firmware version - didn't upgrade it from purchase.
>


Pretty sure it's been rebooted at least once after the last firmware upgrade
(which would have included a reboot). I'll try one more, and if that fails,
see what Netgear make of it....
Ta.


 
Graham Tavener

 
      05-11-2004, 03:21 PM

"Simon B" <(E-Mail Removed)> wrote in message
news:1z3oc.12$(E-Mail Removed)...
>
> "Colum Mylod" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> > On Mon, 10 May 2004 19:54:52 +0100, "bikeulike"
> > <(E-Mail Removed)> wrote:
> >
> > >Simon B wrote:

> > [...]
> > >> router. Two things:
> > >>
> > >> 1 - didn't see ANY (probing) activity on ports 135, 445, 5554 or 9996
> > >> (i.e. those associated with sasser).
> > >> 2 - but also didn't see much else. Some activity from my ISP, but not
> > >> even an event like me logging onto the router for admin purposes was
> > >> logged.... (which I had seen before, e.g. under V1.03.00 firmware).

> > [...]
> > >> Anyone else notice a lack of logged events on this device? (Just want
> > >> to check before raising a call with Netgear).

> >
> > >Yes, Mine is the same. Not logging access to the router. I have the same
> > >software version.

> >
> > began to spam me with port ping reports. Didcha reboot yours? I must
> > check the firmware version - didn't upgrade it from purchase.
> >

>
> Pretty sure it's been rebooted at least once after the last firmware upgrade
> (which would have included a reboot). I'll try one more, and if that fails,
> see what Netgear make of it....
> Ta.


I have my DG834 (not wireless) with same firmware version and it is logging
via email ok.
I haven't tested out the syslog reporting, but will do soon when I get
another server configured for network monitoring.

Graham

 
Simon B

 
      05-11-2004, 03:41 PM

"Graham Tavener" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Simon B" <(E-Mail Removed)> wrote in message
> news:1z3oc.12$(E-Mail Removed)...
> >
> > "Colum Mylod" <(E-Mail Removed)> wrote in message
> > news:(E-Mail Removed)...
> > > On Mon, 10 May 2004 19:54:52 +0100, "bikeulike"
> > > <(E-Mail Removed)> wrote:
> > >
> > > >Simon B wrote:
> > > [...]
> > > >> router. Two things:
> > > >>
> > > > >> 1 - didn't see ANY (probing) activity on ports 135, 445, 5554 or 9996
> > > > >> (i.e. those associated with sasser).
> > > > >> 2 - but also didn't see much else. Some activity from my ISP, but not
> > > > >> even an event like me logging onto the router for admin purposes was
> > > > >> logged.... (which I had seen before, e.g. under V1.03.00 firmware).
> > > > [...]
> > > > >> Anyone else notice a lack of logged events on this device? (Just want
> > > > >> to check before raising a call with Netgear).
> > > >
> > > > >Yes, Mine is the same. Not logging access to the router. I have the same
> > > > >software version.
> > >

>
> I have my DG834 (not wireless) with same firmware version and it is logging
> via email ok.
> I haven't tested out the syslog reporting, but will do soon when I get
> another server configured for network monitoring.
>
> Graham
>


Well, I'd say that syslog as a function is working fine (haven't tried
email), in that it is syslogging every event that you can view if simply
logged into the admin console web-interface, and refreshing the "logs"
config window screen. The problem seems to be more that it appears that not
all required events are being logged - anywhere (admin interface, syslog -
possibly email). The obvious one is the "router admin login" not being
logged (I know this, because I had seen that one before). The more worrying
thing is what is it NOT logging, that I have asked it to log?.....

S.


 
Graham Tavener

 
      05-11-2004, 10:27 PM

"Simon B" <(E-Mail Removed)> wrote in message
news:Eu6oc.17$(E-Mail Removed)...
>
> "Graham Tavener" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> >
> > "Simon B" <(E-Mail Removed)> wrote in message
> > news:1z3oc.12$(E-Mail Removed)...
> > >
> > > "Colum Mylod" <(E-Mail Removed)> wrote in message
> > > news:(E-Mail Removed)...
> > > > On Mon, 10 May 2004 19:54:52 +0100, "bikeulike"
> > > > <(E-Mail Removed)> wrote:
> > > >
> > > > >Simon B wrote:
> > > > [...]
> > > > >> router. Two things:
> > > > >>
> > > > > >> 1 - didn't see ANY (probing) activity on ports 135, 445, 5554 or 9996
> > > > > >> (i.e. those associated with sasser).
> > > > > >> 2 - but also didn't see much else. Some activity from my ISP, but not
> > > > > >> even an event like me logging onto the router for admin purposes was
> > > > > >> logged.... (which I had seen before, e.g. under V1.03.00 firmware).
> > > > > [...]
> > > > > >> Anyone else notice a lack of logged events on this device? (Just want
> > > > > >> to check before raising a call with Netgear).
> > > > >
> > > > > >Yes, Mine is the same. Not logging access to the router. I have the same
> > > > > >software version.
> > > >

> >
> > I have my DG834 (not wireless) with same firmware version and it is logging
> > via email ok.
> > I haven't tested out the syslog reporting, but will do soon when I get
> > another server configured for network monitoring.
> >
> > Graham
> >

>
> Well, I'd say that syslog as a function is working fine (haven't tried
> email), in that it is syslogging every event that you can view if simply
> logged into the admin console web-interface, and refreshing the "logs"
> config window screen. The problem seems to be more that it appears that not
> all required events are being logged - anywhere (admin interface, syslog -
> possibly email). The obvious one is the "router admin login" not being
> logged (I know this, because I had seen that one before). The more worrying
> thing is what is it NOT logging, that I have asked it to log?.....
>
> S.
>

A quick check of my email logs shows that admin logins are being logged.
Graham

 
David

 
      05-13-2004, 12:13 PM
Hi Simon,

I'm running firmware v1.03 (been OK for me and, with no need for VPN, I
decided to heed the group's warnings about v.1.04.01) so mine is logging
admin log-ins fine.

It's also logging inbound activity as far as I can tell. I don't have
anything on the sasser ports you mention but I do get the regular NETBIOS
(port 137) probes and some other common trojans.

Have you set up an inbound firewall rule with logging enabled? The default
inbound rule (which, afaik cannot be altered) has logging set to "Never". If
you add a new inbound rule (actually the same rule, block all services from
all IPs) but with logging set to "Always" any probes should appear in the
log (or at least they seem to on firmware v1.03).

The only thing I don't understand (my lack of knowledge) is that the source
ip for the probe is reported but the destination ip is always (or at least
seems to be always) 1.0.0.0 rather than my real IP (I've a static ip from my
ISP) which is what I would have expected - not that it matters much.

Many thanks, David


"Simon B" <(E-Mail Removed)> wrote in message
news:PUGnc.11$(E-Mail Removed)...
> After coming up with some techniques at work to monitor the progress of the
> sasser worm through the internal corporate network (like ACLs on routers,
> and monitoring/logging matches to port 5554, etc.), I thought that I would
> set up my home DG834G to syslog to a local PC, and see just how much sasser
> activity was getting through to my router. Two things:
>
> 1 - didn't see ANY (probing) activity on ports 135, 445, 5554 or 9996 (i.e.
> those associated with sasser).
> 2 - but also didn't see much else. Some activity from my ISP, but not even
> an event like me logging onto the router for admin purposes was logged....
> (which I had seen before, e.g. under V1.03.00 firmware).
>
> Am on V1.04.01 firmware. Got all logging options checked on the relevant
> router config page. The web-interface logfile window seems to reflect what's
> being (and what's NOT being) logged via syslog....
>
> Anyone else notice a lack of logged events on this device? (Just want to
> check before raising a call with Netgear).
>
> Thanks,
>
>



 
Simon B

 
      05-13-2004, 01:00 PM
"David" <(E-Mail Removed)> wrote in message
news:7HJoc.3022$(E-Mail Removed)...
> Hi Simon,
>
> I'm running firmware v1.03 (been OK for me and, with no need for VPN, I
> decided to heed the group's warnings about v.1.04.01) so mine is logging
> admin log-ins fine.
>
> It's also logging inbound activity as far as I can tell. I don't have
> anything on the sasser ports you mention but I do get the regular NETBIOS
> (port 137) probes and some other common trojans.
>
> Have you set up an inbound firewall rule with logging enabled? The default
> inbound rule (which, afaik cannot be altered) has logging set to "Never". If
> you add a new inbound rule (actually the same rule, block all services from
> all IPs) but with logging set to "Always" any probes should appear in the
> log (or at least they seem to on firmware v1.03).
>
> The only thing I don't understand (my lack of knowledge) is that the source
> ip for the probe is reported but the destination ip is always (or at least
> seems to be always) 1.0.0.0 rather than my real IP (I've a static ip from my
> ISP) which is what I would have expected - not that it matters much.
>
> Many thanks, David
>
>
> "Simon B" <(E-Mail Removed)> wrote in message
> news:PUGnc.11$(E-Mail Removed)...
> > After coming up with some techniques at work to monitor the progress of the
> >

>

Thanks for the detailed reply. However, since the first post (which was
possibly a little premature on my part - i.e. before I'd completed more
homework myself), I have rebooted the router AGAIN (another poster's
suggestion), and certainly the next admin logon was logged (as indeed was an
attempt to a configured blocked site - another log event that seemed to be
missing before the reboot). The last re-boot before this one would have been
the one following the upgrade to V1.04.01... I also noticed the fact that
the default rule was "not logging", and considered a new rule that blocks
and logs everything inbound - but haven't tried that yet (was also wondering
about order of rule application, etc.). Will give it a go and also take a
look at the source address issue you mentioned... thanks,


 
Andrew Jackson

 
      05-13-2004, 08:09 PM
"David" <(E-Mail Removed)> wrote in message
news:7HJoc.3022$(E-Mail Removed)...
> Hi Simon,
>
> I'm running firmware v1.03 (been OK for me and, with no need for VPN, I
> decided to heed the group's warnings about v.1.04.01) so mine is logging
> admin log-ins fine.
>
> It's also logging inbound activity as far as I can tell. I don't have
> anything on the sasser ports you mention but I do get the regular NETBIOS
> (port 137) probes and some other common trojans.
>
> Have you set up an inbound firewall rule with logging enabled? The default
> inbound rule (which, afaik cannot be altered) has logging set to "Never". If
> you add a new inbound rule (actually the same rule, block all services from
> all IPs) but with logging set to "Always" any probes should appear in the
> log (or at least they seem to on firmware v1.03).
>
> The only thing I don't understand (my lack of knowledge) is that the source
> ip for the probe is reported but the destination ip is always (or at least
> seems to be always) 1.0.0.0 rather than my real IP (I've a static ip from my
> ISP) which is what I would have expected - not that it matters much.
>
> Many thanks, David


[snip]

Hi David,

I have observed exactly the same behaviour on v1.03 with the inbound
destination always logged as 1.0.0.0. I reported it to Netgear - they were
aware of the problem. IIRC, v1.04.01 does show the correct address for
inbound traffic. However, if I set a rule to log all inbound traffic, then
it seems consistently to prevent me from successfully downloading anything
by ftp. Goodness knows why. I have logged this with Netgear (weeks ago)
and not received any response. Has anyone else seen this behaviour?


While we're talking about NetGear, though I probably should start a new
thread, has anyone had success with the latest version of the drivers for
the WG511? On XP Pro, I cannot get the new driver to connect with a ME102
using the NetGear "Wizard". I can only connect if I let Windows manage the
adapter. (I could connect with the previous drivers and config. utility.)

Cheers,
Andy
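
Added example, not part of any poster's message: a log-coverage check for the points raised in this thread (probes on the Sasser ports from the first post, event classes that silently stop being logged, and the 1.0.0.0 destination). The line format, event-class names and patterns are constructed for illustration and are not the DG834G's real log format.

```python
import re
from collections import Counter

# Constructed sample in a made-up line format; NOT the DG834G's real log format.
SAMPLE_LOG = """\
May 13 12:01:07 router admin login from 192.168.0.2
May 13 12:03:44 router blocked site: example.invalid from 192.168.0.2
May 13 12:05:10 router DROP TCP src=203.0.113.7:4021 dst=1.0.0.0:445
May 13 12:05:12 router DROP UDP src=203.0.113.9:1026 dst=1.0.0.0:137
May 13 12:06:30 router DROP TCP src=198.51.100.23:3380 dst=192.0.2.10:5554
"""

SASSER_PORTS = {135, 445, 5554, 9996}  # ports named in the thread

# Event classes the operator triggers on purpose before reading the log
# (hypothetical names and patterns; adapt them to the real message text).
EXPECTED = {
    "admin_login": re.compile(r"admin login", re.I),
    "blocked_site": re.compile(r"blocked site", re.I),
    "inbound_drop": re.compile(r"\bDROP\b"),
}
PACKET = re.compile(
    r"DROP (?:TCP|UDP) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def analyse(log_text):
    """Return (hits per Sasser port, missing event classes, 1.0.0.0-dst count)."""
    hits, seen, placeholder_dst = Counter(), set(), 0
    for line in log_text.splitlines():
        seen.update(name for name, rx in EXPECTED.items() if rx.search(line))
        m = PACKET.search(line)
        if not m:
            continue
        dport = int(m["dport"])
        if dport in SASSER_PORTS:
            hits[dport] += 1
        if m["dst"] == "1.0.0.0":  # destination value reported in the thread
            placeholder_dst += 1
    return hits, sorted(set(EXPECTED) - seen), placeholder_dst

def report(log_text):
    hits, missing, placeholder_dst = analyse(log_text)
    if missing:
        # A zero probe count proves nothing while event classes are being lost.
        return f"UNRELIABLE: no {', '.join(missing)} events seen; port counts not trusted"
    return (f"OK: sasser-port hits={dict(sorted(hits.items()))}, "
            f"dst=1.0.0.0 on {placeholder_dst} lines")

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Trigger each expected event yourself (an admin login, a blocked-site request, a probe from outside) before trusting an empty result for the watched ports.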