Log Types: ISAFWSLog
Overview
Microsoft Forefront Threat Management Gateway (TMG), formerly Microsoft Internet Security and Acceleration Server (ISA), is Microsoft's combined firewall, router, VPN server, web cache and malware-inspection gateway. It runs on Windows Server and inspects all traffic that passes through it.
The FWS (Firewall Service) log is written by the packet inspection/filtering component, one record per connection event, as opposed to the separate Web Proxy log.
Collection
The Snare Epilog agent can collect and forward ISA / Forefront log data.
Sample Events
MSISAMAILR1 2007-02-21 14:56:57 TCP 128.252.15.242:21415 128.252.17.209:80 Establish 0x0 - HTTP -
MSISAMAILR1 2007-02-21 14:56:57 TCP 128.252.17.209:25 128.252.15.242:21390 Denied 0xc0040017 - Unidentified IP Traffic -
MSISAMAILR1 2007-02-21 14:56:57 TCP 128.252.17.209:25 128.252.15.242:21390 GoodGrief 0xc0040017 - Unidentified IP Traffic -
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | Hostname of the ISA/TMG server that wrote the record (MSISAMAILR1 in the samples) |
TABLE | ISAFWSLog, the log-type identifier assigned on collection; it does not appear in the raw line |
PROTO | Transport protocol, e.g. TCP |
ACTION | Connection outcome: Establish or Denied in normal records; other strings describing the cause of the notification may also appear (see the third sample) |
SRCADDR | Source IP address |
SRCPORT | Source port |
DSTADDR | Destination IP address |
DSTPORT | Destination port |
STATUS | Firewall result code in hex: 0x0 for a successful/established connection, a non-zero value (0xc0040017 in the samples) when the packet was denied or dropped |
RULE | Name of the matching firewall rule; written as - when no rule is recorded, as in all three samples |
APPLICATION | Application identifier such as HTTP; ISA may also write a descriptive label containing spaces, e.g. Unidentified IP Traffic in the samples |
STRINGS | Any content that does not fit into an existing field; - when empty |
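The following parser is an added example, not part of the original page or of any Snare or Microsoft code. It reads the three sample events above (embedded as constructed input) into the fields of the table, decodes the hex STATUS, and flags blocked traffic so the records can be counted per source. The rule for splitting the trailing columns, where the first token after STATUS is RULE, the last is STRINGS and everything in between is APPLICATION, is an assumption made here so that multi-word labels such as `Unidentified IP Traffic` survive intact.

```python
"""Parse ISAFWSLog lines (field layout as in the table above) and flag denied traffic.

Added example. SAMPLE_EVENTS reproduces the page's three sample lines; the
RULE / APPLICATION / STRINGS split below is an assumption, not documented
ISA behaviour.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed input: the three sample events from the page.
SAMPLE_EVENTS = """\
MSISAMAILR1 2007-02-21 14:56:57 TCP 128.252.15.242:21415 128.252.17.209:80 Establish 0x0 - HTTP -
MSISAMAILR1 2007-02-21 14:56:57 TCP 128.252.17.209:25 128.252.15.242:21390 Denied 0xc0040017 - Unidentified IP Traffic -
MSISAMAILR1 2007-02-21 14:56:57 TCP 128.252.17.209:25 128.252.15.242:21390 GoodGrief 0xc0040017 - Unidentified IP Traffic -
"""


@dataclass
class FwsEvent:
    system: str
    timestamp: datetime
    proto: str
    src_addr: str
    src_port: Optional[int]
    dst_addr: str
    dst_port: Optional[int]
    action: str
    status: int            # hex result code decoded to an integer
    rule: Optional[str]    # None where the log writes "-"
    application: Optional[str]
    strings: Optional[str]


def _dash_to_none(token: str) -> Optional[str]:
    return None if token in ("", "-") else token


def _split_endpoint(token: str) -> Tuple[str, Optional[int]]:
    """'128.252.15.242:21415' -> ('128.252.15.242', 21415); a bare address gets port None."""
    addr, sep, port = token.rpartition(":")
    if not sep or not port.isdigit():
        return token, None
    return addr, int(port)


def parse_line(line: str) -> FwsEvent:
    tokens = line.split()
    # 8 fixed leading fields plus at least RULE, APPLICATION, STRINGS.
    if len(tokens) < 11:
        raise ValueError(f"too few fields for an ISAFWSLog record: {line!r}")
    system, date, time, proto, src, dst, action, status = tokens[:8]
    tail = tokens[8:]
    # Assumption: first trailing token is RULE, last is STRINGS, the rest is
    # APPLICATION (which may contain spaces, e.g. "Unidentified IP Traffic").
    rule, strings = tail[0], tail[-1]
    application = " ".join(tail[1:-1])
    src_addr, src_port = _split_endpoint(src)
    dst_addr, dst_port = _split_endpoint(dst)
    return FwsEvent(
        system=system,
        timestamp=datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        proto=proto,
        src_addr=src_addr, src_port=src_port,
        dst_addr=dst_addr, dst_port=dst_port,
        action=action,
        status=int(status, 16),          # accepts the "0x" prefix
        rule=_dash_to_none(rule),
        application=_dash_to_none(application),
        strings=_dash_to_none(strings),
    )


def parse_log(text: str) -> List[FwsEvent]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_blocked(ev: FwsEvent) -> bool:
    """An explicit Denied action or a non-zero result code means the packet did not pass."""
    return ev.action == "Denied" or ev.status != 0


def blocked_by_source(events: List[FwsEvent]) -> Counter:
    """Blocked events per source address: the pivot you would alert or hunt on."""
    return Counter(ev.src_addr for ev in events if is_blocked(ev))


if __name__ == "__main__":
    evs = parse_log(SAMPLE_EVENTS)
    for ev in evs:
        flag = "BLOCKED" if is_blocked(ev) else "ok"
        print(f"{ev.timestamp} {ev.proto} {ev.src_addr}:{ev.src_port} -> "
              f"{ev.dst_addr}:{ev.dst_port} {ev.action} 0x{ev.status:08x} "
              f"app={ev.application!r} [{flag}]")
    print(blocked_by_source(evs))
```

Note that the third sample, with the unfamiliar action `GoodGrief`, is still reported as blocked because the decision keys on the non-zero STATUS as well as on the literal `Denied`; an ACTION-only match would silently miss any variant strings ISA writes into that column.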
Notes
- In the raw line the fields appear in the order SYSTEM DATE TIME PROTO SRCADDR:SRCPORT DSTADDR:DSTPORT ACTION STATUS RULE APPLICATION STRINGS, with addresses and ports joined by a colon and empty fields written as -; the table above lists them in a different order.
- APPLICATION may contain spaces (Unidentified IP Traffic in the samples), so the record cannot be split purely on whitespace into a fixed number of columns.