Log Types: NetScreenFirewall

Overview

NetScreen Technologies developed ASIC-based Internet security systems and appliances that delivered firewall, VPN and traffic-shaping functionality to Internet data centres, e-business sites, broadband service providers and application service providers. NetScreen has since been acquired by Juniper Networks.

Collection

The NetScreen firewall can be configured to send event data via syslog.

The WebUI instructions for configuring syslog are provided in the Administration section (Part 3, Chapter 11) of the Concepts & Examples ScreenOS Reference Guide, Administration, Release 6.3.0, Rev. 02, pp. 367-368.

The firewall can also be configured via the command line (where 192.168.1.2 is the destination address of the Snare Central server):

  • set syslog config 192.168.1.2

  • set syslog config 192.168.1.2 facilities local0 local0

  • set syslog config 192.168.1.2 log traffic

  • set syslog src-interface <<interface name>>

  • set syslog enable

Sample Events

Dec 31 23:20:34 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-notification-00257(traffic): start_time="2007-12-31 22:20:11" duration=0 policy_id=22 service=tcp/port:54775 proto=6 direction=incoming action=Deny sent=0 rcvd=0 src=193.226.18.131 dst=172.186.32.103 src_port=6627 dst_port=54775
Jun 1 22:02:12 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan [Root]system-notification-00002: Admin user "myadmin" logged in for Web(http) management (port 8080) from 10.2.3.4:2150 (2007-06-01 22:09:40)
Dec 31 23:20:24 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-notification-00257(traffic): start_time="2007-12-31 22:20:01" duration=0 policy_id=22 service=icmp proto=1 direction=incoming action=Deny sent=0 rcvd=0 src=208.5.183.250 dst=172.168.11.29 icmp type=8
Dec 31 23:20:20 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-alert-00008: IP Spoof, From 172.188.0.2/138 to 172.188.0.255/138, using protocol UDP. (on interface untrust) occurred 2 times (2007-12-31 22:19:56)

Fields

Field       Description
DATE        Event date, in the format YYYY-MM-DD
TIME        Event time, in the format HH:MM:SS
SYSTEM      The source system
TABLE       NetScreenFirewall
ACTION      Disposition of the network event (e.g. Deny)
PROTO       Protocol
SRCADDR     Source IP address
SRCPORT     Source port
DSTADDR     Destination IP address
DSTPORT     Destination port
DURATION    Connection duration
SENT        Bytes sent
RECEIVED    Bytes received
DIRECTION   Incoming or Outgoing
DETAILS     Components of the event not included in the other fields
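The following parser is an added example, not Snare Central's own code, showing how the sample events above map onto the fields in the table. It uses the four sample lines from this page as constructed input. The syslog header, the device_id, the optional [Root] vsys tag and the message id (e.g. system-notification-00257) are parsed from the header; traffic events (category "(traffic)") are split into key=value pairs, while other events take their date and time from the trailing "(YYYY-MM-DD HH:MM:SS)" stamp. The MSGID key and the "From x/port to y/port, using protocol P" extraction for IP Spoof alerts are this example's own assumptions, not part of the page's field list, and the denied_sources() summary is a small illustration of a defender's view over the parsed records.

```python
import re
from collections import Counter

# Constructed input: the four sample events shown on this page.
SAMPLE_EVENTS = [
    'Dec 31 23:20:34 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-notification-00257(traffic): start_time="2007-12-31 22:20:11" duration=0 policy_id=22 service=tcp/port:54775 proto=6 direction=incoming action=Deny sent=0 rcvd=0 src=193.226.18.131 dst=172.186.32.103 src_port=6627 dst_port=54775',
    'Jun 1 22:02:12 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan [Root]system-notification-00002: Admin user "myadmin" logged in for Web(http) management (port 8080) from 10.2.3.4:2150 (2007-06-01 22:09:40)',
    'Dec 31 23:20:24 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-notification-00257(traffic): start_time="2007-12-31 22:20:01" duration=0 policy_id=22 service=icmp proto=1 direction=incoming action=Deny sent=0 rcvd=0 src=208.5.183.250 dst=172.168.11.29 icmp type=8',
    'Dec 31 23:20:20 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-alert-00008: IP Spoof, From 172.188.0.2/138 to 172.188.0.255/138, using protocol UDP. (on interface untrust) occurred 2 times (2007-12-31 22:19:56)',
]

# Syslog header: timestamp, relay address in brackets, host, device_id,
# optional vsys tag such as [Root], message id, optional category, body.
HEADER_RE = re.compile(
    r'^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) '
    r'\[(?P<relay>[^\]]+)\] (?P<host>\S+): NetScreen device_id=(?P<device>\S+) '
    r'(?:\[(?P<vsys>[^\]]+)\])?(?P<msg_id>system-\w+-\d+)'
    r'(?:\((?P<category>\w+)\))?: (?P<body>.*)$'
)
# A token is either key="quoted value with spaces" or a run of non-blanks.
TOKEN_RE = re.compile(r'\w+="[^"]*"|\S+')
# Non-traffic events end with the device's own timestamp in parentheses.
TRAILING_TS_RE = re.compile(r'\((\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\)\s*$')
# Assumed shape of the IP Spoof alert text, taken from the sample line.
ALERT_RE = re.compile(
    r'From (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+), '
    r'using protocol (?P<proto>\w+)'
)
# NetScreen key=value names -> Snare field names from the table above.
TRAFFIC_KEYS = {
    'action': 'ACTION', 'proto': 'PROTO', 'src': 'SRCADDR', 'src_port': 'SRCPORT',
    'dst': 'DSTADDR', 'dst_port': 'DSTPORT', 'duration': 'DURATION',
    'sent': 'SENT', 'rcvd': 'RECEIVED', 'direction': 'DIRECTION',
}


def _parse_traffic_body(body):
    """Split a traffic event body into mapped fields; unmapped tokens go to DETAILS."""
    fields, leftover = {}, []
    for tok in TOKEN_RE.findall(body):
        key, sep, val = tok.partition('=')
        if not sep:                      # bare word such as "icmp" in "icmp type=8"
            leftover.append(tok)
            continue
        val = val.strip('"')
        if key == 'start_time':          # "2007-12-31 22:20:11" -> DATE and TIME
            fields['DATE'], fields['TIME'] = val.split(' ', 1)
        elif key in TRAFFIC_KEYS:
            fields[TRAFFIC_KEYS[key]] = val
        else:                            # policy_id, service, type, ...
            leftover.append(tok)
    fields['DETAILS'] = ' '.join(leftover)
    return fields


def parse_event(line):
    """Return a dict keyed by the Snare field names, or None if the line is not a NetScreen event."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {'TABLE': 'NetScreenFirewall', 'SYSTEM': m.group('device'),
           'MSGID': m.group('msg_id')}   # MSGID is an extra key added by this example
    body = m.group('body')
    if m.group('category') == 'traffic':
        rec.update(_parse_traffic_body(body))
        return rec
    ts = TRAILING_TS_RE.search(body)
    if ts:
        rec['DATE'], rec['TIME'] = ts.group(1), ts.group(2)
        body = body[:ts.start()].rstrip()
    alert = ALERT_RE.search(body)
    if alert:
        rec.update({'SRCADDR': alert['src'], 'SRCPORT': alert['sport'],
                    'DSTADDR': alert['dst'], 'DSTPORT': alert['dport'],
                    'PROTO': alert['proto']})
    rec['DETAILS'] = body
    return rec


def parse_all(lines):
    """Parse every line, silently dropping lines that are not NetScreen events."""
    return [r for r in (parse_event(l) for l in lines) if r is not None]


def denied_sources(records):
    """Count denied traffic events per source address (a simple review aid)."""
    return Counter(r['SRCADDR'] for r in records
                   if r.get('ACTION') == 'Deny' and 'SRCADDR' in r)


if __name__ == '__main__':
    for rec in parse_all(SAMPLE_EVENTS):
        print(rec)
    print(denied_sources(parse_all(SAMPLE_EVENTS)))
```

Note that the syslog receive time (e.g. "Dec 31 23:20:34") and the device's own start_time differ in the samples; the parser follows the page's field definitions and takes DATE and TIME from the device-side timestamp, so clock skew between the firewall and the collector is visible when the two are compared.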

Notes

-
