Log Types: NetScreenFirewall
Overview
NetScreen Technologies developed ASIC-based Internet security systems and appliances that delivered firewall, VPN and traffic-shaping functionality to Internet data centres, e-business sites, broadband service providers and application service providers. NetScreen was acquired by Juniper Networks; the appliances run ScreenOS, which produces the events described here.
Collection
The NetScreen firewall can be configured to send event data via syslog.
The WebUI instructions for configuring syslog are in the Administration section (Part 3, Chapter 11) of the Concepts & Examples ScreenOS Reference Guide: Administration, Release 6.3.0, Rev. 02, pp. 367-368.
The same configuration can be done from the command line (192.168.1.2 is the address of the Snare Central server that will receive the syslog feed):
set syslog config 192.168.1.2
set syslog config 192.168.1.2 facilities local0 local0
set syslog config 192.168.1.2 log traffic
set syslog src-interface <<interface name>>
set syslog enable
The second command sets the facility for security (traffic) and regular event messages respectively to local0; the third forwards traffic (policy) logs as well as event logs, which is what produces the system-notification-00257(traffic) records in the samples below; src-interface fixes the source address the firewall uses for the syslog packets, which matters when the collector filters by sender.
Sample Events
Dec 31 23:20:34 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-notification-00257(traffic): start_time="2007-12-31 22:20:11" duration=0 policy_id=22 service=tcp/port:54775 proto=6 direction=incoming action=Deny sent=0 rcvd=0 src=193.226.18.131 dst=172.186.32.103 src_port=6627 dst_port=54775
Jun 1 22:02:12 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan [Root]system-notification-00002: Admin user "myadmin" logged in for Web(http) management (port 8080) from 10.2.3.4:2150 (2007-06-01 22:09:40)
Dec 31 23:20:24 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-notification-00257(traffic): start_time="2007-12-31 22:20:01" duration=0 policy_id=22 service=icmp proto=1 direction=incoming action=Deny sent=0 rcvd=0 src=208.5.183.250 dst=172.168.11.29 icmp type=8
Dec 31 23:20:20 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-alert-00008: IP Spoof, From 172.188.0.2/138 to 172.188.0.255/138, using protocol UDP. (on interface untrust) occurred 2 times (2007-12-31 22:19:56)
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | NetScreenFirewall |
ACTION | Disposition of the network event (e.g. Deny) |
PROTO | Protocol |
SRCADDR | Source IP address |
SRCPORT | Source port |
DSTADDR | Destination IP address |
DSTPORT | Destination port |
DURATION | Connection duration |
SENT | Bytes sent |
RECEIVED | Bytes received |
DIRECTION | Incoming or Outgoing |
DETAILS | Components of the event not included in the other fields |
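Worked example: the following Python parser is an added illustration for this page, not Snare or Juniper code. It maps the four sample events above onto the field table, taking DATE and TIME from the timestamp embedded in the event (start_time for traffic records, the trailing parenthesised timestamp for other messages) rather than from the relayed syslog header, which carries no year and is stamped by the relay. It goes beyond the traffic-only key=value mapping by also pulling addresses out of the two free-text message shapes on the page (the IP Spoof alert and the admin login). The MSGID key, the sample list and the triage() summary are assumptions of this example, not Snare columns or commands.

```python
"""Parse ScreenOS (NetScreen) syslog events into the Snare NetScreenFirewall fields.
Added example for this page; the regexes are derived from the four sample events."""
import re
from collections import Counter

# Constructed sample input: the four sample events from this page, verbatim.
SAMPLE_EVENTS = [
    'Dec 31 23:20:34 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-notification-00257(traffic): start_time="2007-12-31 22:20:11" duration=0 policy_id=22 service=tcp/port:54775 proto=6 direction=incoming action=Deny sent=0 rcvd=0 src=193.226.18.131 dst=172.186.32.103 src_port=6627 dst_port=54775',
    'Jun 1 22:02:12 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan [Root]system-notification-00002: Admin user "myadmin" logged in for Web(http) management (port 8080) from 10.2.3.4:2150 (2007-06-01 22:09:40)',
    'Dec 31 23:20:24 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-notification-00257(traffic): start_time="2007-12-31 22:20:01" duration=0 policy_id=22 service=icmp proto=1 direction=incoming action=Deny sent=0 rcvd=0 src=208.5.183.250 dst=172.168.11.29 icmp type=8',
    'Dec 31 23:20:20 [192.168.0.1.9.32] Taipan: NetScreen device_id=Taipan system-alert-00008: IP Spoof, From 172.188.0.2/138 to 172.188.0.255/138, using protocol UDP. (on interface untrust) occurred 2 times (2007-12-31 22:19:56)',
]

TABLE = "NetScreenFirewall"
FIELDS = ("DATE", "TIME", "SYSTEM", "TABLE", "ACTION", "PROTO", "SRCADDR", "SRCPORT",
          "DSTADDR", "DSTPORT", "DURATION", "SENT", "RECEIVED", "DIRECTION", "DETAILS")

# syslog header, then the fixed "NetScreen device_id=<name> [<vsys>]<msgid>(<category>): <body>" prefix
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<origin>[^\]]+)\] (?P<host>\S+): NetScreen device_id=(?P<device>\S+) "
    r"(?:\[(?P<vsys>\w+)\])?(?P<msgid>system-\w+-\d{5})(?:\((?P<category>\w+)\))?:\s*(?P<body>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
TRAILING_TS_RE = re.compile(r"\((\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2})\)\s*$")
SPOOF_RE = re.compile(r"From (\S+?)/(\d+) to (\S+?)/(\d+), using protocol (\w+)")
ADMIN_RE = re.compile(r'Admin user "[^"]+" logged in .* from (\d{1,3}(?:\.\d{1,3}){3}):(\d+)')

# key=value names used by traffic events -> Snare field
KV_TO_FIELD = {
    "action": "ACTION", "proto": "PROTO", "src": "SRCADDR", "src_port": "SRCPORT",
    "dst": "DSTADDR", "dst_port": "DSTPORT", "duration": "DURATION",
    "sent": "SENT", "rcvd": "RECEIVED", "direction": "DIRECTION",
}


def parse_event(line):
    """Return a dict of Snare fields (plus MSGID) for one line, or None if it is not a NetScreen event."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = dict.fromkeys(FIELDS, "")
    rec["TABLE"] = TABLE
    rec["SYSTEM"] = m.group("device")
    rec["MSGID"] = m.group("msgid")  # not a Snare column; kept for the triage step below
    body = m.group("body")

    # Prefer the device's own timestamp: start_time="..." on traffic records,
    # a trailing "(YYYY-MM-DD HH:MM:SS)" on everything else.
    kv = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    if "start_time" in kv:
        rec["DATE"], rec["TIME"] = kv.pop("start_time").split(" ", 1)
    else:
        ts = TRAILING_TS_RE.search(body)
        if ts:
            rec["DATE"], rec["TIME"] = ts.group(1), ts.group(2)
            body = body[: ts.start()].rstrip()

    for key, field in KV_TO_FIELD.items():
        if key in kv:
            rec[field] = kv.pop(key)

    # Free-text events: addresses from the two message shapes shown on this page.
    spoof = SPOOF_RE.search(body)
    if spoof:
        rec["SRCADDR"], rec["SRCPORT"], rec["DSTADDR"], rec["DSTPORT"], rec["PROTO"] = spoof.groups()
    admin = ADMIN_RE.search(body)
    if admin:
        rec["SRCADDR"], rec["SRCPORT"] = admin.groups()

    # DETAILS: whatever the fixed columns did not absorb (vsys, category, leftover key=values, free text).
    extras = {}
    if m.group("vsys"):
        extras["vsys"] = m.group("vsys")
    if m.group("category"):
        extras["category"] = m.group("category")
    extras.update(kv)
    free_text = " ".join(KV_RE.sub("", body).split())
    rec["DETAILS"] = " ".join([f"{k}={v}" for k, v in extras.items()] + ([free_text] if free_text else []))
    return rec


def triage(lines):
    """Parse many lines and return the counts an analyst would look at first (example helper)."""
    records = [r for r in (parse_event(line) for line in lines) if r]
    return {
        "denies_by_src": Counter(r["SRCADDR"] for r in records if r["ACTION"] == "Deny"),
        "alerts": [r["MSGID"] for r in records if r["MSGID"].startswith("system-alert-")],
        "admin_logins_from": [r["SRCADDR"] for r in records if "Admin user" in r["DETAILS"]],
        "unparsed": len(lines) - len(records),
    }


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(parse_event(event))
    print(triage(SAMPLE_EVENTS))
```

Note that the syslog header time (23:20:34) and the embedded start_time (22:20:11) disagree by an hour in the first sample; the parser keeps the device's own timestamp and leaves the header alone, so any clock or timezone offset between firewall and relay shows up in DATE/TIME as the firewall reported it.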
Notes
-