Log Types: SidewinderFirewallLog
Overview
The Sidewinder firewall is a stateful packet filtering engine that also includes encrypted traffic inspection, anti-virus, content filtering, and intrusion prevention capabilities.
Collection
Sidewinder devices can be configured to send logs via syslog to the Snare Central collection subsystem. Logs can be sent from both the firewall components and the general service components (eg: LDAP). This log type is specific to the firewall component.
Sample Events
Apr 22 10:50:03 auditd: date="Apr 22 00:50:03 2008 UTC",fac=f_http_proxy,area=a_proxy,type=t_attack,pri=p_major,pid=41335,ruid=0,euid=0,pgid=41335,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=sidewinder.myorg.gov.au,category=policy_violation,event=ACL deny,attackip=172.16.8.4,attackburb=internal,srcip=172.16.8.4,srcport=55860,srcburb=internal,dstip=202.147.3.8,dstport=80,dstburb=external,protocol=6,service_name=http,user_name=(null),auth_method=(null),acl_id="Deny All",cache_hit=1,reason="Traffic denied by policy."
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | SidewinderFirewallLog |
ACTION | The action taken by the firewall in response to a packet - eg: ACL deny |
PROTO | Protocol |
SRCINT | Source interface - eg: internal |
SRCADDR | Source IP address |
SRCPORT | Source port |
DSTINT | Destination interface |
DSTADDR | Destination address |
DSTPORT | Destination port |
FAC | eg: f_http_proxy |
AREA | Area of notification - eg: a_proxy |
TYPE | Type of notification - eg: t_attack |
PRIORITY | Priority - eg: p_major |
PID | Process ID |
RUID | Real UID |
EUID | Effective UID |
PGID | Process Group ID |
LOGID | Login ID |
COMMAND | Command that caused the log message to be generated - eg: httpp |
DOMAIN | Command domain - eg: http |
EDOMAIN | |
CATEGORY | Category of log - eg: policy_violation |
ATTACKADDR | Attack IP address |
ATTACKINT | Attack interface |
SERVICENAME | Service name - eg: http |
USERNAME | User name |
AUTHMETHOD | Authentication method |
ACLID | Access control ID - eg: Deny all |
CACHEHIT | |
REASON | Human readable reason for the log message - eg: “Traffic denied by policy” |
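The following parser is an added example (not Snare Central's own code) showing how the comma-separated key=value body of a Sidewinder auditd line maps onto the columns in the table above; it handles double-quoted values that contain spaces or commas (eg: acl_id="Deny All"), converts "(null)" to a missing value, and derives DATE and TIME from the device's own date field rather than the syslog header. The sample line is constructed from the sample event shown earlier on this page.

```python
import re
from datetime import datetime

# Constructed sample, shaped after the page's sample event (not captured from a live device).
SAMPLE = ('Apr 22 10:50:03 auditd: date="Apr 22 00:50:03 2008 UTC",fac=f_http_proxy,'
          'area=a_proxy,type=t_attack,pri=p_major,pid=41335,ruid=0,euid=0,pgid=41335,'
          'logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=sidewinder.myorg.gov.au,'
          'category=policy_violation,event=ACL deny,attackip=172.16.8.4,attackburb=internal,'
          'srcip=172.16.8.4,srcport=55860,srcburb=internal,dstip=202.147.3.8,dstport=80,'
          'dstburb=external,protocol=6,service_name=http,user_name=(null),auth_method=(null),'
          'acl_id="Deny All",cache_hit=1,reason="Traffic denied by policy."')

# One key=value pair: the value is either a double-quoted string (which may contain
# commas and spaces) or a bare token running up to the next comma.
PAIR_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]*)')

# Sidewinder key -> Snare Central column, following the Fields table on this page.
FIELD_MAP = {
    'event': 'ACTION', 'protocol': 'PROTO', 'srcburb': 'SRCINT', 'srcip': 'SRCADDR',
    'srcport': 'SRCPORT', 'dstburb': 'DSTINT', 'dstip': 'DSTADDR', 'dstport': 'DSTPORT',
    'fac': 'FAC', 'area': 'AREA', 'type': 'TYPE', 'pri': 'PRIORITY', 'pid': 'PID',
    'ruid': 'RUID', 'euid': 'EUID', 'pgid': 'PGID', 'logid': 'LOGID', 'cmd': 'COMMAND',
    'domain': 'DOMAIN', 'edomain': 'EDOMAIN', 'category': 'CATEGORY',
    'attackip': 'ATTACKADDR', 'attackburb': 'ATTACKINT', 'service_name': 'SERVICENAME',
    'user_name': 'USERNAME', 'auth_method': 'AUTHMETHOD', 'acl_id': 'ACLID',
    'cache_hit': 'CACHEHIT', 'reason': 'REASON',
}


def parse_sidewinder(line):
    """Split one auditd syslog line into Snare-style columns.

    Returns None when the line is not a Sidewinder auditd event.
    """
    _syslog_header, sep, body = line.partition('auditd: ')
    if not sep:
        return None
    # Strip the surrounding quotes from quoted values; bare values pass through unchanged.
    raw = {key: value.strip('"') for key, value in PAIR_RE.findall(body)}
    row = {'TABLE': 'SidewinderFirewallLog', 'SYSTEM': raw.get('hostname')}
    for key, column in FIELD_MAP.items():
        if key in raw:
            row[column] = None if raw[key] == '(null)' else raw[key]
    if 'date' in raw:
        # Device timestamp, eg: "Apr 22 00:50:03 2008 UTC"; note it can differ from the
        # syslog header time, which is when the collector received the message.
        stamp = datetime.strptime(raw['date'], '%b %d %H:%M:%S %Y %Z')
        row['DATE'] = stamp.strftime('%Y-%m-%d')
        row['TIME'] = stamp.strftime('%H:%M:%S')
    return row
```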
Notes
-