Log Types: SidewinderFirewallLog

Overview

The Sidewinder firewall is a stateful packet filtering engine that includes encrypted traffic inspection, anti-virus, content filtering, and intrusion prevention capabilities.

Collection

Sidewinder devices can be configured to send logs via syslog to the Snare Central collection subsystem. Logs can be sent from both the firewall components and the general service components (eg: LDAP). This log type is specific to the firewall component.

Sample Events

Apr 22 10:50:03 auditd: date="Apr 22 00:50:03 2008 UTC",fac=f_http_proxy,area=a_proxy,type=t_attack,pri=p_major,pid=41335,ruid=0,euid=0,pgid=41335,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=sidewinder.myorg.gov.au,category=policy_violation,event=ACL deny,attackip=172.16.8.4,attackburb=internal,srcip=172.16.8.4,srcport=55860,srcburb=internal,dstip=202.147.3.8,dstport=80,dstburb=external,protocol=6,service_name=http,user_name=(null),auth_method=(null),acl_id="Deny All",cache_hit=1,reason="Traffic denied by policy."

Fields

Field         Description
DATE          Event date, in the format YYYY-MM-DD
TIME          Event time, in the format HH:MM:SS
SYSTEM        The source system
TABLE         SidewinderFirewallLog
ACTION        The action taken by the firewall in response to a packet - eg: ACL deny
PROTO         Protocol
SRCINT        Source interface - eg: internal
SRCADDR       Source IP address
SRCPORT       Source port
DSTINT        Destination interface
DSTADDR       Destination address
DSTPORT       Destination port
FAC           eg: f_http_proxy
AREA          Area of notification - eg: a_proxy
TYPE          Type of notification - eg: t_attack
PRIORITY      Priority - eg: p_major
PID           Process ID
RUID          Real UID
EUID          Effective UID
PGID          Process Group ID
LOGID         Login ID
COMMAND       Command that caused the log message to be generated - eg: httpp
DOMAIN        Command domain - eg: http
EDOMAIN
CATEGORY      Category of log - eg: policy_violation
ATTACKADDR    Attack IP address
ATTACKINT     Attack interface
SERVICENAME   Service name - eg: http
USERNAME      User name
AUTHMETHOD    Authentication method
ACLID         Access control ID - eg: Deny all
CACHEHIT
REASON        Human readable reason for the log message - eg: "Traffic denied by policy"
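The following parser is an added example, not Snare Central's own code: it splits a Sidewinder auditd line into the fields listed above, handling double-quoted values that contain spaces (acl_id="Deny All", the reason text), the "(null)" marker for absent values, and the device timestamp that becomes DATE and TIME. The raw-key-to-field mapping and the sample line are assumptions built from the sample event on this page.

```python
import re
from datetime import datetime

# Constructed sample in the format shown in "Sample Events" above (not a real capture).
SAMPLE = ('Apr 22 10:50:03 auditd: date="Apr 22 00:50:03 2008 UTC",fac=f_http_proxy,area=a_proxy,'
          'type=t_attack,pri=p_major,pid=41335,ruid=0,euid=0,pgid=41335,logid=0,cmd=httpp,'
          'domain=htpp,edomain=htpp,hostname=sidewinder.myorg.gov.au,category=policy_violation,'
          'event=ACL deny,attackip=172.16.8.4,attackburb=internal,srcip=172.16.8.4,srcport=55860,'
          'srcburb=internal,dstip=202.147.3.8,dstport=80,dstburb=external,protocol=6,'
          'service_name=http,user_name=(null),auth_method=(null),acl_id="Deny All",cache_hit=1,'
          'reason="Traffic denied by policy."')

# One key=value pair. A value is either double-quoted (and may then contain commas
# or spaces, e.g. acl_id="Deny All") or a bare run up to the next comma.
PAIR_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,]*))')

# Raw Sidewinder keys -> field names from the table above (assumed mapping).
FIELD_MAP = {
    'fac': 'FAC', 'area': 'AREA', 'type': 'TYPE', 'pri': 'PRIORITY', 'pid': 'PID',
    'ruid': 'RUID', 'euid': 'EUID', 'pgid': 'PGID', 'logid': 'LOGID', 'cmd': 'COMMAND',
    'domain': 'DOMAIN', 'edomain': 'EDOMAIN', 'hostname': 'SYSTEM', 'category': 'CATEGORY',
    'event': 'ACTION', 'attackip': 'ATTACKADDR', 'attackburb': 'ATTACKINT',
    'srcip': 'SRCADDR', 'srcport': 'SRCPORT', 'srcburb': 'SRCINT', 'dstip': 'DSTADDR',
    'dstport': 'DSTPORT', 'dstburb': 'DSTINT', 'protocol': 'PROTO',
    'service_name': 'SERVICENAME', 'user_name': 'USERNAME', 'auth_method': 'AUTHMETHOD',
    'acl_id': 'ACLID', 'cache_hit': 'CACHEHIT', 'reason': 'REASON',
}

def parse_sidewinder(line):
    """Parse one auditd line into a dict keyed by the documented field names."""
    _, sep, body = line.partition('auditd: ')   # drop the syslog prefix
    if not sep:
        raise ValueError('not a Sidewinder auditd line')
    rec = {'TABLE': 'SidewinderFirewallLog'}
    for key, quoted, bare in PAIR_RE.findall(body):
        value = quoted if quoted else bare
        if value == '(null)':                    # Sidewinder writes (null) for absent values
            value = None
        if key == 'date':
            # The device timestamp (UTC) is split into the DATE and TIME fields.
            ts = datetime.strptime(value, '%b %d %H:%M:%S %Y UTC')
            rec['DATE'], rec['TIME'] = ts.strftime('%Y-%m-%d'), ts.strftime('%H:%M:%S')
        elif key in FIELD_MAP:
            rec[FIELD_MAP[key]] = value
    return rec

def policy_denies(lines):
    """Return (SRCADDR, DSTADDR, DSTPORT, ACLID) for every 'ACL deny' event."""
    return [(r['SRCADDR'], r['DSTADDR'], r['DSTPORT'], r['ACLID'])
            for r in map(parse_sidewinder, lines) if r.get('ACTION') == 'ACL deny']
```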

Notes

-