Log Types: SOCKSLog

Overview

SOCKS is an Internet protocol that exchanges network packets between a client and server through a proxy server.
SOCKS5 optionally provides authentication so only authorized users may access a server.
This log type module understands and processes logs from the IBM SOCKS server; logs from other SOCKS servers with a similar format may also be processed.

Collection

The IBM SOCKS server can send data to the Snare Central collection subsystem using the syslog protocol.

Sample Events

d23sock1.au.ibm.com SOCKSLog 0 Sep 23 10:36:35 d23sock1 Socks5[47988]: Proxy: Received request with incompatible version number: 13
d23sock1.au.ibm.com SOCKSLog 0 Sep 23 10:36:35 d23sock1 Socks5[47988]: Auth Failed: (129.39.109.193:35769)
d23sock1.au.ibm.com SOCKSLog 0 Sep 23 13:50:37 d23sock1 Socks5[10470]: Flow Recv: client closed connection.
d23sock1.au.ibm.com SOCKSLog 0 Sep 23 13:50:37 d23sock1 Socks5[10470]: TCP Connection Terminated: Normal (9.190.250.13:37622 to 202.81.21.147:22) for user ajsmith: 31965 bytes out, 40929 bytes in.
d23sock1.au.ibm.com SOCKSLog 0 Sep 23 13:50:44 d23sock1 Socks5[10254]: TCP Connection Request : Connect (9.190.250.13:54581 to 202.81.21.147:22) for user ajsmith.
d23sock1.au.ibm.com SOCKSLog 0 Sep 23 13:50:44 d23sock1 Socks5[10254]: TCP Connection Established: Connect (9.190.250.13:54581 to 202.81.21.147:22) for user ajsmith.

Fields

Field      Description
DATE       Event date, in the format YYYY-MM-DD
TIME       Event time, in the format HH:MM:SS
SYSTEM     The source system
TABLE      SOCKSLog
ACTION     If present, the label that precedes the first colon of the message body, e.g. Auth Failed, Flow Recv, Proxy
MESSAGE    The main body of the SOCKS log message

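To show how the fields in the table are carved out of a raw line, here is an added parser that is not part of Snare Central or the IBM SOCKS server; the regular expressions, the derived SRC, DST, USER and byte-count fields, and the helper names are my own assumptions. It runs over two of the sample events shown above.

```python
import re
from datetime import datetime
from typing import Optional

# Line layout: <system> SOCKSLog <criticality> <syslog timestamp> <host> Socks5[<pid>]: <body>
HEADER = re.compile(
    r"^(?P<system>\S+) SOCKSLog (?P<crit>\d+) "
    r"(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) Socks5\[(?P<pid>\d+)\]: (?P<body>.*)$"
)
# ACTION is the label before the first ': ' of the body. Allowing only letters and spaces in
# it means a colon inside an address such as 202.81.21.147:22 is never taken as the delimiter.
ACTION = re.compile(r"^(?P<action>[A-Za-z][A-Za-z ]*?) ?: (?P<message>.+)$")
CONN = re.compile(r"\((?P<src>\S+) to (?P<dst>[^)]+)\) for user (?P<user>[^:. ]+)")
BYTES = re.compile(r"(?P<out>\d+) bytes out, (?P<inb>\d+) bytes in")

SAMPLE_EVENTS = [  # two of the sample events shown on this page
    "d23sock1.au.ibm.com SOCKSLog 0 Sep 23 10:36:35 d23sock1 Socks5[47988]: Auth Failed: (129.39.109.193:35769)",
    "d23sock1.au.ibm.com SOCKSLog 0 Sep 23 13:50:37 d23sock1 Socks5[10470]: TCP Connection Terminated: Normal "
    "(9.190.250.13:37622 to 202.81.21.147:22) for user ajsmith: 31965 bytes out, 40929 bytes in.",
]

def parse_socks_event(line: str, year: Optional[int] = None) -> Optional[dict]:
    """Map one SOCKSLog line onto the documented fields. The syslog timestamp carries no
    year, so DATE (YYYY-MM-DD) needs one from the caller; assumption: the current year."""
    m = HEADER.match(line)
    if not m:
        return None  # not a SOCKSLog line
    stamp = f"{m['mon']} {m['day']} {year or datetime.now().year}"
    body = m["body"]
    a = ACTION.match(body)
    event = {"DATE": datetime.strptime(stamp, "%b %d %Y").date().isoformat(), "TIME": m["time"],
             "SYSTEM": m["system"], "TABLE": "SOCKSLog", "ACTION": a["action"] if a else None,
             "MESSAGE": a["message"] if a else body}  # ACTION is None when the body has no label
    # Derived fields beyond the documented table (assumed): endpoints, user and byte counters
    if c := CONN.search(body):
        event.update(SRC=c["src"], DST=c["dst"], USER=c["user"])
    if b := BYTES.search(body):
        event.update(BYTES_OUT=int(b["out"]), BYTES_IN=int(b["inb"]))
    return event

def auth_failures_by_source(lines, year: Optional[int] = None) -> dict:
    """Count 'Auth Failed' events per client address, the first thing to watch on a proxy."""
    counts: dict = {}
    for e in filter(None, (parse_socks_event(ln, year) for ln in lines)):
        if e["ACTION"] == "Auth Failed":
            src = e["MESSAGE"].strip("()").rsplit(":", 1)[0]  # drop the ephemeral port
            counts[src] = counts.get(src, 0) + 1
    return counts
```
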
Notes

-