Log Types: SidewinderLog
Overview
The Sidewinder firewall is a stateful packet filtering engine that includes encrypted traffic inspection, anti-virus, content filtering, and intrusion prevention capabilities.
Collection
Older versions of Sidewinder devices could not send data to a collection system over syslog, but instead relied on locally stored log files. These files could be transferred to the Snare Central server via FTP, to the path /data/SnareCollect/SidewinderLog, using the user ‘snarexfer’. Data found in this directory would be processed and integrated into the Snare Central collection subsystem on a scheduled overnight run. The Sidewinder logs would be CSV files with key=value components.
Sample Events
For batch Sidewinder data, the batch collection system will look for the following fields:
date
hostname
user_name
reason
srcip
srcport
dstip
dstport
type
event
protocol
auth_method
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | SidewinderFirewallLog |
| USERNAME | User name, if available |
| AUTHMETHOD | Authentication method |
| SRCADDR | Source IP address |
| SRCPORT | Source port |
| DSTADDR | Destination IP address |
| DSTPORT | Destination port |
| PROTO | Protocol |
| EVENT | Event |
| TYPE | Type |
| REASON | Reason |
| STRINGS | Any event content that does not fit into an existing field, comma-delimited |
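The following Python script is an added illustration of the two lists above (the input keys the batch collector looks for, and the output columns of the SidewinderFirewallLog table); it is not Snare Central's own collection code. It reads CSV lines of key=value components, maps the known input keys onto the table columns, collects any leftover pairs into STRINGS, and rejects lines that cannot be trusted before they reach the table. The key-to-column mapping, the sample log lines, the assumption that the `date` value carries both date and time separated by a space, and the validation rules (port range, IP syntax, date format) are all assumptions made for this example and are labelled as such in the code.

```python
import csv
import io
import ipaddress
import sys
from datetime import datetime

# Output columns of the SidewinderFirewallLog table, in the order the page lists them.
SNARE_FIELDS = ["DATE", "TIME", "SYSTEM", "TABLE", "USERNAME", "AUTHMETHOD",
                "SRCADDR", "SRCPORT", "DSTADDR", "DSTPORT", "PROTO", "EVENT",
                "TYPE", "REASON", "STRINGS"]

# Assumed mapping from the batch-collector input keys to table columns.
# The "date" key is handled separately because it is split into DATE and TIME.
KEY_MAP = {
    "hostname": "SYSTEM", "user_name": "USERNAME", "auth_method": "AUTHMETHOD",
    "srcip": "SRCADDR", "srcport": "SRCPORT", "dstip": "DSTADDR",
    "dstport": "DSTPORT", "protocol": "PROTO", "event": "EVENT",
    "type": "TYPE", "reason": "REASON",
}

# Constructed sample batch file (not real Sidewinder output). Line 3 is a
# corrupted fragment and line 4 carries a non-numeric port; both must be rejected.
SAMPLE_BATCH = """\
date=2024-03-05 14:22:31,hostname=fw1.example.net,user_name=,"reason=policy deny, rule 17",srcip=10.1.2.3,srcport=51234,dstip=192.0.2.10,dstport=443,type=filter,event=denied,protocol=tcp,auth_method=none,rule=default_deny,cache_hit=0
date=2024-03-05 14:22:40,hostname=fw1.example.net,user_name=alice,reason=allowed,srcip=10.1.2.7,srcport=40012,dstip=192.0.2.20,dstport=22,type=filter,event=allowed,protocol=tcp,auth_method=password
corrupted upload fragment
date=2024-03-05 14:23:01,hostname=fw1.example.net,srcip=10.1.2.9,srcport=notaport,dstip=192.0.2.30,dstport=80,type=filter,event=denied,protocol=tcp
"""


def parse_kv_line(line):
    """Split one CSV line into ordered (key, value) pairs.

    A whole component may be double-quoted so its value can contain commas.
    Any component without '=' makes the line malformed (ValueError)."""
    tokens = next(csv.reader(io.StringIO(line), skipinitialspace=True))
    pairs = []
    for token in tokens:
        if not token:
            continue  # tolerate a trailing comma
        key, sep, value = token.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"component is not key=value: {token!r}")
        pairs.append((key.strip(), value.strip()))
    return pairs


def to_snare_record(line):
    """Map one log line onto the SidewinderFirewallLog columns."""
    record = {name: "" for name in SNARE_FIELDS}
    record["TABLE"] = "SidewinderFirewallLog"
    extras = []
    for key, value in parse_kv_line(line):
        if key == "date":
            # Assumed: the date value is "YYYY-MM-DD HH:MM:SS".
            record["DATE"], _, record["TIME"] = value.partition(" ")
        elif key in KEY_MAP:
            record[KEY_MAP[key]] = value
        else:
            extras.append(f"{key}={value}")  # unknown keys land in STRINGS
    record["STRINGS"] = ",".join(extras)
    return record


def validate(record):
    """Return a list of problems; an empty list means the record is acceptable."""
    problems = []
    try:
        datetime.strptime(record["DATE"], "%Y-%m-%d")
    except ValueError:
        problems.append(f"DATE not YYYY-MM-DD: {record['DATE']!r}")
    if not record["SYSTEM"]:
        problems.append("SYSTEM (hostname) missing")
    for field in ("SRCPORT", "DSTPORT"):
        value = record[field]
        if value and not (value.isdigit() and int(value) <= 65535):
            problems.append(f"{field} is not a valid port: {value!r}")
    for field in ("SRCADDR", "DSTADDR"):
        value = record[field]
        if value:
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append(f"{field} is not an IP address: {value!r}")
    return problems


def parse_batch_file(text):
    """Parse a whole batch file; returns (accepted records, rejected (line_no, reason))."""
    records, rejects = [], []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            record = to_snare_record(line)
        except ValueError as exc:
            rejects.append((line_no, str(exc)))
            continue
        problems = validate(record)
        if problems:
            rejects.append((line_no, "; ".join(problems)))
            continue
        records.append(record)
    return records, rejects


if __name__ == "__main__":
    accepted, rejected = parse_batch_file(SAMPLE_BATCH)
    writer = csv.writer(sys.stdout)
    writer.writerow(SNARE_FIELDS)
    for rec in accepted:
        writer.writerow([rec[f] for f in SNARE_FIELDS])
    for line_no, reason in rejected:
        print(f"rejected line {line_no}: {reason}", file=sys.stderr)
```

Because the files arrive through an FTP drop directory rather than a live syslog feed, a batch parser should treat every line as untrusted input: the rejects list keeps malformed or out-of-range lines out of the table while still recording why they were dropped, so a truncated upload or a tampered file is visible in the overnight run's output rather than silently absorbed.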
Notes
-