Log Types: SophosWeb

Overview

Sophos data loss protection (DLP) is designed to reduce the risk of accidental data transfer by employees. DLP produces Data Control events, and may be available in the following appliances/applications: Central Endpoint Advanced, Sophos Cloud Managed Server, and Sophos Endpoint Security and Control.

Collection

Sophos Web logs are generally sent to the Snare Central server via syslog.

Sample Events

<30>Nov 16 03:57:50 ws1100.abcd.local h=172.16.249.45: u="ABCD\playfs" s=200 X=+ t=1353038269 T=29107 Ts=0 act=1 cat="0x220000000c" rsn=- threat="-" type="image/jpeg" ctype="image/jpeg" sav-ev=- sav-dv=- uri-dv=- cache=- in=47 0 out=2380 meth=GET ref="http://www.theage.com.au/" ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.2)" req="GET http://images.triplem.com.au/2010/02/27/354246/3MMM-higgo-small-thumb.jpg HTTP/1.1" dom="triplem.com.au" filetype="-" rule="-" filesize=- axtime=0.000228 fttime=0.000020 scantime=- src_cat="0x3000000033" labs_cat="-" dcat_prox="-" target_ip="119.15.70.138" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=Windows authn=33 auth_by=sso_cache

<30>Nov 16 03:57:50 ws1100.abcd.local h=172.16.249.45: =bad u="ABCD\playfs" s=200 X=+ t=1353038269 T=29107 Ts=0 act=1 cat="0x220000000c" rsn=someRsn threat="someThreat" type="image/jpeg" ctype="image/jpeg" sav-ev=- sav-dv=- uri-dv=- cache=- in=47 0 out=2380 meth=GET ref="http://www.theage.com.au/" ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.2)" req="GET http://images.triplem.com.au/2010/02/27/354246/3MMM-higgo-small-thumb.jpg HTTP/1.1" dom="triplem.com.au" filetype="-" rule="someRule" filesize=- axtime=0.000228 fttime=0.000020 scantime=- src_cat="0x3000000033" labs_cat="-" dcat_prox="-" target_ip="119.15.70.138" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=Windows authn=33 auth_by=sso_cache.

<30>Nov 16 03:57:50 ws1100.abcd.local h=192.168.5.16 u="-" s=200 X=+ t=1490946447 T=9747619 Ts=9 act=1 cat="-" app="-" rsn=- threat="-" type="application/octet-stream" ctype="application/octet-stream" sav-ev=5.35 sav-dv=2019.3.31.5350002 uri-dv=- cache=- in=324 out=12396216 meth=GET ref="-" ua="Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0" req="GET http://getfetch.com/Fetch_4.5.6.dmg HTTP/1.1" dom="getfetch.com" filetype="-" rule="0" filesize=12345678 axtime=0.079191 fttime=0.000070 scantime=0.002 src_cat="-" labs_cat="-" dcat_prox="-" target_ip="66.77.150.1" labs_rule_id="0" reqtime=0.003 adtime=0.000000 ftbypass=- os=Linux authn=0 auth_by=- dnstime=0.147943 quotatime=- sandbox=-

Fields

Field         Description
DATE          Event date, in the format YYYY-MM-DD
TIME          Event time, in the format HH:MM:SS
SYSTEM        The source system
TABLE         SophosWeb
USERNAME      The user who initiated the event
CRITICALITY   Numeric criticality value
CATEGORY      Hexadecimal category
RULE          The rule value, if supplied
REASON        The rsn value, if supplied
THREAT        The threat value, if supplied
DOMAIN        The dom value, if supplied
METHOD        The meth value, if supplied
URL           URL supplied as part of the request (req) value
PROTOCOL      Protocol supplied as part of the request (req) value
SRCIP         Source IP address
DESTIP        Destination IP address
AGENT         User agent
OS            Operating system
BYTESIN       Bytes incoming
BYTESOUT      Bytes outgoing
REFERRER      Referrer URL
STRINGS       Any other content within the event that is not assigned to the fields above
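As an added example (not Snare Central's or Sophos's own code), the following Python parser maps a syslog-delivered Sophos Web event onto the fields above: quoted values that contain spaces (ua=, req=) are kept whole, req= is split into METHOD/URL/PROTOCOL, and anything that is not a key=value token lands in STRINGS. The sample event is constructed from the page's first sample line; treating the stray "=bad"/"0" tokens and the trailing colon on h= as tolerable noise is this example's assumption.

```python
import re

# Sophos Web events are key=value tokens; a value may be double-quoted and then
# contain spaces. Anything that is not a key=value token is collected as STRINGS.
KV_RE = re.compile(r'(?P<key>[\w-]+)=(?:"(?P<q>[^"]*)"|(?P<u>\S*))')
SYSLOG_RE = re.compile(r'^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$')

def parse_sophos_web(line):
    """Split one syslog-framed Sophos Web event into Snare Central field names."""
    m = SYSLOG_RE.match(line.strip().rstrip('.'))
    if not m:
        raise ValueError('not a syslog-framed Sophos Web event')
    rest, kv, extra, pos = m.group('rest'), {}, [], 0
    for tok in KV_RE.finditer(rest):
        gap = rest[pos:tok.start()].strip()   # e.g. the stray "0" in "in=47 0 out=2380"
        if gap:
            extra.append(gap)
        kv[tok.group('key')] = tok.group('q') if tok.group('q') is not None else tok.group('u')
        pos = tok.end()
    if rest[pos:].strip():
        extra.append(rest[pos:].strip())
    def val(key):                             # "-" means "not supplied" in this format
        v = kv.get(key, '')
        return '' if v == '-' else v
    req = val('req').split(' ')               # "GET http://host/path HTTP/1.1"
    url = req[1] if len(req) > 1 else ''
    proto = req[2] if len(req) > 2 else ''
    return {                                  # DATE/TIME omitted: the syslog header carries no year
        'SYSTEM': m.group('host'), 'TABLE': 'SophosWeb',
        'USERNAME': val('u'), 'CATEGORY': val('cat'), 'RULE': val('rule'),
        'REASON': val('rsn'), 'THREAT': val('threat'), 'DOMAIN': val('dom'),
        'METHOD': val('meth'), 'URL': url, 'PROTOCOL': proto,
        'SRCIP': val('h').rstrip(':'),        # sample lines carry "h=<ip>:" with a trailing colon
        'DESTIP': val('target_ip'), 'AGENT': val('ua'), 'OS': val('os'),
        'BYTESIN': val('in'), 'BYTESOUT': val('out'), 'REFERRER': val('ref'),
        'STRINGS': ' '.join(extra),
    }

# Constructed sample, shortened from the page's first sample event.
SAMPLE = ('<30>Nov 16 03:57:50 ws1100.abcd.local h=172.16.249.45: =bad u="ABCD\\playfs" s=200 '
          'cat="0x220000000c" rsn=- threat="-" in=47 0 out=2380 meth=GET '
          'ref="http://www.theage.com.au/" ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" '
          'req="GET http://images.triplem.com.au/x.jpg HTTP/1.1" dom="triplem.com.au" '
          'rule="-" target_ip="119.15.70.138" os=Windows')

if __name__ == '__main__':
    for k, v in parse_sophos_web(SAMPLE).items():
        print(f'{k:10} {v}')
```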

Notes
