Log Types: SophosWeb
Overview
Sophos data loss protection (DLP) is designed to reduce the risk of accidental data transfer by employees. DLP produces Data Control events, and may be available in the following appliances/applications: Central Endpoint Advanced, Sophos Cloud Managed Server and Sophos Endpoint Security and Control.
Collection
Sophos Web logs are generally sent to the Snare Central server via syslog.
Sample Events
<30>Nov 16 03:57:50 ws1100.abcd.local h=172.16.249.45: u="ABCD\playfs" s=200 X=+ t=1353038269 T=29107 Ts=0 act=1 cat="0x220000000c" rsn=- threat="-" type="image/jpeg" ctype="image/jpeg" sav-ev=- sav-dv=- uri-dv=- cache=- in=47 0 out=2380 meth=GET ref="http://www.theage.com.au/" ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.2)" req="GET http://images.triplem.com.au/2010/02/27/354246/3MMM-higgo-small-thumb.jpg HTTP/1.1" dom="triplem.com.au" filetype="-" rule="-" filesize=- axtime=0.000228 fttime=0.000020 scantime=- src_cat="0x3000000033" labs_cat="-" dcat_prox="-" target_ip="119.15.70.138" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=Windows authn=33 auth_by=sso_cache
<30>Nov 16 03:57:50 ws1100.abcd.local h=172.16.249.45: =bad u="ABCD\playfs" s=200 X=+ t=1353038269 T=29107 Ts=0 act=1 cat="0x220000000c" rsn=someRsn threat="someThreat" type="image/jpeg" ctype="image/jpeg" sav-ev=- sav-dv=- uri-dv=- cache=- in=47 0 out=2380 meth=GET ref="http://www.theage.com.au/" ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET CLR 1.1.4322; .NET4.0C; .NET4.0E; InfoPath.2)" req="GET http://images.triplem.com.au/2010/02/27/354246/3MMM-higgo-small-thumb.jpg HTTP/1.1" dom="triplem.com.au" filetype="-" rule="someRule" filesize=- axtime=0.000228 fttime=0.000020 scantime=- src_cat="0x3000000033" labs_cat="-" dcat_prox="-" target_ip="119.15.70.138" labs_rule_id="-" reqtime=- adtime=- ftbypass=- os=Windows authn=33 auth_by=sso_cache.
<30>Nov 16 03:57:50 ws1100.abcd.local h=192.168.5.16 u="-" s=200 X=+ t=1490946447 T=9747619 Ts=9 act=1 cat="-" app="-" rsn=- threat="-" type="application/octet-stream" ctype="application/octet-stream" sav-ev=5.35 sav-dv=2019.3.31.5350002 uri-dv=- cache=- in=324 out=12396216 meth=GET ref="-" ua="Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0" req="GET http://getfetch.com/Fetch_4.5.6.dmg HTTP/1.1" dom="getfetch.com" filetype="-" rule="0" filesize=12345678 axtime=0.079191 fttime=0.000070 scantime=0.002 src_cat="-" labs_cat="-" dcat_prox="-" target_ip="66.77.150.1" labs_rule_id="0" reqtime=0.003 adtime=0.000000 ftbypass=- os=Linux authn=0 auth_by=- dnstime=0.147943 quotatime=- sandbox=-
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system |
| TABLE | SophosWeb |
| USERNAME | The user who initiated the event |
| CRITICALITY | Numeric criticality value |
| CATEGORY | Hexadecimal category |
| RULE | The rule value, if supplied |
| REASON | The rsn value, if supplied |
| THREAT | The threat value, if supplied |
| DOMAIN | The dom value, if supplied |
| METHOD | The meth value, if supplied |
| URL | URL supplied as part of the request (req) value |
| PROTOCOL | Protocol supplied as part of the request (req) value |
| SRCIP | Source IP address |
| DESTIP | Destination IP address |
| AGENT | User agent |
| OS | Operating system |
| BYTESIN | Bytes incoming |
| BYTESOUT | Bytes outgoing |
| REFERRER | Referrer URL |
| STRINGS | Any other content within the event that is not assigned to the fields above |
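The mapping in the table above can be exercised with a small parser. The following is an added example, not Snare's or Sophos's own code: it splits a SophosWeb syslog line into its syslog header and key=value body (quoted values may contain spaces, and a bare `-` means "not supplied"), then fills the fields listed above, derives URL and PROTOCOL from the `req` value, and leaves everything unmapped in STRINGS. It assumes DATE and TIME come from the epoch `t` field in UTC (the page does not say which timestamp Snare uses) and leaves CRITICALITY out, since the page does not describe how it is derived. The two sample lines are constructed, modelled on the page's events, and the `threat_events` helper shows the obvious triage filter: events where the proxy recorded a threat or a reason.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Syslog header as in the page's samples: <PRI>Mon DD HH:MM:SS host key=value ...
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>(?P<hdr_ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<body>.*)$'
)
# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(?P<key>[\w.-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S*))')

# Constructed samples modelled on the page's events (not real captures).
SAMPLE_ALLOWED = (
    '<30>Nov 16 03:57:50 ws1100.abcd.local h=172.16.249.45: u="ABCD\\playfs" s=200 X=+ '
    't=1353038269 T=29107 Ts=0 act=1 cat="0x220000000c" rsn=- threat="-" '
    'type="image/jpeg" ctype="image/jpeg" in=470 out=2380 meth=GET '
    'ref="http://www.theage.com.au/" ua="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)" '
    'req="GET http://images.triplem.com.au/2010/02/27/354246/3MMM-higgo-small-thumb.jpg HTTP/1.1" '
    'dom="triplem.com.au" rule="-" target_ip="119.15.70.138" os=Windows authn=33 auth_by=sso_cache'
)
SAMPLE_THREAT = (
    '<30>Nov 16 03:57:50 ws1100.abcd.local h=172.16.249.45: u="ABCD\\playfs" s=200 X=+ '
    't=1353038269 T=29107 Ts=0 act=1 cat="0x220000000c" rsn=someRsn threat="someThreat" '
    'type="image/jpeg" ctype="image/jpeg" in=470 out=2380 meth=GET ref="-" ua="-" '
    'req="GET http://images.triplem.com.au/2010/02/27/354246/3MMM-higgo-small-thumb.jpg HTTP/1.1" '
    'dom="triplem.com.au" rule="someRule" target_ip="119.15.70.138" os=Windows authn=33 auth_by=-'
)


def _take(raw: Dict[str, str], key: str) -> Optional[str]:
    """Pop a key from the raw pairs; Sophos writes '-' for 'not supplied'."""
    v = raw.pop(key, None)
    return None if v in (None, '', '-') else v


def _int(v: Optional[str]) -> Optional[int]:
    try:
        return int(v) if v is not None else None
    except ValueError:
        return None


def parse_event(line: str) -> Dict[str, object]:
    """Map one SophosWeb syslog line onto the Snare field names from the table."""
    m = HEADER_RE.match(line.strip())
    if m is None:
        raise ValueError('not a SophosWeb syslog line')
    raw: Dict[str, str] = {}
    for kv in KV_RE.finditer(m.group('body')):
        q = kv.group('quoted')
        raw[kv.group('key')] = q if q is not None else kv.group('bare')

    # DATE/TIME: assumption - derived from the epoch 't' field, rendered in UTC.
    date = time = None
    epoch = _int(_take(raw, 't'))
    if epoch is not None:
        dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
        date, time = dt.strftime('%Y-%m-%d'), dt.strftime('%H:%M:%S')

    # URL and PROTOCOL come from the req value: "<method> <url> <protocol>".
    req_parts = (_take(raw, 'req') or '').split(' ')
    url = req_parts[1] if len(req_parts) > 1 else None
    protocol = req_parts[2] if len(req_parts) > 2 else None

    src = _take(raw, 'h')
    fields: Dict[str, object] = {
        'DATE': date, 'TIME': time,
        'SYSTEM': m.group('host'),
        'TABLE': 'SophosWeb',
        'USERNAME': _take(raw, 'u'),
        'CATEGORY': _take(raw, 'cat'),
        'RULE': _take(raw, 'rule'),
        'REASON': _take(raw, 'rsn'),
        'THREAT': _take(raw, 'threat'),
        'DOMAIN': _take(raw, 'dom'),
        'METHOD': _take(raw, 'meth'),
        'URL': url, 'PROTOCOL': protocol,
        'SRCIP': src.rstrip(':') if src else None,  # the samples carry a trailing ':' on h=
        'DESTIP': _take(raw, 'target_ip'),
        'AGENT': _take(raw, 'ua'),
        'OS': _take(raw, 'os'),
        'BYTESIN': _int(_take(raw, 'in')),
        'BYTESOUT': _int(_take(raw, 'out')),
        'REFERRER': _take(raw, 'ref'),
    }
    # Everything not mapped above lands in STRINGS, as the field table describes.
    fields['STRINGS'] = ' '.join(f'{k}={v}' for k, v in raw.items())
    return fields


def threat_events(lines: List[str]) -> List[Dict[str, object]]:
    """Return parsed events where the proxy recorded a threat or a reason (rsn)."""
    out = []
    for line in lines:
        try:
            ev = parse_event(line)
        except ValueError:
            continue  # skip lines that are not SophosWeb events
        if ev['THREAT'] is not None or ev['REASON'] is not None:
            out.append(ev)
    return out


if __name__ == '__main__':
    for ev in threat_events([SAMPLE_ALLOWED, SAMPLE_THREAT]):
        print(ev['DATE'], ev['TIME'], ev['USERNAME'], ev['THREAT'], ev['URL'])
```

Quoted values are consumed whole by the key=value pattern, so a user agent full of spaces and semicolons never leaks into neighbouring fields; anything the table does not name (`s`, `X`, `act`, `authn`, `auth_by`, the scan timings) is preserved in STRINGS rather than dropped.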
Notes