
LogLogic Support for Sidewinder Events

The following list describes the contents of each of the columns in the table below.

ID #—Event Item Number

Event Name—Value of the event field (7.x) or of the status field (6.2 and 6.1). Shown as Not Applicable (N/A) when the record carries neither.

Agile Reports—Whether the Sidewinder event is available through the LogLogic Agile Report Engine (Agile) or only through the search capabilities (Search Filter). Events available through the Agile Report Engine can be analyzed and displayed with LogLogic Real-Time Reports and Summary Reports; all other supported events captured by the LogLogic Appliance are viewed by searching the log data.

Title/Comments—Sidewinder version number, plus a comment when an event type has more than one supported format in that version (for example "7.x / format 2").

Event Category—Audit or Operational

Event Type—Type of event such as t_iptraffic or t_attack

Reports Appears In—LogLogic-provided reports that the event appears in

Sample Log Message—A sample Sidewinder log message in text (.txt) form. The Collector captures log data that tracks actions such as file modifications, account changes and machine access, which can indicate fraudulent activity. The LogLogic appliance can be configured to alert administrators in real time when such events indicate that data integrity or confidentiality may have been compromised, and LogLogic Agile Reports and search can be used to analyze the captured log data.

Table 1 Sidewinder Events

Columns, in order: ID | Event Name | Agile Reports | Title/Comments | Event Category | Event Type | Reports Appears In. The sample log message follows each row on the next line.

1. ACL allow | Agile | 7.x | Audit | t_aclallow | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 15 15:55:21 2007 hod=Password,acl_id="Secure Shell Server",cache_hit=0,reason="Traffic allowed by policy."

2. ACL deny | Agile | 7.x | Audit | t_attack | Denied Connections
    <131>Jan 15 14:48:01 auditd: date="Jan 15 22:48:01 2008 acl_id="Deny All",cache_hit=0,reason="Traffic denied by policy."

3. auth deny | Agile | 7.x | Audit | t_attack | User Last Activity / User Authentication
    <179>Jun 24 05:07:27 auditd: date="Aug 11 12:51:09 2008 son="Authentication failed.",information="cobra login authentication failed for user `admin', method Password, from 10.60.0.7"

4. auth allow | Agile | 7.x | Audit | t_auth_attempt | User Last Activity / User Authentication
    <179>Jun 24 05:07:27 auditd: date="Aug 11 08:25:23 2008 succeeded.",information="authentication Accepted for user `spippari', method Password from 10.60.0.7 port 1037"

5. authentication failure lockout | Agile | 7.x | Audit | t_auth_lockout | User Last Activity
    <179>Jun 6 18:32:37 auditd: date="Aug 25 22:29:34 2008 PDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure lockout,user_name=spippari,reason="Authentication failure limit exceeded."

McAfee Firewall Enterprise (Sidewinder) Log Configuration Guide

6. authentication failure clear | Agile | 7.x | Audit | t_auth_lockout | User Last Activity
    <179>Jun 6 18:32:37 auditd: date="Aug 25 22:25:28 2008 PDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure clear,user_name=rathna,admin=Rathna

7. config Modify | Agile | 7.x / format 1 | Audit | t_cfg_change | User Last Activity
    <139>Sep 10 07:54:25 auditd: date="Sep 10 21:52:12 2008 modify,user_name=Rathna,config_area="admin user database",config_item=admins:testuser,information="Changed Firewall administrator testuser: office='Wipro Technologies'"

8. config Modify | Agile | 7.x / format 2 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
    <139>Sep 10 07:54:25 auditd: date="Sep 10 14:54:25 2008 modify,user_name=spippari,config_area="admin user database",config_item=admins:cwee,information="Added Firewall administrator cwee: crypt_password='_v...03/FZ4a0ycYz/YU', directory='/home/cwee', full_name='Chris Wee', home_phone='510-576-4891', office='Home', office_phone='510-781-9671', roles=[], shell='nologin'"

9. config Modify | Agile | 7.x / format 3 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
    <139>Sep 10 07:54:25 auditd: date="Sep 10 21:48:11 2008 ed User testuser: crypt='_x...mUCBgLf3lH4uf7Q', placeholder='not used', swede_crypt_last_mod_time=1221108484.4916401, swede_expire_last_mod_time=0.0"

10. config Modify | Agile | 7.x / format 4 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
    <139>Sep 10 07:54:25 auditd: date="Sep 10 21:54:35 2008 modify,user_name=Rathna,config_area="admin user database",config_item=admins:testuser,information="Deleted Firewall administrator testuser"


11. config Modify | Agile | 7.x / format 5 | Audit | t_cfg_change | User Last Activity, User Created/Deleted
    <139>Sep 10 07:54:25 auditd: date="Sep 10 21:54:35 2008 eted User testuser"

12. IP Filter session open | Agile | 7.x | Audit | t_ipftraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=IP Filter session open,rule_name=scobra_out_filter,srcip=80.80.80.80,

13. IP Filter session timeout | Agile | 7.x | Audit | t_ipftraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=IP Filter session timeout,rule_name=scobra_out_filter,srcip=70.70.70.70,srcport=1662,dstip=80.80.80.80,dstport=9003,bytes_written_to_client=1446281,bytes_written_to_server=122272,protocol=6,netsessid=45eba8ff00060315

14. IP Filter session close | Agile | 7.x | Audit | t_ipftraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 EST",fac=f_kernel_ipfilter,area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=IP Filter session close,rule_name=scobra_out_filter,srcip=10.10.10.10,srcport=1662,dstip=10.10.10.10,dstport=9003,bytes_written_to_client=800,bytes_written_to_server=80,protocol=6,netsessid=45eba8ff00060315

15. proxy traffic begin | Agile | 7.x | Audit | t_nettraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:01 2007 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic begin,service_name=http-all,netsessid=45f8e0e1000ea505,srcip=60.60.60.60,srcport=57961,srcburb=internal,protocol=6,dstip=50.50.50.50,dstport=80,dstburb=external,acl_id=nt_http_out-nt_http_servicesproxy-auth-internal,cache_hit=0,request_status=0,start_time="Thu Mar 15 02:00:01 2007"


16. proxy traffic continue | Agile | 7.x | Audit | t_nettraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:02 2007 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic continue,service_name=http-all,netsessid=45f8e0e10 time="Thu Mar 15 02:00:01 2007"

17. proxy traffic end | Agile | 7.x | Audit | t_nettraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:02 2007 EDT",fac=f_http_proxy,area=a_libproxycommon,type=t_nettraffic,pri=p_major,pid=32152,ruid=0,euid=0,pgid=32152,logid=0,cmd=httpp,domain=htpp,edomain=htpp,hostname=xxxxxxx.xxxx.com,event=proxy traffic end,service_name=http-all,netsessid=45f8e0e1000ea "Thu Mar 15 02:00:01 2007"

18. proxy authentication failure | Agile | 7.x | Audit | t_proxyauth | Denied Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 16 16:33:55 2007 mail determined that this session is not allowed."

19. remote server authentication failure | Agile | 7.x | Audit | t_proxyauth | Denied Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 16 16:33:55 2007 CDT",fac=f_sendmail_daemon,area=a_server,type=t_proxyauth,pri=p_major,pid=2076,ruid=0,euid=0,pgid=2071,logid=0,cmd=sendmail,domain=mta1,edomain=mta1,hostname=carp.b.com,event=remote server authentication failure,srcip=10.10.10.10,srcport=3578,srcburb=external,protocol=6,dstip=10.10.10.10,dstport=456,dstburb=dmz,interface=eth3,acl_id=acl_rul_1,reason="Sendmail determined that this session is not allowed."

20. server traffic begin | Agile | 7.x | Audit | t_servtraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:01 2007 Thu Mar 15 02:00:01 2007"


21. server traffic continue | Agile | 7.x | Audit | t_servtraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:02 2007 time="Thu Mar 15 02:00:01 2007"

22. server traffic end | Agile | 7.x | Audit | t_servtraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 15 02:00:02 2007 "Thu Mar 15 02:00:01 2007"

23. N/A | Agile | 6.2 | Audit | t_aclallow | Accepted Connections
    <179>May 22 17:16:52 auditd: date="May 22 17:16:52 2007 GMT",fac=f_wwwproxy,area=a_server,type=t_aclallo

24. (not recovered) | ... Connections
    <131>Jan 15 14:51:23 auditd: date="May 14 17:02:56 2001

25. N/A | Agile | 6.2 | Audit | t_auth_attempt | User Last Activity / User Authentication
    <179>Jun 24 05:07:27 auditd: date="May 16 13:18:51 2001 CDT",fac=f_ftpproxy,area=a_server,type=t_auth_attempt,pri=p_major,pid=464,ruid=0,euid=0,pgid=464,logid=0,cmd=pftp,domain=PFTx,edomain=PFTx,user_auth_name=a,auth_method=password,result=1,info="authentication Accepted for user `a:password', method password"

26. ipf_open | Agile | 6.2 | Audit | t_ipftraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Oct 30 11:17:49 2006


27. ipf_close | Agile | 6.2 | Audit | t_ipftraffic | Accepted Connections
    <131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 otocol=6,netsessid=45eba8ff00060315

28. conn_open | Agile | 6.2 | Audit | t_nettraffic | Accepted Connections
    <179>Jan 1 00:00:00 auditd: date="Apr 19 12:25:42 2002

29. (not recovered) | ... Connections
    <179>Jan 1 00:00:00 auditd: date="Apr 19 12:25:42 2002 e="Fri Apr 19 12:25:42 2002",netsessid=3cc053160004222f

30. conn_close | Agile | 6.2 | Audit | t_nettraffic | Accepted Connections
    <179>Jan 1 00:00:00 auditd: date="Apr 19 12:25:42 2002 eason="proxy traffic end",status=conn_close,auth_method=password,user_name=a,request_status=1,start_time="Fri Apr 19 12:25:42 2002",netsessid=3cc053160004222f

31. N/A | Agile | 6.2 | Audit | t_proxyauth | Denied Connections
    <135>Jan 1 00:00:03 sidewinder1 auditd: date="Jan 1 00:00:03 2008

32. (not recovered) | User Last Activity, User Created/Deleted
    <179>Jun 6 18:32:37 auditd: date="May 14 17:27:29 2001


33. N/A | Agile | 6.2/ | (not recovered)
    <179>Jun 6 18:32:37 auditd: date="May 14 17:27:29 2001

34. (not recovered) | ... Connections
    <179>May 22 17:16:52 auditd: date="May 22 17:16:52 2007 GMT",fac=f_wwwproxy,area=a_server,type=t_aclallo

35. (not recovered) | ... Connections
    <179>Jun 24 05:15:57 auditd: date="Jun 24 05:15:57 2008

36. (not recovered) | User Last Activity / User Authentication
    <179>Jun 24 05:07:57 auditd: date="Jun 24 05:07:57 2008 EDT",fac=f_login,area=a_general_area,type=t_auth_attempt,pri=p_major,pid=1880,ruid=0,euid=0,pgid=1880,fid=0,logid=0,cmd=login,domain=Logn,edomain=Logn,hostname=xxx,user_name=abc,auth_method=-password,result=1,information="cobra login authentication Accepted for user `abc, method -password, from 20.20.20.02"

37. ipf_open | Agile | 6.1 | Audit | t_ipftraffic | Accepted Connections
    <179>Aug 13 14:49:19 auditd: date="Aug 13 14:49:19 2008

38. (not recovered) | ... Connections
    <179>Aug 13 14:50:47 auditd: date="Aug 13 14:50:47 2008


39. conn_open | Agile | 6.1 | Audit | t_nettraffic | Accepted Connections
    <179>Jan 1 00:00:00 auditd: date="Jan 1 00:00:00 2008

40. (not recovered) | ... Connections
    <179>Aug 13 14:16:09 auditd: date="Aug 13 14:16:09 2008

41. conn_close | Agile | 6.1 / format 1 | Audit | t_nettraffic | Accepted Connections
    <179>May 22 17:16:52 auditd: date="May 22 17:16:52 2007 GMT",fac=f_wwwproxy,area=a_libproxycommon,type

42. conn_close | Agile | 6.1 / format 2 | Audit | t_nettraffic | Accepted Connections
    <179>Aug 13 14:28:31 auditd: date="Aug 13 14:28:31 2008 delivery of message m7D5SP6Z020754",status=conn_close,acl_id=smtp_all,cache_hit=0,queueid=m7D5SP6Z020754,mail_sen [email protected],[email protected],start_time="Wed Aug 13 14:28:31 2008",netsessid=48a270ff00019957


43. conn_close | Agile | 6.1 / format 3 | Audit | t_nettraffic | Accepted Connections
    <179>Aug 13 14:16:09 auditd: date="Aug 13 14:16:09 2008 delivery of message m7D5G4Pe020434",status=conn_close,acl_id=smtp_all,cache_hit=0,queueid=m7D5G4Pe020434,mail_se [email protected],[email protected],subject="FW: THANK YOU NOTE ON BEHALF OF COMMODORE KEARNS",start_time="Wed Aug 13 14:16:10 2008",netsessid=48a26e190009ff25

44. conn_open | Agile | 6.1 | Audit | t_servtraffic | Accepted Connections
    <179>Jul 28 09:06:25 auditd: date="Jul 28 09:06:25 2008

45. conn_close | Agile | 6.1 | Audit | t_servtraffic | Accepted Connections
    <179>Jul 28 09:12:33 auditd: date="Jul 28 09:12:33 2008

46. (not recovered) | User Last Activity, User Created/Deleted
    <179>Jun 6 18:32:37 auditd: date="Jun 6 18:32:37 2008

47. (not recovered) | User Last Activity
    <179>Jun 6 18:32:37 auditd: date="Jun 6 18:32:37 2008


48. N/A | Search Filter | 6.2 | Operational | t_acl_change | Sidewinder 6.2: ACL Modification
    <179>Jun 6 18:32:37 auditd: date="May 11 10:17:01 2001 CDT",fac=f_cf,area=a_acladm,type=t_acl_change,pri=p_major,pid=1958,ruid=0,euid=0,pgid=1958,logid=100,cmd=COBRAD,domain=Admn,edomain=Admn,acl_admin=a,acl_op=add,acl_table=acl,acl_data="{'action': 'allow', 'ignore': 0, 'nat_addr':('host', 'localhost'), 'name': 'ping', 'agents':['proxy'], 'table': 'acl', 'services': [('service','ping')], 'last_changed_by': 'a on 05/09/01 10:17:31','alert': None, 'pos': 18, 'auth_needed': 0,'external_groups': None}"

49. N/A | Search Filter | 6.2 | Operational | t_proxy_flooded | Sidewinder 6.2: Proxy Flooded
    <179>Jun 6 18:32:37 auditd: date="Oct 30 12:41:25 2002 CST",fac=f_nss,area=a_server,type=t_proxy_flooded,pri=p_major,pid=179,ruid=0,euid=0,pgid=179,logid=0,cmd='nss',domain=nss2,edomain=nss2,srcburb=2,srcip=192.168.181.3,srcport=51210,dstip=192.168.180.87,dstport=80,information="55|No buffer space available Could not connect to the http proxy, probably flooded, temporarily suspended network fd 9 for 1 second"

50. N/A | Search Filter | 6.2 | Operational | t_snmp_coldtrap | Sidewinder 6.2: SNMP Coldstart Trap
    <179>Jun 6 18:32:37 auditd: date="May 30 13:46:10 2001

51. N/A | Search Filter | 6.2 | Operational | t_syn_attack | Sidewinder 6.2: SYN Attack
    <179>Jun 6 18:32:37 auditd: date="May 30 13:46:10 2001

52. N/A | Search Filter | 6.2 | Operational | t_tacrad_acct | Sidewinder 6.2: TACACS/RADIUS Accounting
    <179>Jun 6 18:32:37 auditd: date="May 4 06:02:42 2000

53. N/A | Search Filter | 6.2 | Operational | t_protocol_error | Sidewinder 6.2: Protocol Error
    <179>Jun 6 18:32:37 auditd: date="Oct 30 12:41:25 2002

54. N/A | Search Filter | 6.2 | Operational | t_ddtviolation | Sidewinder 6.2: Type Enforcement
    <179>Jun 6 18:32:37 auditd: date="May 4 06:13:18 2000 000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"


55. N/A | Search Filter | 6.2 | Operational | t_ditviolation | Sidewinder 6.2: Type Enforcement
    <179>Jun 6 18:32:37 auditd: date="May 4 06:13:18 2000 000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"

56. N/A | Search Filter | 6.2 | Operational | t_dmnprivdenied | Sidewinder 6.2: Type Enforcement
    <179>Jun 6 18:32:37 auditd: date="May 4 06:13:18 2000 :0x2000041 perm wanted: 0x40<destroy> permgranted:0x1<read>"

57. N/A | Search Filter | 6.2 | Operational | t_chtype | Sidewinder 6.2: Type Enforcement
    <179>Jun 6 18:32:37 auditd: date="May 4 06:13:18 2000 0041 perm wanted: 0x40<destroy> permgranted:0x1<read>"

58. N/A | Search Filter | 6.2 | Operational | t_udb_sysac | Sidewinder 6.2: User Database Modification
    <179>Jun 6 18:32:37 auditd: date="May 14 17:27:29 2001

59. N/A | Search Filter | 6.2 | Operational | t_udb_useract | Sidewinder 6.2: User Database Modification
    <179>Jun 6 18:32:37 auditd: date="May 14 17:27:29 2001

60. N/A | Search Filter | 7.x | Operational | t_attack | Sidewinder 7.x: Application Defense Violation
    No sample log available

61. N/A | Search Filter | 7.x | Operational | t_attack | Sidewinder 7.x: Buffer Overflow Attack
    No sample log available

62. N/A | Search Filter | (not recovered)
    No sample log available


63. N/A | Search Filter | 7.x | Operational | t_attack | Sidewinder 7.x: General Attack
    No sample log available

64. N/A | Search Filter | 7.x | Operational | t_attack | Sidewinder 7.x: Policy Violation
    No sample log available

65. N/A | Search Filter | 7.x | Operational | t_attack | Sidewinder 7.x: Protocol Violation
    <179>Jun 6 18:32:37 auditd: date="Mar 15 02:28:54 2007 e=em1,reason="The Sidewinder received a RESET after the remote system connected, but no data was transferred. This could indicate a stealth connection attack."

66. N/A | Search Filter | 7.x | Operational | t_attack | Sidewinder 7.x: Signature-based IPS Intrusion Attempt
    No sample log available

67. N/A | Search Filter | 7.x / category is spam | Operational | t_attack | Sidewinder 7.x: Spam
    <179>Jun 6 18:32:37 auditd: date="Mar 16 16:33:55 2007 76,reason="Sendmail determined that this session is not allowed.",information="550 5.7.1 TrustedSource determined this IP address is untrusted. Reputation value: xxx.x.x.xx"

68. N/A | Search Filter | 7.x / category is virus | Operational | t_attack | Sidewinder 7.x: Virus
    No sample log available

69. N/A | Search Filter | 7.x | Operational | t_auth_lockout | Sidewinder 7.x: Authentication Lockout
    <179>Jun 6 18:32:37 auditd: date="Mar 15 22:50:02 2007 CDT",fac=f_acld,area=a_server,type=t_auth_lockout,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=authentication failure lockout,user_name=x,reason="Authentication failure limit exceeded."


70. connect failed | Search Filter | 7.x | Operational | t_info | Sidewinder 7.x: Connection Failed
    <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_info,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=connect failed,reason="Connection to server fail
ed."

71. failed connection | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: Connection Failed
    <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=failed connection,reason="Could not connect to server. The session was terminated."

72. TCP old duplicate | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: Invalid TCP packets
    <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=TCP old duplicate,reason="The Sidewinder received packet that contains a timestamp from before this connection was established. It may be an old duplicate packet from a previous connection, or it may indicate a timestamp attack."

73. TCP data/ closed conn | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: Invalid TCP packets
    <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=TCP data/ closed conn,reason="The Sidewinder received data for a connection that has been closed. This may indicate an attack."

74. TCP RESET sequence error | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: Invalid TCP packets
    <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=TCP RESET sequence error,reason="The Sidewinder received a RESET packet with an invalid sequence number. This may be a reset for an earlier connection, or it may indicate an attack."

75. license expire | Search Filter | 7.x | Operational | t_license_expire | Sidewinder 7.x: License Expiration
    <179>Jun 6 18:32:37 auditd: date="Mar 15 21:59:33 2007 CDT",fac=f_license,area=a_server,type=t_lic_expire,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=license expire,reason="",information=""
    (Note that the Event Type column gives t_license_expire while the sample's type field reads t_lic_expire; a filter on the type field should match what the device actually emits.)


76. passport addition | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport
    <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:42 2007 Mar 15 22:42:42 2007",access_time="Thu Mar 15 22:42:42 2007"

77. passport deletion | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport
    <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:42 2007 Mar 15 22:42:42 2007",access_time="Thu Mar 15 22:42:42 2007"

78. passport updated | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport
    <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:42 2007 Mar 15 22:42:42 2007",access_time="Thu Mar 15 22:42:42 2007"

79. all passports revoked | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport
    <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:42 2007 CDT",fac=f_acld,area=a_passport,type=t_passport_chng,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=all passports revoked,srcip=xx.xx.xxx.xx,user_name=x,external_group=(null),auth_method=Password,cache_time="Thu Mar 15 22:42:42 2007",access_time="Thu Mar 15 22:42:42 2007"

80. passport expiration | Search Filter | 7.x | Operational | t_passport_chng | Sidewinder 7.x: Passport Expiration
    <179>Jun 6 18:32:37 auditd: date="Mar 15 22:42:49 2007 CDT",fac=f_acld,area=a_passport,type=t_passport_chng,pri=p_major,pid=12227,ruid=0,euid=0,pgid=12227,logid=0,cmd=acld,domain=Acld,edomain=Acld,hostname=xxxx.x.com,event=passport expiration,srcip=xx.xx.xxx.xx,access_time="Thu Mar 15 22:42:49 2007"

81. system backup success | Search Filter | 7.x | Operational | t_info | (not recovered)
    <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_info,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=system backup success,reason="System backup from Operational System (F%d) to Alternate System (F%d) succeeded."


82. system backup failure | Search Filter | 7.x | Operational | t_error | Sidewinder 7.x: System Backup
    <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=system backup failure,reason="System backup from Operational System (F%d) to Alternate System (F%d) failed."

83. license notice | Search Filter | 7.x | Operational | t_important | Sidewinder 7.x: License Notice
    <179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,type=t_important,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,hostname=sidewinder1.loglabs.com,event=license notice,reason="Waiting to start '%s' because '%s' is %s."

84. N/A | Search Filter | 6.2 | Operational | t_cfg_change | Sidewinder: Configuration Change
    <179>Jun 6 18:32:37 auditd: date="Nov 7 00:00:06 2002 CST",fac=f_system,area=a_general_area,type=t_cfg_change,pri=p_major,pid=4517,ruid=0,euid=0,pgid=4483,logid=0,cmd='cf',domain=CARW,edomain=CARW,
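The following is an added example, written for this page and not LogLogic's or McAfee's code, that parses records in the form shown in the Sample Log Message column (a syslog envelope followed by a comma-separated key=value body in which quoted values may contain commas) and then runs a small detection pass of the kind the User Authentication, User Last Activity and Invalid TCP packets reports imply. The three complete sample lines are re-joined from rows 5, 13 and 72 of Table 1; the "auth deny" lines are constructed in the layout of row 3, whose sample is truncated on the page, so their field order, result=0 and hostname are assumptions, as are the alert names and the failure threshold.

```python
"""Parse Sidewinder / McAfee Firewall Enterprise auditd records (a syslog envelope plus a
comma-separated key=value body, as in Table 1) and run a small detection pass over them."""
import re
from collections import Counter
from typing import Any, Dict, Iterable, List, Tuple

# <PRI>Mon DD HH:MM:SS [relayhost] auditd: key=value,key="quoted, value",...
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?:(?P<host>[^ :]+) )?auditd: (?P<body>.*)$")

def parse_body(body: str) -> Dict[str, str]:
    """Split on commas outside double quotes: unquoted values may hold spaces (event=IP Filter
    session timeout) or be empty (domain=,edomain=,); quoted values may hold commas and '='."""
    fields: Dict[str, str] = {}
    i, n = 0, len(body)
    while i < n:
        eq = body.find("=", i)
        if eq < 0:
            raise ValueError(f"no key=value at offset {i}: {body[i:i + 20]!r}")
        key, i = body[i:eq].strip(), eq + 1
        if i < n and body[i] == '"':
            end = body.find('"', i + 1)
            if end < 0:
                raise ValueError(f"unterminated quote in field {key!r}")
            fields[key], i = body[i + 1:end], end + 1
        else:
            end = body.find(",", i)
            end = n if end < 0 else end
            fields[key], i = body[i:end], end
        if i < n and body[i] == ",":
            i += 1
    return fields

def parse_record(line: str) -> Dict[str, Any]:
    """Syslog envelope plus the auditd fields of one record."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not a Sidewinder auditd record: {line[:40]!r}")
    pri = int(m.group("pri"))
    rec: Dict[str, Any] = {"syslog_facility": pri >> 3,    # <131> local0, <179> local6
                           "syslog_severity": pri & 7,     # 3 = err for both
                           "syslog_time": m.group("ts"),   # stamped on the syslog path;
                           "relay_host": m.group("host")}  # the firewall's own clock is date=
    rec.update(parse_body(m.group("body")))
    return rec

INVALID_TCP_EVENTS = {"TCP old duplicate", "TCP data/ closed conn", "TCP RESET sequence error"}
# 7.x auth records carry the user and source only inside the free-text information= field.
AUTH_INFO_RE = re.compile(r"for user `(?P<user>[^'\s]+)'.*?from (?P<src>\d+(?:\.\d+){3})")
Alert = Tuple[str, str, str]  # (kind, subject, firewall date= value)

def triage(lines: Iterable[str], fail_threshold: int = 3) -> List[Alert]:
    """One pass over a batch; the alert names and the threshold are this example's own."""
    alerts: List[Alert] = []
    failures: Counter = Counter()
    for line in lines:
        rec = parse_record(line)
        kind, ev, when = rec.get("type"), rec.get("event", ""), rec.get("date", "")
        if kind == "t_auth_lockout" and ev == "authentication failure lockout":
            alerts.append(("lockout", rec.get("user_name", "?"), when))
        elif kind == "t_auth_attempt" and ev == "auth deny":
            m = AUTH_INFO_RE.search(rec.get("information", ""))
            subject = f"{m['user']}@{m['src']}" if m else rec.get("user_name", "?")
            failures[subject] += 1
            if failures[subject] == fail_threshold:  # fire once per subject
                alerts.append(("auth-failure-burst", subject, when))
        elif kind == "t_error" and ev in INVALID_TCP_EVENTS:
            alerts.append(("invalid-tcp", ev, when))
    return alerts

# Rows 5, 13 and 72 of Table 1 with their wrapped lines re-joined.
LOCKOUT = ('<179>Jun 6 18:32:37 auditd: date="Aug 25 22:29:34 2008 PDT",fac=f_acld,area=a_server,'
           'type=t_auth_lockout,pri=p_major,pid=2012,ruid=0,euid=0,pgid=2012,logid=0,cmd=acld,domain=Acld,'
           'edomain=Acld,hostname=sidewinder1.loglabs.com,event=authentication failure lockout,'
           'user_name=spippari,reason="Authentication failure limit exceeded."')
IPF_TIMEOUT = ('<131>Jan 15 14:51:23 auditd: date="Mar 5 01:18:07 2007 EST",fac=f_kernel_ipfilter,'
               'area=a_general_area,type=t_ipftraffic,pri=p_major,pid=0,ruid=0,euid=0,pgid=0,logid=0,cmd=kernel,'
               'domain=,edomain=,hostname=xxxxxxx.xxxx.com,event=IP Filter session timeout,rule_name=scobra_out_filter,'
               'srcip=70.70.70.70,srcport=1662,dstip=80.80.80.80,dstport=9003,bytes_written_to_client=1446281,'
               'bytes_written_to_server=122272,protocol=6,netsessid=45eba8ff00060315')
TCP_OLD_DUP = ('<179>Jun 6 18:32:37 auditd: date="Jul 9 23:51:00 2008 UTC",fac=f_daemond,area=a_server,'
               'type=t_error,pri=p_major,pid=161,ruid=0,euid=0,pgid=161,logid=0,cmd=daemond,domain=Dmnd,edomain=Dmnd,'
               'hostname=sidewinder1.loglabs.com,event=TCP old duplicate,reason="The Sidewinder received packet that '
               'contains a timestamp from before this connection was established. It may be an old duplicate packet '
               'from a previous connection, or it may indicate a timestamp attack."')

def auth_fail(sec: int) -> str:
    """CONSTRUCTED 7.x 'auth deny' record in row 3's layout; field order, result=0, hostname assumed."""
    return (f'<179>Jun 24 05:07:{sec:02d} auditd: date="Aug 11 12:51:{sec:02d} 2008 EDT",fac=f_login,'
            'area=a_general_area,type=t_auth_attempt,pri=p_major,pid=1880,ruid=0,euid=0,pgid=1880,logid=0,'
            'cmd=login,domain=Logn,edomain=Logn,hostname=sidewinder1.loglabs.com,event=auth deny,'
            'user_name=admin,auth_method=Password,result=0,reason="Authentication failed.",'
            'information="cobra login authentication failed for user `admin\', method Password, from 10.60.0.7"')

SAMPLES = [LOCKOUT, IPF_TIMEOUT, TCP_OLD_DUP] + [auth_fail(s) for s in (9, 12, 15)]

if __name__ == "__main__":
    for kind, subject, when in triage(SAMPLES):
        print(f"{kind:20} {subject:24} {when}")
```

Two points the samples make that matter when building filters or reports from this table: the syslog header time and the date= field disagree (by months in the table's samples), and only date= is the firewall's own clock and carries the zone, so timelines and cross-device correlation should key on it; and several 7.x records put the identity of interest (user, source address) only in the free-text information= field, so a field-level parse alone does not yield the subject of a failed login. Matching on the type field rather than on the event name also survives the format variants the table lists (the five "config Modify" formats are all t_cfg_change), with the caveat from row 75 that the emitted type string is what counts.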
