
IDP log message

July 09, 2007, 05:08:03 am #0
spocke

IDP log message

Hi,

Below is the sample log generated by the Netscreen IDP device,

Jan 24 23:40:30 10.xx.xx.xx 127.0.0.1 20040507-5 2004/05/02 22:44:31 10.xx.xx.30 0.0.0.0:0 10.xx.xx.23:0 0.0.0.0:0 0.0.0.0:0  ethX  4F60-20CC-4BC5-8F20 s0  :0 NONE 0 0 0 0 IP TRAFFIC-ARP_INVALID_SENDER_IP DROP_PACKET 0,0 no no no NONE no no no no

I was unable to figure out each and every attribute in the log message. I searched the Juniper site, but in vain. Can someone point me to some documents which will help me to understand the same?

Thanks in advance ...
-S-
July 09, 2007, 07:16:33 pm #1
mutex

Re: IDP log message

It seems like some of the fields are pretty obvious.  Like you, I haven't found any kind of documentation on what the other fields are.  I'll keep looking.
July 09, 2007, 11:25:47 pm #2
spocke

Re: IDP log message

Thanks in advance.
October 03, 2007, 05:22:27 am #3
achua2

Re: IDP log message

There are format changes between IDP v2.1/3.x to 4.0 (via NSM) vs 4.1 Direct.
The format is described in their user's manual. I cut-and-pasted some text from their user manuals
(please verify the format from their manual).

for IDP 3.x/2.1
===========
<day id>-<record id> <timestamp> <sensor addr> <src addr>:<src port>
<dst addr>:<dst port> <nat src addr>:<nat src port> <nat dst addr>:<nat dst port>
<user> <in nic> <out nic> <sensor vin> <virtual dev> <attack>
<policy name>:<policy ver> <rulebase> <rule number> <bytes> <packets> <elapsed>
<protocol> <category>-<subcategory> <action> <session id1>-<session id2>
<is hidden> <is duplicate> <is alert> <severity> <run script> <send email>
<send snmp> <send syslog>

for 4.1
=====
Syslog Message Format
The format of the syslog message sent by the IDP Sensor is as follows:
<day id>, <record id>, <timeReceived>, <timeGenerated>, <domain>,
<domainVersion>, <deviceName>, <deviceIpAddress>, <category>, <subcategory>,
<src zone>, <src intface>, <src addr>, <src port>, <nat src addr>, <nat src port>,
<dst zone>, <dst intface>, <dst addr>, <dst port>, <nat dst addr>, <nat dst port>,
<protocol>, <rule domain>, <rule domainVersion>, <policyname>, <rulebase>,
<rule number>, <action>, <severity>, <is alert>, <elapsed>, <bytes in>, <bytes out>,
<bytes total>, <packet in>, <packet out>, <packet total>, <repeatCount>, <hasPacketData>,
<varData Enum>, <misc-str>, <user str>, <application str>, <uri str>
Example:
[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21"
timeGen="2006/10/12 21:52:21" domain="" devDomVer2="0" device_ip="10.209.83.4"
cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" srcIntf="NULL"
srcAddr="192.168.170.20" srcPort="63396" natSrcAddr="NULL" natSrcPort="0"
dstZn="NULL" dstIntf="NULL" dstAddr="192.168.170.10" dstPort="27374"
natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="5"
policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW"
alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0"
outPak="0" totPak="0" repCount="0" packetData="no" varEnum="31"
misc="<017>'interface=eth2" user="NULL" app="NULL" uri="NULL"]
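
As an added example (not from the thread or from Juniper's documentation), a small Python parser that applies the IDP 3.x/2.1 field list quoted above to the line posted in the first message. The `127.0.0.1` token between the syslog host and the day id is not part of the quoted format, so it is kept under the assumed name `relay`; the field names below are my own shorthand for the manual's placeholders.

```python
import re
from typing import Dict

# Field order for IDP 3.x/2.1 records, taken from the list quoted in the thread;
# each entry is one space-separated token after the <timestamp> field.
IDP3_FIELDS = (
    "sensor_addr", "src", "dst", "nat_src", "nat_dst", "user", "in_nic",
    "out_nic", "sensor_vin", "virtual_dev", "attack", "policy", "rulebase",
    "rule_number", "bytes", "packets", "elapsed", "protocol", "category",
    "action", "session_id", "is_hidden", "is_duplicate", "is_alert",
    "severity", "run_script", "send_email", "send_snmp", "send_syslog",
)

# Syslog "<month> <day> <time> <host>" prefix, then an extra address whose
# meaning the thread does not document (assumption: named "relay" here),
# then <day id>-<record id> and the two-token <timestamp>.
HEADER = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<syslog_host>\S+) "
    r"(?P<relay>\S+) (?P<day_id>\d+)-(?P<record_id>\d+) "
    r"(?P<timestamp>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) (?P<rest>.*)$"
)

# Sample record: the (address-masked) line from the first post in this thread.
SAMPLE = ("Jan 24 23:40:30 10.xx.xx.xx 127.0.0.1 20040507-5 2004/05/02 22:44:31 "
          "10.xx.xx.30 0.0.0.0:0 10.xx.xx.23:0 0.0.0.0:0 0.0.0.0:0  ethX  "
          "4F60-20CC-4BC5-8F20 s0  :0 NONE 0 0 0 0 IP TRAFFIC-ARP_INVALID_SENDER_IP "
          "DROP_PACKET 0,0 no no no NONE no no no no")

def parse_idp3(line: str) -> Dict[str, str]:
    m = HEADER.match(line.rstrip("\n"))
    if not m:
        raise ValueError("not an IDP 3.x record: " + line)
    rec = m.groupdict()
    # Empty fields (user, out nic, attack) appear as nothing between two spaces,
    # so split on a single space and keep empty tokens rather than using split().
    tokens = rec.pop("rest").split(" ")
    if len(tokens) != len(IDP3_FIELDS):
        raise ValueError(f"expected {len(IDP3_FIELDS)} fields, got {len(tokens)}")
    rec.update(zip(IDP3_FIELDS, tokens))
    # Break up the compound tokens the format joins with ':' and '-'.
    for key in ("src", "dst", "nat_src", "nat_dst"):
        rec[key + "_addr"], _, rec[key + "_port"] = rec.pop(key).rpartition(":")
    rec["policy_name"], _, rec["policy_ver"] = rec.pop("policy").rpartition(":")
    rec["category"], _, rec["subcategory"] = rec["category"].partition("-")
    return rec

if __name__ == "__main__":
    for name, value in parse_idp3(SAMPLE).items():
        print(f"{name:14} {value!r}")
```

Run against the sample, the parse confirms the reading of the thread's line: empty user, out nic and attack fields, `4F60-20CC-4BC5-8F20` in the sensor vin position, and `TRAFFIC`/`ARP_INVALID_SENDER_IP` as category and subcategory.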

October 03, 2007, 05:25:34 am #4
achua2

Re: IDP log message

Online manuals:
http://www.juniper.net/techpubs/software/management/idp/
October 03, 2007, 06:51:23 am #5
mutex

Re: IDP log message

Outstanding! Thank you!
March 26, 2008, 09:27:20 am #6
citegrene

Re: IDP log message

What is the 4F60-20CC-4BC5-8F20 for an address? I don't really recognize that as something.

And are the xx.xx. in the message masked by the poster, or is that how it is really sent?

