
Chapter 6. Schemas Reference

Schemas for the firewall Superservice

DLF Schema for Firewall service

Schema ID: firewall

Timestamp Field: time

The firewall schema can be used for three types of logs: packet filtering firewalls, intrusion detection system events, and packet accounting devices.

Fields in the Schema

time

Type: timestamp

Defaults: 0

The time of the event.

action

Type: string

Defaults: -

The action taken on that packet: either denied or permitted.

protocol

Type: string

Defaults: -

The protocol of the packet. Common protocols are TCP, UDP or ICMP. This should be the IP protocol, not a higher-level application protocol.

from_ip

Type: ip

Defaults: -

The source IP address of the packet.

from_port

Type: port

Defaults: -

The source port (in the case of the TCP or UDP protocol). This should be the ICMP type when the protocol is ICMP.

from_host

Type: hostname

Defaults: -

The hostname associated with the source IP.

rcv_intf

Type: string

Defaults: -

The receiving interface. That should be the network interface on which the packet was received. That field should contain the logical name or type of the interface.

rcv_hwaddr

Type: string

Defaults: -

The hardware address of the receiving interface. That's the MAC address in the case of an Ethernet device.

to_ip

Type: ip

Defaults: -

The destination IP address of the packet.

to_port

Type: port

Defaults: -

The destination port (in the case of the TCP or UDP protocol). This should be the ICMP code when the protocol is ICMP.

to_host

Type: hostname

Defaults: -

The hostname associated with the destination IP.

snt_intf

Type: string

Defaults: -

The sending interface. That should be the network interface on which the packet was sent (i.e. the outgoing interface).

length

Type: bytes

Defaults: 0

The packet length (that is, the header and payload length). This should be the total length of the stream when the event represents multiple packets, for example in the case of packet accounting done on streams.

rule

Type: string

Defaults: -

The rule that triggered that packet to be logged, denied, permitted, etc.

msg

Type: string

Defaults: -

A message associated with that packet. This could be an attack signature detected by a Network Intrusion Detection System or anything of similar nature.

count

Type: int

Defaults: 1

The number of packets described by this event. This will be 1 in the case of a single packet. It can be higher in the case where multiple packets are aggregated into one event. Remember that the length value should then reflect the total length of all those packets.