Fields specific to the “l_sandboxing” log

The fields described below are shown in the firewall's web administration interface in the Sandboxing module in the Audit logs > Logs menu and in the All logs and Sandboxing views in the Audit logs > Views menu.

hash

Result of the file content hash (SHA2 method).
Format: string of characters in UTF-8 format.
Example: "f4d1be410a6102b9ae7d1c32612bed4f12158df3cd1ab6440a9ac0cad417446d"
Name in the web interface: Hash

sandboxinglevel

Indicates the level of the file's infection on a scale of 0 to 100.
Value: "0" (clean) to "100" (malicious).
Name in the web interface: Sandboxing score

sandboxing

Classification of the file according to the sandboxing option.
Value: "clean", "suspicious", "malicious", "unknown", "forward", "failed".
The sandboxing option indicates a "clean", "suspicious" or "malicious" status if the file has already been scanned and classified. The "unknown" status is returned if sandboxing does not know the file concerned. In this case, the whole file will be sent to the firewall to be scanned.
Name in the web interface: Sandboxing

msg

Message associated with the results of the sandboxing scan.
Format: string of characters in UTF-8 format.
Example: "Virus name: thisvirus"
Name in the web interface: Message

dstcontinent

Continent to which the destination IP address of the connection belongs.
Format: continent's ISO code.
Example: dstcontinent="eu"
Name in the web interface: Destination continent

dstcountry

Country to which the destination IP address of the connection belongs.
Format: country's ISO code.
Example: dstcountry="fr"
Name in the web interface: Destination country

dsthostrep

Reputation of the connection's target host. Available only if reputation management has been enabled for the relevant host.
Format: unrestricted integer.
Example: dsthostrep=506
Name in the web interface: Destination host reputation

dstiprep

Reputation of the destination IP address. Available only if this IP address is public and listed in the IP address reputation base.
Value: "anonymizer", "botnet", "malware", "phishing", "tor", "scanner" or "spam".
Example: dstiprep="spam"
Name in the web interface: Reputation of the dest.

risk

Risk relating to the connection. This value contributes to the reputation score of the connection's source host.
Value: between 1 (low risk) and 100 (very high risk).
Example: risk=20
Name in the web interface: Risk

srccontinent

Continent to which the source IP address of the connection belongs.
Format: continent's ISO code.
Example: srccontinent="eu"
Name in the web interface: Source continent

srccountry

Country to which the source IP address of the connection belongs.
Format: country's ISO code.
Example: srccountry="fr"
Name in the web interface: Source country

srchostrep

Reputation of the connection's source host. Available only if reputation management has been enabled for the relevant host.
Format: unrestricted integer.
Example: srchostrep=26123
Name in the web interface: Source host reputation

srciprep

Reputation of the source IP address. Available only if this IP address is public and listed in the IP address reputation base.
Value: "anonymizer", "botnet", "malware", "phishing", "tor", "scanner" or "spam".
Example: srciprep="anonymizer,tor"
Name in the web interface: Reputation of the src.

proto

Name of the associated plugin. If this is not available, the name of the standard service corresponding to the destination port.
Format: string of characters in UTF-8 format.
Example: "http", "ssh"
Name in the web interface: Protocol

service

Service (product with a dedicated port) on which the vulnerability was detected.
Format: string of characters in UTF-8 format.
Example: "OpenSSH_5.4"
Name in the web interface: Vulnerability management / Service
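As an added example (not part of the original documentation), the following Python parses a constructed l_sandboxing line into typed fields and maps the sandboxing verdict to a SOC action, splitting the multi-valued reputation fields as in the srciprep="anonymizer,tor" example above. It assumes the line is a space-separated sequence of key=value tokens with double-quoted strings, which is an assumption for this example; the sample values are constructed, not captured from a device.

```python
import re
from typing import Dict, List

# One key=value token: a double-quoted string (may contain spaces) or a bare value.
# The space-separated key=value layout of the line is an assumption for this example.
_TOKEN = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Fields the page documents as integers, and those given as comma-separated lists.
_INTEGER_FIELDS = {"sandboxinglevel", "risk", "srchostrep", "dsthostrep"}
_LIST_FIELDS = {"srciprep", "dstiprep"}

# Constructed sample line; the values are illustrative, not captured from a device.
SAMPLE_LINE = (
    'proto="http" hash="f4d1be410a6102b9ae7d1c32612bed4f12158df3cd1ab6440a9ac0cad417446d" '
    'sandboxing="malicious" sandboxinglevel=87 msg="Virus name: thisvirus" '
    'srccountry="fr" srciprep="anonymizer,tor" srchostrep=26123 dstcountry="us" risk=20'
)


def parse_sandboxing_line(line: str) -> Dict[str, object]:
    """Parse a key=value line into a dict, typing the fields the page describes."""
    record: Dict[str, object] = {}
    for key, quoted, bare in _TOKEN.findall(line):
        value = bare if bare else quoted  # an empty quoted string stays ""
        if key in _INTEGER_FIELDS and value.lstrip("-").isdigit():
            record[key] = int(value)
        elif key in _LIST_FIELDS:
            record[key] = [v for v in value.split(",") if v]  # "anonymizer,tor" -> two tags
        else:
            record[key] = value
    return record


def triage(record: Dict[str, object]) -> Dict[str, object]:
    """Turn the sandboxing verdict into a SOC action and gather reputation context."""
    verdict = record.get("sandboxing")
    action = {
        "malicious": "alert",        # file already known and classified as malicious
        "suspicious": "review",      # needs analyst attention
        "clean": "ignore",
        "unknown": "await-result",   # file not yet known; a full scan was requested
        "failed": "scan-error",      # no verdict was produced; do not treat as clean
    }.get(verdict, "review")         # values the page lists without describing them
    context: List[str] = [f"{f}:{tag}" for f in _LIST_FIELDS for tag in record.get(f, [])]
    return {
        "action": action,
        "score": record.get("sandboxinglevel"),  # 0 (clean) .. 100 (malicious)
        "hash": record.get("hash"),
        "context": sorted(context),
    }
```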