Fields specific to the "l_sandboxing" log

The fields described below are shown in the firewall's web administration interface in the Sandboxing module in the Audit logs > Logs menu and in the All logs and Sandboxing views in the Audit logs > Views menu.

hash

Results of the file content hash (SHA2 method)

String of characters in UTF-8 format.

Example: “f4d1be410a6102b9ae7d1c32612bed4f12158df3cd1ab6440a9ac0cad417446d”

Hash

sandboxinglevel

Indicates the level of the file's infection on a scale of 0 to 100.

Value: "0" (clean) to "100" (malicious).

Sandboxing score

sandboxing

Classification of the file according to the sandboxing option.

Value: "clean", "suspicious", "malicious", "unknown", "forward", "failed".

The sandboxing option indicates a "clean", "suspicious" or "malicious" status if the file has already been scanned and classified. The "unknown" status is returned if sandboxing does not know the file concerned. In this case, the whole file will be sent to the firewall to be scanned.

Sandboxing

msg

Message associated with the results of the sandboxing scan.

String of characters in UTF-8 format. Example: "Virus name: thisvirus".

Message

dstcontinent

Continent to which the destination IP address of the connection belongs.

Value: continent's ISO code

Example: dstcontinent="eu"

Available from: SNS v3.0.0.

Destination continent

dstcountry

Country to which the destination IP address of the connection belongs.

Format: country's ISO code

Example: dstcountry="fr"

Available from: SNS v3.0.0.

Destination country

dsthostrep

Reputation of the connection's target host. Available only if reputation management has been enabled for the relevant host.

Format: unrestricted integer.

Example: dsthostrep=506

Available from: SNS v3.0.0.

Destination host reputation

dstiprep

Reputation of the destination IP address. Available only if this IP address is public and listed in the IP address reputation base.

Value: "anonymizer", "botnet", "malware", "phishing", "tor", "scanner" or "spam".

Example: dstiprep="spam"

Available from: SNS v3.0.0.

Reputation of the dest.

risk

Risk relating to the connection. This value contributes to the reputation score of the connection's source host.

Value: between 1 (low risk) and 100 (very high risk).

Example: risk=20

Available from: SNS v3.0.0.

Risk

srccontinent

Continent to which the source IP address of the connection belongs.

Value: continent's ISO code

Example: srccontinent="eu"

Available from: SNS v3.0.0.

Source continent

srccountry

Country to which the source IP address of the connection belongs.

Format: country's ISO code

Example: srccountry="fr"

Available from: SNS v3.0.0.

Source country

srchostrep

Reputation of the connection's source host. Available only if reputation management has been enabled for the relevant host.

Format: unrestricted integer.

Example: srchostrep=26123

Available from: SNS v3.0.0.

Source host reputation

srciprep

Reputation of the source IP address. Available only if this IP address is public and listed in the IP address reputation base.

Value: "anonymizer", "botnet", "malware", "phishing", "tor", "scanner" or "spam".

Example: srciprep="anonymizer,tor"

Available from: SNS v3.0.0.

Reputation of the src.

proto

Name of the associated plugin. If this is not available, the name of the standard service corresponding to the destination port.

String of characters in UTF-8 format. Example: “http”, “ssh”

Available from: SNS v1.0.0.

Protocol

service

Service (product with a dedicated port) on which the vulnerability was detected.

String of characters in UTF-8 format. Example: “OpenSSH_5.4”

Vulnerability management / Service
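
The following is an added example, not code from the product or its documentation: a small parser and triage check that reads the fields described above and validates them against the documented value sets. It assumes log lines are space-separated key=value pairs written as in the page's examples; the sample lines, the `ACTION` policy and the function names are constructed for illustration.

```python
import re

# key=value or key="value" pairs, as in the page's examples (risk=20, dstcountry="fr").
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
CLASSES = {"clean", "suspicious", "malicious", "unknown", "forward", "failed"}
IPREP = {"anonymizer", "botnet", "malware", "phishing", "tor", "scanner", "spam"}
# Assumed triage policy (not from the documentation): action per classification.
ACTION = {"malicious": "alert", "suspicious": "review",
          "unknown": "follow-up", "failed": "follow-up"}

def parse_line(line):
    """Return the fields of one log line as a dict of strings."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in PAIR.finditer(line)}

def triage(fields):
    """Return (action, notes) for one parsed l_sandboxing record."""
    notes = []
    verdict = fields.get("sandboxing", "")
    action = ACTION.get(verdict, "none")
    if verdict not in CLASSES:
        action = "review"  # a value outside the documented set needs a human look
        notes.append(f"unexpected sandboxing value: {verdict!r}")
    level = fields.get("sandboxinglevel")
    if level is not None and not (re.fullmatch(r"[0-9]{1,3}", level) and int(level) <= 100):
        notes.append(f"sandboxinglevel outside 0-100: {level!r}")
    for key in ("srciprep", "dstiprep"):
        # Several categories can be listed at once, e.g. "anonymizer,tor".
        tags = [t for t in fields.get(key, "").split(",") if t]
        undocumented = [t for t in tags if t not in IPREP]
        if undocumented:
            notes.append(f"{key} has undocumented category: {','.join(undocumented)}")
        elif tags:
            notes.append(f"{key}: {'/'.join(tags)}")
    return action, notes

# Constructed sample lines (hash values are placeholders, not real indicators).
SAMPLE = [
    'hash="' + "ab" * 32 + '" sandboxinglevel=100 sandboxing="malicious" '
    'msg="Virus name: thisvirus" srciprep="anonymizer,tor" risk=20',
    'hash="' + "cd" * 32 + '" sandboxinglevel=0 sandboxing="clean" dstcountry="fr"',
    'hash="' + "ef" * 32 + '" sandboxing="failed"',
    'sandboxinglevel=250 sandboxing="malicious"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(parse_line(line)))
```
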