S
sandboxing |
Classification of the file according to the sandboxing option. Value: "clean", "suspicious", "malicious", "unknown", "forward", "failed". Sandboxing indicates a "clean", "suspicious" or "malicious" status if the file has already been scanned and classified. The "unknown" status is returned if sandboxing does not know the file in question. In this case, the whole file will be sent to the firewall to be scanned. Example: sandboxing=forward. Affected logs: l_ftp, l_sandboxing, l_pop3, l_smtp and l_web. |
Sandboxing | |
sandboxinglevel |
Indicates the level of the file's infection on a scale of 0 to 100. Value of "0" (clean) to "100" (malicious). Example: sandboxinglevel=20. Affected logs: l_ftp, l_sandboxing, l_pop3 and l_smtp. |
Sandboxing score | |
SavedEvaluation |
Number of rule evaluations that did not use intrusion prevention technology. Example: SavedEvaluation=2. Affected logs: l_filterstat. |
SCTPAssoc |
Number of SCTP associations. Numeric format. Example: SCTPAssoc=2. Available from: SNS v3.9.0. Affected logs: l_filterstat. |
SCTPAssocByte(i/o) |
Number of bytes (incoming/outgoing) that have passed through the firewall for an SCTP association. Numeric format. Example: SCTPAssocByte(i/o)=9728/9576. Available from: SNS v3.9.0. Affected logs: l_filterstat. |
SCTPAssocPacket |
Number of packets exchanged for an SCTP association. Numeric format. Example: SCTPAssocPacket=128. Available from: SNS v3.9.0. Affected logs: l_filterstat. |
security |
Indicator of the Firewall’s security status. This value is used by the fleet management tool (Stormshield Network Unified Manager) to provide information on the security status (minor, major alarms, etc.). Decimal format representing a percentage. Example: security=70. Affected logs: l_monitor. |
sent |
Number of bytes sent over the connection. Affected logs: l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_smtp, l_ssl and l_web. |
Sent
Example: "13 KB" |
|
serverappid |
Last server application detected on the connection. Affected logs: l_connection and l_plugin. |
Server application | |
service |
Name of the module that executed an action. ASCII character string. Example: service="SSOAgent". Affected logs: l_pvm, l_sandboxing, l_system and l_routing. |
Service |
|
sessionid |
Session ID number allowing simultaneous connections to be differentiated. Example: sessionid=18. Affected logs: l_server. |
Session Example: "01.0018" |
|
severity |
Vulnerability’s intrinsic level of severity. Values: “0” (Information), “1” (Weak), “2” (Moderate), “3” (High) or “4” (Critical). Example: severity=3. Affected logs: l_pvm. |
Severity Values: “Information”, “Weak”, “Moderate”, “High” or “Critical”. |
|
side |
Role of the Firewall in the negotiation of the tunnel. Values: “initiator” or “responder”. Example: side=initiator. Affected logs: l_vpn. |
Role |
|
slotlevel |
Indicates the type of rule that activated logging. Values: “0” (implicit), “1” (global), or “2” (local). Example: slotlevel=1. Available from: SNS v1.0.0. Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_smtp, l_ssl and l_web. |
Rule level Values: “Implicit”, “Global” or “Local”. |
|
solution |
Indicates whether a fix is available in order to correct the detected vulnerability. Values: “0” (not available) or “1” (available). Example: solution=1. Affected logs: l_pvm. |
Solution Values: “Yes” or “No”. |
|
spamlevel |
Results of antispam processing on the message. Values: "X": error while processing the message. "?": the nature of the message could not be determined. "0": non-spam message. "1", "2" or "3": criticality of the spam message, 3 being the most critical. Available from: SNS v1.0.0. |
Spam |
|
spi_in |
SPI (Security Parameter Index) number of the negotiated incoming SA (Security Association). Character string in hexadecimal. Example: spi_in=0x01ae58af. Affected logs: l_vpn. |
Incoming spi |
|
spi_out |
SPI number of the negotiated outgoing SA. Character string in hexadecimal. Example: spi_out=0x003d098c. Affected logs: l_vpn. |
Outgoing spi |
|
src |
IP address of the source host. Decimal format. Example: src=192.168.0.1. May be displayed anonymously depending on the administrator's access privileges. Available from: SNS v1.0.0. Affected logs: l_alarm, l_auth, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_pvm, l_sandboxing, l_smtp, l_ssl, l_vpn, l_web, l_xvpn and l_dmrouting. |
Source |
|
srccontinent |
Continent to which the source IP address of the connection belongs. Value: continent's ISO code. Example: srccontinent="eu". Available from: SNS v3.0.0. Affected logs: l_alarm, l_connection, l_filter, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web. |
Source continent | |
srccountry |
Country to which the source IP address of the connection belongs. Format: country's ISO code. Example: srccountry="fr". Available from: SNS v3.0.0. Affected logs: l_alarm, l_connection, l_filter, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web. |
Source country | |
srchostrep |
Reputation of the connection's source host. Available only if reputation management has been enabled for the relevant host. Format: unrestricted integer. Example: srchostrep=26123. Available from: SNS v3.0.0. Affected logs: l_alarm, l_connection, l_filter, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web. |
Source host reputation | |
srcif |
Internal name of the interface at the source of the traffic. Affected logs: l_alarm, l_connection, l_filter, l_plugin and l_dmrouting. |
Source interf. (ID) | |
srcifname |
Name of the object representing the interface at the source of the traffic. Affected logs: l_alarm, l_connection, l_filter, l_plugin and l_dmrouting. |
Source interf. | |
srciprep |
Reputation of the source IP address. Available only if this IP address is public and listed in the IP address reputation base. Value: "anonymizer", "botnet", "malware", "phishing", "tor", "scanner" or "spam". Example: srciprep="anonymizer,tor". Available from: SNS v3.0.0. Affected logs: l_alarm, l_connection, l_filter, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web. |
Public reputation of the source IP address | |
srcmac |
MAC address of the source host. May be displayed anonymously depending on the administrator's access privileges. Example: srcmac=00:25:90:01:ce:e7. Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_sandboxing, l_smtp, l_ssl and l_web. |
Source MAC address |
|
srcname |
Name of the object corresponding to the source host. May be displayed anonymously depending on the administrator's access privileges. Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_pvm, l_sandboxing, l_smtp, l_ssl, l_vpn, l_web, l_xvpn and l_dmrouting. |
Source name | |
srcport |
Source port number of the service. Example: srcport=51166. Available from: SNS v1.0.0. Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web. |
Source port |
|
srcportname |
“Source” port name if it is known. String of characters in UTF-8 format. Example: srcportname=ad2003-dyn_tcp. Available from: SNS v1.0.0. Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web. |
Source port name |
|
sslvpnX |
Indicators of bandwidth used by SSL VPN traffic:
sslvpn0 represents TCP-based SSL VPN traffic. sslvpn1 represents UDP-based SSL VPN traffic.
Format: 7 values separated by commas. Example: sslvpn1=sslvpn_udp,61515,128648,788241,1890520,2130,21. Affected logs: l_monitor. |
system |
Indicator of the Firewall’s system status. This value is used by the fleet management tool (Stormshield Management Center) to provide information on the system status (available RAM, CPU use, bandwidth, interfaces, fullness of audit logs, etc.). Decimal format representing a percentage. Example: system=0. Affected logs: l_monitor. |
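
Added example (not part of the Stormshield documentation): a small Python triage pass that parses `key=value` log lines and applies the `sandboxing`, `sandboxinglevel`, `srciprep` and `slotlevel` definitions listed above. The sample lines are constructed, and the review threshold of 50 and the function names are assumptions.

```python
import re

# Value mappings copied from the field descriptions on this page.
SLOTLEVEL = {"0": "implicit", "1": "global", "2": "local"}
SANDBOX_ALERT = {"suspicious", "malicious"}

# key=value pairs; a value is either double-quoted or a run of non-spaces.
PAIR = re.compile(r'([\w()/]+)=(?:"([^"]*)"|(\S*))')

def parse_line(line):
    """Return the fields of one log line as a dict of strings."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PAIR.finditer(line)}

def triage(fields, level_threshold=50):
    """List the reasons an entry deserves review (threshold is an assumption)."""
    reasons = []
    verdict = fields.get("sandboxing")
    if verdict in SANDBOX_ALERT:
        reasons.append(f"sandboxing={verdict}")
    level = fields.get("sandboxinglevel", "")
    if level.isdigit() and int(level) >= level_threshold:
        reasons.append(f"sandboxinglevel={level}")
    # srciprep can carry several categories in one quoted, comma-separated value.
    for category in filter(None, fields.get("srciprep", "").split(",")):
        reasons.append(f"srciprep:{category.strip()}")
    if reasons:
        # Record which rule level produced the log, for context.
        rule = SLOTLEVEL.get(fields.get("slotlevel"), "unknown")
        reasons.append(f"logged by {rule} rule")
    return reasons

# Constructed sample lines (not captured from a real firewall).
SAMPLES = [
    'src=192.168.0.1 srcport=51166 slotlevel=1 sandboxing=malicious sandboxinglevel=100',
    'src=203.0.113.7 srccountry="fr" srciprep="anonymizer,tor" slotlevel=2 '
    'sandboxing=clean sandboxinglevel=0',
    'src=192.168.0.1 slotlevel=0 sandboxing=unknown',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(parse_line(line)) or "no action")
```
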