S

sandboxing

Classification of the file according to the sandboxing option.

Values: "clean", "suspicious", "malicious", "unknown", "forward" or "failed".

Sandboxing indicates a "clean", "suspicious" or "malicious" status if the file has already been scanned and classified. The "unknown" status is returned if sandboxing does not know the file in question. In this case, the whole file will be sent to the firewall to be scanned.

Example: sandboxing=forward.

Affected logs: l_ftp, l_sandboxing, l_pop3, l_smtp and l_web.

Sandboxing

sandboxinglevel

Indicates the level of the file's infection on a scale of 0 to 100.

Value of "0" (clean) to "100" (malicious).

Example: sandboxinglevel=20.

Affected logs: l_ftp, l_sandboxing, l_pop3 and l_smtp.

Sandboxing score

SavedEvaluation

Number of rule evaluations that did not use intrusion prevention technology.

Example: SavedEvaluation=2.

Affected logs: l_filterstat.

SCTPAssoc

Number of SCTP associations.

Numeric format.

Example: SCTPAssoc=2.

Available from: SNS v3.9.0.

Affected logs: l_filterstat.

SCTPAssocByte(i/o)

Number of bytes (incoming/outgoing) that have passed through the firewall for an SCTP association.

Numeric format.

Example: SCTPAssocByte(i/o)=9728/9576.

Available from: SNS v3.9.0.

Affected logs: l_filterstat.

SCTPAssocPacket

Number of packets exchanged for an SCTP association.

Numeric format.

Example: SCTPAssocPacket=128.

Available from: SNS v3.9.0.

Affected logs: l_filterstat.

security

Indicator of the Firewall’s security status.

This value is used by the fleet management tool (Stormshield Network Unified Manager) to provide information on the security status (minor alarms, major alarms, etc.).

Decimal format representing a percentage.

Example: security=70.

Affected logs: l_monitor.

sent

Number of bytes sent over the connection.

Decimal format.

Example: sent=14623.

Available from: SNS v1.0.0.

Affected logs: l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_smtp, l_ssl and l_web.

Sent

Example: "13 KB"

serverappid

Last server application detected on the connection.

Character string.

Example: serverappid=google.

Available from: SNS v3.2.0.

Affected logs: l_connection and l_plugin.

Server application

service

Name of the module that executed an action.

ASCII character string.

Example: service="SSOAgent".

Affected logs: l_pvm, l_sandboxing and l_system.

Service

sessionid

Session ID number allowing simultaneous connections to be differentiated.

Example: sessionid=18.

Affected logs: l_server.

Session

Example: "01.0018"

severity

Vulnerability’s intrinsic level of severity.

Values: “0” (Information), “1” (Weak), “2” (Moderate), “3” (High) or “4” (Critical).

Example: severity=3.

Affected logs: l_pvm.

Severity

Values: “Information”, “Weak”, “Moderate”, “High” or “Critical”.

side

Role of the Firewall in the negotiation of the tunnel.

Values: “initiator” or “responder”.

Example: side=initiator.

Affected logs: l_vpn.

Role

slotlevel

Indicates the type of rule that activated logging.

Values: “0” (implicit), “1” (global), or “2” (local).

Example: slotlevel=1.

Available from: SNS v1.0.0.

Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_smtp, l_ssl and l_web.

Rule level

Values: “Implicit”, “Global” or “Local”.

solution

Indicates whether a fix is available in order to correct the detected vulnerability.

Values: “0” (not available) or “1” (available).

Example: solution=1.

Affected logs: l_pvm.

Solution

Values: “Yes” or “No”.

spamlevel

Results of antispam processing on the message.

Values:

  • "X": error while processing the message.
  • "?": the nature of the message could not be determined.
  • "0": non-spam message.
  • "1", "2" or "3": criticality of the spam message, 3 being the most critical.

Available from: SNS v1.0.0.

Spam

spi_in

SPI (Security Parameter Index) number of the negotiated incoming SA (Security Association).

Character string in hexadecimal.

Example: spi_in=0x01ae58af.

Affected logs: l_vpn.

Incoming spi

spi_out

SPI number of the negotiated outgoing SA.

Character string in hexadecimal.

Example: spi_out=0x003d098c.

Affected logs: l_vpn.

Outgoing spi

src

IP address of the source host.

Decimal format.

Example: src=192.168.0.1.

May be displayed anonymously depending on the administrator's access privileges.

Available from: SNS v1.0.0.

Affected logs: l_alarm, l_auth, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_pvm, l_sandboxing, l_smtp, l_ssl, l_vpn, l_web and l_xvpn.

Source

srccontinent

Continent to which the source IP address of the connection belongs.

Value: continent's ISO code.

Example: srccontinent="eu".

Available from: SNS v3.0.0.

Affected logs: l_alarm, l_connection, l_filter, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web.

Source continent

srccountry

Country to which the source IP address of the connection belongs.

Format: country's ISO code.

Example: srccountry="fr".

Available from: SNS v3.0.0.

Affected logs: l_alarm, l_connection, l_filter, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web.

Source country

srchostrep

Reputation of the connection's source host. Available only if reputation management has been enabled for the relevant host.

Format: unrestricted integer.

Example: srchostrep=26123.

Available from: SNS v3.0.0.

Affected logs: l_alarm, l_connection, l_filter, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web.

Source host reputation

srcif

Internal name of the interface at the source of the traffic.

String of characters in UTF-8 format.

Example: "Ethernet0".

Available from: SNS v1.0.0.

Affected logs: l_alarm, l_connection, l_filter and l_plugin.

Source interf. (ID)

srcifname

Name of the object representing the interface at the source of the traffic.

String of characters in UTF-8 format.

Example: "out".

Available from: SNS v1.0.0.

Affected logs: l_alarm, l_connection, l_filter and l_plugin.

Source interf.

srciprep

Reputation of the source IP address. Available only if this IP address is public and listed in the IP address reputation base.

Value: "anonymizer", "botnet", "malware", "phishing", "tor", "scanner" or "spam".

Example: srciprep="anonymizer,tor".

Available from: SNS v3.0.0.

Affected logs: l_alarm, l_connection, l_filter, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web.

Public reputation of the source IP address

srcmac

MAC address of the source host.

May be displayed anonymously depending on the administrator's access privileges.

Example: srcmac=00:25:90:01:ce:e7.

Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_sandboxing, l_smtp, l_ssl and l_web.

Source MAC address

srcname

Name of the object corresponding to the source host. May be displayed anonymously depending on the administrator's access privileges.
String of characters in UTF-8 format.
Example: srcname=client_laptop.
Available from: SNS v1.0.0.

Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_pvm, l_sandboxing, l_smtp, l_ssl, l_vpn, l_web and l_xvpn.

Source name

srcport

Source port number of the service.

Example: srcport=51166.

Available from: SNS v1.0.0.

Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web.

Source port

srcportname

“Source” port name if it is known.

String of characters in UTF-8 format.

Example: srcportname=ad2003-dyn_tcp.

Available from: SNS v1.0.0.

Affected logs: l_alarm, l_connection, l_filter, l_ftp, l_plugin, l_pop3, l_sandboxing, l_smtp, l_ssl and l_web.

Source port name

sslvpnX

Indicators of bandwidth used by SSL VPN traffic:

  • Name of the interface. String of characters in UTF-8 format.
  • Incoming throughput (bits/second),
  • Maximum incoming throughput for a given period (bits/second),
  • Outgoing throughput (bits/second),
  • Maximum outgoing throughput for a given period (bits/second),
  • Number of packets accepted,
  • Number of packets blocked.

sslvpn0 represents TCP-based SSL VPN traffic.

sslvpn1 represents UDP-based SSL VPN traffic.

Format: 7 values separated by commas.

Example: sslvpn1=sslvpn_udp,61515,128648,788241,1890520,2130,21.

Affected logs: l_monitor.
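As an added example (not part of the Stormshield documentation), a small Python parser for the key=value log lines in which these fields appear: it splits the 7-value sslvpn0/sslvpn1 field into named counters and maps the coded values of severity, slotlevel, solution and spamlevel to the display labels listed above. The sub-field names for sslvpnX, the spamlevel labels and the sample lines are this example's own assumptions.

```python
import shlex
from typing import Any, Dict

# Display labels for the coded fields, as given in the field definitions above.
# spamlevel has no display labels on the page, so those strings are this example's own.
CODED = {
    "severity": {"0": "Information", "1": "Weak", "2": "Moderate", "3": "High", "4": "Critical"},
    "slotlevel": {"0": "Implicit", "1": "Global", "2": "Local"},
    "solution": {"0": "No", "1": "Yes"},
    "spamlevel": {"X": "processing error", "?": "undetermined", "0": "non-spam",
                  "1": "spam level 1", "2": "spam level 2", "3": "spam level 3"},
}
# Order of the 7 comma-separated values of sslvpn0/sslvpn1 (l_monitor);
# the sub-field names are assumed for this example.
SSLVPN_FIELDS = ("interface", "in_bps", "in_max_bps", "out_bps", "out_max_bps",
                 "packets_accepted", "packets_blocked")


def parse_line(line: str) -> Dict[str, Any]:
    """Parse one key=value SNS log line; values may be bare or double-quoted."""
    fields: Dict[str, Any] = {}
    for token in shlex.split(line):  # splits on unquoted spaces, strips quotes
        key, sep, value = token.partition("=")
        if sep:  # ignore tokens that are not key=value
            fields[key] = value
    # Coded values get a *_label entry holding the display text.
    for key, labels in CODED.items():
        if key in fields:
            fields[key + "_label"] = labels.get(fields[key], "unknown")
    # sslvpn0/sslvpn1 carry exactly 7 values; split them and make the counters ints.
    for key in ("sslvpn0", "sslvpn1"):
        if key in fields:
            parts = fields[key].split(",")
            if len(parts) != len(SSLVPN_FIELDS):
                raise ValueError(f"{key}: expected 7 values, got {len(parts)}")
            decoded: Dict[str, Any] = dict(zip(SSLVPN_FIELDS, parts))
            for name in SSLVPN_FIELDS[1:]:
                decoded[name] = int(decoded[name])
            fields[key] = decoded
    return fields


# Constructed sample lines built only from fields defined on this page.
MONITOR_LINE = "sslvpn1=sslvpn_udp,61515,128648,788241,1890520,2130,21 system=0 security=70"
PVM_LINE = "src=192.168.0.1 srcname=client_laptop severity=3 solution=1"
SMTP_LINE = 'slotlevel=1 spamlevel=? sent=14623 srciprep="anonymizer,tor"'

if __name__ == "__main__":
    for sample in (MONITOR_LINE, PVM_LINE, SMTP_LINE):
        print(parse_line(sample))
```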

system

Indicator of the Firewall’s system status.

This value is used by the fleet management tool (Stormshield Management Center) to provide information on the system status (available RAM, CPU use, bandwidth, interfaces, fullness of audit logs, etc.).

Decimal format representing a percentage.

Example: system=0.

Affected logs: l_monitor.