Fields specific to the “l_alarm” log

The fields described below appear in the web administration interface of the firewall under the Monitoring > Logs - Audit logs module, in the views: All logs, Alarms, Filtering and System events.

| Field | Description | Format / example | Available from | Label in the web interface |
|---|---|---|---|---|
| action | Behavior associated with the filter rule. | Value: "pass" or "block" | | Action |
| msg | Text message explaining the alarm. | String of characters in UTF-8 format. Example: "Port probe" | | Message |
| class | Information about the alarm's category. | String of characters in UTF-8 format. Example: "protocol", "system", "filter"… | | Context |
| classification | Code number indicating the alarm category. | Example: "0" | | Classification |
| (field name not shown on this page) | | Example: "Application" | | |
| pktlen | Size of the network packet that activated the alarm (in bytes). | Example: "133" | | Packet size |
| pktdumplen | Size of the packet captured for deeper analysis by a third-party tool. This value may differ from the value of the "pktlen" field. | Example: "133" | | Size of the packet captured |
| pktdump | Network packet captured and encoded in hexadecimal for deeper analysis by a third-party tool. | Example: "450000321fd240008011c2f50a00007b0a3c033d0035c" | | Captured packet |
| alarmid | Stormshield Network alarm ID. | Decimal format. Example: "85" | | Alarm ID |
| repeat | Number of occurrences of the alarm over a given period. | Decimal format. Example: "4" | SNS v1.0.0 | Repeat |
| icmpcode | Code number of the ICMP message. | Example: "1" (meaning "Destination host unreachable"). | SNS v1.0.0 | ICMP code |
| icmptype | Number of the type of ICMP message. | Example: "3" (meaning "Destination unreachable"). | SNS v1.0.0 | ICMP type |
| domain | Authentication method used, or LDAP directory of the user authenticated by the firewall. | String of characters in UTF-8 format. Example: domain="documentation.stormshield.eu" | SNS v3.0.0 | Method or directory |
| risk | Risk relating to the connection. This value contributes to the reputation score of the connection's source host. | Value: between 1 (low risk) and 100 (very high risk). Example: risk=20 | SNS v3.0.0 | Risk |
| target | Indicates whether the src or dst field corresponds to the target of the packet that raised the alarm. | Values: "src" or "dst" | SNS v3.0.0 | Target |
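The following added example (not Stormshield's code) shows how a SIEM-side parser could consume an l_alarm record using the fields above: it parses a constructed sample line, checks the documented value constraints (action, risk, target, and that pktdumplen matches the decoded pktdump), and decodes the IPv4 header from pktdump. The space-separated key=value layout with quoted string values, and the pktdump starting at the IP header, are assumptions of the example.

```python
import ipaddress
import re
import struct
from typing import Any, Dict, List

# Constructed sample line (not from a real firewall); the space-separated
# key=value layout with quoted string values is an assumption of this example.
SAMPLE_LINE = (
    'action="block" msg="Port probe" class="protocol" classification="0" '
    'pktlen="50" pktdumplen="20" pktdump="450000321fd240008011c2f50a00007b0a3c033d" '
    'alarmid="85" repeat="4" icmptype="3" icmpcode="1" '
    'domain="documentation.stormshield.eu" risk=20 target="src"'
)
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="..." or key=bare
INT_FIELDS = {"classification", "pktlen", "pktdumplen", "alarmid", "repeat",
              "icmptype", "icmpcode", "risk"}

def parse_alarm(line: str) -> Dict[str, Any]:
    """Parse one l_alarm line into a dict; numeric fields become int."""
    rec: Dict[str, Any] = {}
    for key, quoted, bare in _KV_RE.findall(line):
        value = bare or quoted
        rec[key] = int(value) if key in INT_FIELDS else value
    return rec

def check_record(rec: Dict[str, Any]) -> List[str]:
    """Return findings where a record violates the documented field constraints."""
    findings = []
    if rec.get("action") not in ("pass", "block"):
        findings.append("unexpected action value")
    if "risk" in rec and not 1 <= rec["risk"] <= 100:
        findings.append("risk outside 1..100")
    if rec.get("target") not in (None, "src", "dst"):
        findings.append("unexpected target value")
    if "pktdump" in rec:
        # pktdumplen counts the captured bytes and may be smaller than pktlen
        # (truncated capture), but it must match the decoded dump length.
        if len(bytes.fromhex(rec["pktdump"])) != rec.get("pktdumplen"):
            findings.append("pktdumplen does not match decoded pktdump length")
    return findings

def ipv4_summary(pktdump_hex: str) -> Dict[str, Any]:
    """Decode the fixed IPv4 header at the start of a pktdump (assumes the
    capture begins at the IP header, with no link-layer header)."""
    raw = bytes.fromhex(pktdump_hex)
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("pktdump does not start with an IPv4 header")
    return {"total_length": struct.unpack("!H", raw[2:4])[0],
            "protocol": raw[9],
            "src": str(ipaddress.IPv4Address(raw[12:16])),
            "dst": str(ipaddress.IPv4Address(raw[16:20]))}
```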