firewall.logs

$ target-query <path/to/target> -f firewall.logs
Details

Module

dissect.target.plugins.os.windows.firewall.WindowsFirewallPlugin

Output

records

Module documentation

Windows Firewall plugin.

Function documentation

Parse Windows Firewall log files.

Currently parses pfirewall* files in sysvol\Windows\System32\LogFiles\Firewall\ only. Does not yet parse dynamically set log locations, e.g. a path configured with netsh advfirewall set currentprofile logging filename <path>. Note that Windows does not log dropped packets or successful connections unless logging was enabled for the profile, so a target on which logging was never turned on yields no records.

References:

Yields Windows Firewall log records with the following fields:

ts (datetime): The timestamp of the log entry.
hostname (string): The target hostname.
domain (string): The target domain.
action (string): Allow or Block.
protocol (string): TCP, UDP or other IANA protocol value.
src_ip (net.ipaddress): Source IP address.
dst_ip (net.ipaddress): Destination IP address.
src_port (varint): Source port number.
dst_port (varint): Destination port number.
size (filesize): Size in bytes of the packet(s).
tcpflags (string): TCP header control flags.
tcpsyn (string): TCP sequence number.
tcpack (string): TCP acknowledgement number.
tcpwin (string): TCP window size in bytes.
icmptype (string): ICMP packet type.
icmpcode (string): ICMP packet code.
info (string): Additional information.
path (string): Direction of the traffic, either SEND, RECEIVE, FORWARD or UNKNOWN.
source (path): Source path of the record log line.
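The field list above maps directly onto the columns of the W3C-style pfirewall.log format, where the file's own #Fields: header names the columns and '-' marks an absent value. The following is an added example, not code from Dissect or from this plugin: a stand-alone Python parser that reads that format into dicts keyed like the record fields listed above (the header-to-field mapping and the pfirewall.log source name are assumptions made for the example), plus a small triage helper that counts blocked inbound traffic per source and destination port. The sample log is constructed, not a real capture; its ALLOW/DROP action tokens are the ones Windows writes to the file.

```python
"""Parse Windows Firewall (pfirewall.log) text into records shaped like the plugin's output."""
from collections import Counter
from datetime import datetime
import ipaddress

# Constructed sample in the W3C-style format Windows writes to
# sysvol\Windows\System32\LogFiles\Firewall\pfirewall.log. Not a real capture.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2023-09-12 10:15:01 DROP TCP 10.0.0.5 192.168.1.20 51522 445 52 S 2419829874 0 8192 - - - RECEIVE
2023-09-12 10:15:01 DROP TCP 10.0.0.5 192.168.1.20 51523 445 52 S 2419829875 0 8192 - - - RECEIVE
2023-09-12 10:15:02 ALLOW UDP 192.168.1.20 8.8.8.8 53124 53 0 - - - - - - - SEND
2023-09-12 10:15:03 DROP ICMP 10.0.0.9 192.168.1.20 - - 84 - - - - 8 0 - RECEIVE
"""

# Assumed mapping from #Fields: header column names to the record field names listed above.
COLUMN_MAP = {
    "action": "action", "protocol": "protocol",
    "src-ip": "src_ip", "dst-ip": "dst_ip",
    "src-port": "src_port", "dst-port": "dst_port",
    "size": "size", "tcpflags": "tcpflags", "tcpsyn": "tcpsyn",
    "tcpack": "tcpack", "tcpwin": "tcpwin", "icmptype": "icmptype",
    "icmpcode": "icmpcode", "info": "info", "path": "path",
}
INT_FIELDS = {"src_port", "dst_port", "size"}
IP_FIELDS = {"src_ip", "dst_ip"}


def _convert(field, value):
    """Turn the '-' placeholder into None and type the numeric and IP columns."""
    if value == "-":
        return None
    if field in INT_FIELDS:
        return int(value)
    if field in IP_FIELDS:
        return ipaddress.ip_address(value)
    return value


def parse_firewall_log(text, source="pfirewall.log"):
    """Parse pfirewall.log text into a list of dicts keyed like the plugin's record fields.

    Column order comes from the '#Fields:' header rather than being hard-coded,
    so a file with a different column layout still parses correctly.
    """
    columns = None
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                columns = line[len("#Fields:"):].split()
            continue  # #Version, #Software and #Time Format lines carry no events
        if columns is None:
            raise ValueError(f"line {lineno}: data before '#Fields:' header")
        values = line.split()
        if len(values) != len(columns):
            raise ValueError(f"line {lineno}: expected {len(columns)} columns, got {len(values)}")
        row = dict(zip(columns, values))
        # 'date' and 'time' combine into ts. The file is in local time ('#Time Format: Local'),
        # so no tzinfo is attached; the analyst has to supply the host's zone.
        record = {"ts": datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")}
        for col, field in COLUMN_MAP.items():
            if col in row:
                record[field] = _convert(field, row[col])
        record["source"] = source
        records.append(record)
    return records


def blocked_inbound_by_source(records):
    """Count DROP + RECEIVE entries per (src_ip, dst_port): a quick view of who is probing what."""
    counts = Counter()
    for r in records:
        if r.get("action") == "DROP" and r.get("path") == "RECEIVE":
            counts[(str(r.get("src_ip")), r.get("dst_port"))] += 1
    return counts


if __name__ == "__main__":
    recs = parse_firewall_log(SAMPLE_LOG)
    for r in recs:
        print(r["ts"], r["action"], r["protocol"], r["src_ip"], "->", r["dst_ip"], r["dst_port"], r["path"])
    for (src, port), n in blocked_inbound_by_source(recs).most_common():
        print(f"{src} -> port {port}: {n} blocked inbound")
```

Parsing the header instead of assuming a fixed column order is what keeps the parser correct when a profile logs a different field set; a strict column-count check turns a truncated or corrupted line into an error rather than silently shifting values into the wrong fields.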