symantec.firewall
#
$ target-query <path/to/target> -f symantec.firewall
Module |
|
Output |
|
Module documentation
Symantec Endpoint Security Suite Plugin, based on https://malwaremaloney.blogspot.com/2021/01/
Function documentation
Return log firewall records.
- Yields SEPFirewallRecord with the following fields:
ts (datetime): Timestamp associated with the event. protocol (string): Protocol name associated with the firewall record. local_ip (“net.ipaddress”): Local IP address associated with the event. remote_ip (“net.ipaddress”): Remote IP address associated with the event. local_ip6 (“net.ipaddress”): Local IPv6 address associated with the event. remote_ip6 (“net.ipaddress”): Remote IPv6 address associated with the event. local_port (varint): Local port associated with the event. remote_port (varint): Local port associated with the event. outbound (boolean): True in case of outbound traffic/connection. begin_time (datetime): Start of the event. end_time (datetime): End of the event. repetition (varint): How many times this event happened within the time frame. blocked (boolean): Whether the traffic/connection was succesfully blocked. severity (string): Severity of the event. rule_id (varint): Firewall rule ID associated with this event. rule_name (string): Name of the Firewall rule associated with this event. remote_host (string): Name of the remote host if it can be traced. application (path): Application responsible for/affected by event. user (string): User associated with the event. line_no (varint): Reference line number in log file.