symantec.firewall
$ target-query <path/to/target> -f symantec.firewall
Module documentation
Symantec Endpoint Security Suite Plugin, based on https://malwaremaloney.blogspot.com/2021/01/
Function documentation
Return firewall log records.
Yields SEPFirewallRecord with the following fields:
ts (datetime): Timestamp associated with the event.
protocol (string): Protocol name associated with the firewall record.
local_ip ("net.ipaddress"): Local IP address associated with the event.
remote_ip ("net.ipaddress"): Remote IP address associated with the event.
local_ip6 ("net.ipaddress"): Local IPv6 address associated with the event.
remote_ip6 ("net.ipaddress"): Remote IPv6 address associated with the event.
local_port (varint): Local port associated with the event.
remote_port (varint): Remote port associated with the event.
outbound (boolean): True in case of outbound traffic/connection.
begin_time (datetime): Start of the event.
end_time (datetime): End of the event.
repetition (varint): How many times this event happened within the time frame.
blocked (boolean): Whether the traffic/connection was successfully blocked.
severity (string): Severity of the event.
rule_id (varint): Firewall rule ID associated with this event.
rule_name (string): Name of the Firewall rule associated with this event.
remote_host (string): Name of the remote host if it can be traced.
application (path): Application responsible for/affected by event.
user (string): User associated with the event.
line_no (varint): Reference line number in log file.
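Added example (not part of dissect or this plugin's code): a small triage pass over SEPFirewallRecord-shaped records exported as one JSON object per line, which is the shape rdump's JSON output takes. It sums the repetition field instead of counting records, since one record covers begin_time..end_time for every repeat of the same event; the sample records and their values are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample of SEPFirewallRecord-shaped records, one JSON object per
# line (the shape rdump's JSON output takes). All values are made up.
SAMPLE_JSONL = r"""
{"ts": "2021-01-10T08:00:00", "protocol": "TCP", "local_ip": "10.0.0.5", "remote_ip": "203.0.113.9", "local_port": 445, "remote_port": 51000, "outbound": false, "begin_time": "2021-01-10T08:00:00", "end_time": "2021-01-10T08:04:59", "repetition": 12, "blocked": true, "severity": "Major", "rule_id": 7, "rule_name": "Block SMB", "application": "C:\\Windows\\System32\\svchost.exe", "user": "SYSTEM", "line_no": 3}
{"ts": "2021-01-10T08:06:00", "protocol": "TCP", "local_ip": "10.0.0.5", "remote_ip": "203.0.113.9", "local_port": 3389, "remote_port": 51322, "outbound": false, "begin_time": "2021-01-10T08:06:00", "end_time": "2021-01-10T08:07:30", "repetition": 4, "blocked": true, "severity": "Major", "rule_id": 9, "rule_name": "Block RDP", "application": "C:\\Windows\\System32\\svchost.exe", "user": "SYSTEM", "line_no": 4}
{"ts": "2021-01-10T09:00:00", "protocol": "TCP", "local_ip": "10.0.0.5", "remote_ip": "198.51.100.20", "local_port": 52001, "remote_port": 443, "outbound": true, "begin_time": "2021-01-10T09:00:00", "end_time": "2021-01-10T09:00:01", "repetition": 1, "blocked": false, "severity": "Information", "rule_id": 1, "rule_name": "Allow HTTPS", "application": "C:\\Program Files\\Browser\\browser.exe", "user": "alice", "line_no": 5}
"""


def summarize_blocked_inbound(jsonl_text: str) -> dict:
    """Aggregate blocked inbound records per remote IP.

    `repetition` is summed rather than records counted, because one record
    stands for every repeat of the same event between begin_time and end_time.
    """
    summary = defaultdict(lambda: {"attempts": 0, "local_ports": set(),
                                   "rules": set(), "first": None, "last": None})
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["outbound"] or not rec["blocked"]:
            continue  # only inbound traffic the firewall actually stopped
        entry = summary[rec["remote_ip"]]
        entry["attempts"] += rec["repetition"]
        entry["local_ports"].add(rec["local_port"])
        entry["rules"].add(rec["rule_name"])
        begin = datetime.fromisoformat(rec["begin_time"])
        end = datetime.fromisoformat(rec["end_time"])
        entry["first"] = begin if entry["first"] is None else min(entry["first"], begin)
        entry["last"] = end if entry["last"] is None else max(entry["last"], end)
    # Sorted lists instead of sets so the result prints and compares deterministically.
    return {ip: {**e, "local_ports": sorted(e["local_ports"]), "rules": sorted(e["rules"])}
            for ip, e in summary.items()}


if __name__ == "__main__":
    for ip, e in summarize_blocked_inbound(SAMPLE_JSONL).items():
        print(f"{ip}: {e['attempts']} blocked inbound attempts on local ports "
              f"{e['local_ports']} over {e['last'] - e['first']} ({', '.join(e['rules'])})")
```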