Tuesday, January 26, 2021

Your AV is Trying to Tell You Something: tralog.log

tralog_Format.md

Network and Host Exploit Mitigation Traffic Log

The traffic log records network traffic events that occur on the endpoint. It is populated whenever traffic hits one of the firewall rules. Two items of interest that the Windows client does not show, but which are present in the file, are the MD5/SHA-256 hash of the executable that triggered the firewall rule and the rule ID.

Traffic Log File Format

The traffic log for SEP can be found at the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\tralog.log

| Field | Type | Size | Description |
|---|---|---|---|
| Log Type | hex | 8 | Always 00000002 |
| Max Log Size | hex | 8 | Maximum log file size in bytes |
| Unknown | hex | 8 | ? |
| Number of Entries | hex | 8 | Number of entries in the log |
| Unknown | hex | 8 | ? |
| Running Total Entries | hex | 16 | Total number of events generated |
| Max Log Days | hex | 8 | Maximum number of days to keep log entries |

Log Entries

Entries are in TSV format: each field is separated from the next by a tab character. Sizes below are the field width in characters.

| Field | Type | Size | Description |
|---|---|---|---|
| Entry Length | hex | 8 | Length of the log entry |
| Date and Time | Windows 64-bit hex value, big endian | 16 | The time of the generated event (GMT). |
| Event ID | hex | 8 | An event ID from the sending agent: 301 = TCP initiated; 302 = UDP datagram; 303 = Ping request; 304 = TCP completed; 305 = Traffic (other); 306 = ICMPv4 packet; 307 = Ethernet packet; 308 = IP packet; 309 = ICMPv6 packet \* |
| Local Host | hex | 8 | The IP address of the local computer (IPv4). |
| Remote Host | hex | 8 | The IP address of the remote computer (IPv4). |
| Local Port | hex | 8 | The TCP/UDP port of the local computer (host byte order). Only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP; for other events it is always zero. |
| Remote Port | hex | 8 | The TCP/UDP port of the remote computer (host byte order). Only valid for TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP; for other events it is always zero. |
| Direction | hex | 8 | The direction of the traffic (unknown = 0; inbound = 1; outbound = 2). |
| Begin Time | Windows 64-bit hex value, big endian | 16 | The start time of the security issue. |
| End Time | Windows 64-bit hex value, big endian | 16 | The end time of the security issue. This field is optional because the exact end time of traffic may not be detected, for example with UDP traffic. If the end time is not detected, it is set equal to the start time. |
| Repetition | hex | 8 | The number of attacks. When an attacker launches a mass attack, the log system may reduce it to a single event, depending on the damper period. |
| Action | hex | 8 | Whether the traffic was blocked (yes = 1, no = 0). |
| Unknown | hex | 8 | Purpose of this field not yet determined. |
| Severity | hex | 8 | Severity as defined in the security rule: Critical = 0-3; Major = 4-7; Minor = 8-11; Info = 12-15. |
| Rule ID | char | 32 | The ID of the rule triggered by the event. It is always 0 if no rule ID is specified in the security rule. Useful when troubleshooting security rules. If multiple rules match, the rule that made the final decision in PacketProc (pass/block/drop) is logged. |
| Remote Host Name | nvarchar | 128 | The host name of the remote computer. May be empty if name resolution failed. |
| Rule | nvarchar | 512 | The name of the rule triggered by the event. Empty if no rule name is specified in the security rule. The rule ID identifies the rule, but the rule name makes it quicker to recognize. |
| Application | nvarchar | 512 | The full path of the application involved. May be empty if an unknown application is involved or if no application is involved; for example, a ping-of-death DoS attack has no application name because it attacks the operating system itself. |
| Local MAC | binary | 32 | The MAC address of the local computer. |
| Remote MAC | binary | 32 | The MAC address of the remote computer. |
| Location | nvarchar | 512 | The location in use when the event occurred. |
| User | nvarchar | 512 | The logon user name. |
| User Domain | nvarchar | 512 | The logon domain name. |
| Unknown | hex | 8 | Purpose of this field not yet determined. |
| Unknown | hex | 8 | Purpose of this field not yet determined. |
| Remote Host IPv6 | hex | 32 | The IP address of the remote host (IPv6). |
| Local Host IPv6 | hex | 32 | The IP address of the local computer (IPv6). |
| Unknown | hex | 8 | Purpose of this field not yet determined. |
| Unknown | hex | 8 | Purpose of this field not yet determined. |
| MD5 | char | 32 | The MD5 hash of the executable that triggered the firewall rule. |
| SHA-256 | char | 64 | The SHA-256 hash of the executable that triggered the firewall rule. |
| Unknown | ? | ? | Purpose of this field not yet determined. |
| Unknown | ? | ? | Purpose of this field not yet determined. |
| Unknown | ? | ? | Purpose of this field not yet determined. |

\* SEP 14.2.1

ntoskrnl.exe is the image of the System process (PID 4). Because of how Windows holds that file, SEP is unable to hash it, so the hash fields for it are filled with a hard-coded static value:

MD5: 53797320000000000000000000000000
SHA-256: 5379732000000000000000000000000000000000000000000000000000000000

This value is the hexadecimal representation of ASCII text, zero-padded to the width of the hash field:

Hex: 53 79 73 20
ASCII: "Sys "

The reported hash for NTOSKRNL.exe is therefore by design. It will never match a real digest, so do not send it to a hash reputation lookup; hash the file on disk if you need the true value.
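To make the layout above usable in practice, here is a small parser for tralog.log entries that also recognizes the "Sys " placeholder. It is an added example and not Symantec's code, and it fills in a few things the format notes do not pin down, all of which are assumptions: the 16-digit timestamps are treated as Windows FILETIME values (big endian, as the table says), the 8-digit IPv4 fields as network byte order, the event IDs 301..309 as decimal values stored in the 8-digit hex field (so 301 appears as 0000012D), and the header as the seven fixed-width fields concatenated. The two sample entries are constructed to match the field table, including an ntoskrnl.exe entry carrying the placeholder hash, and are not captured from a real endpoint.

```python
"""Parser for the tralog.log layout above. Added example, not Symantec code. Assumptions the
page does not state: 16-digit timestamps are Windows FILETIME (100 ns ticks since 1601-01-01
UTC, big endian); 8-digit IPv4 fields are network byte order; event IDs 301..309 are decimal
(301 stored as 0000012D); the header is the seven fixed-width hex fields concatenated; the
sample data at the bottom is constructed, not captured from a real endpoint."""
from datetime import datetime, timedelta, timezone

# Entry columns in the order the table above lists them (34 tab-separated fields).
FIELDS = ["entry_length", "timestamp", "event_id", "local_ip", "remote_ip", "local_port",
          "remote_port", "direction", "begin_time", "end_time", "repetition", "action",
          "unknown_a", "severity", "rule_id", "remote_host_name", "rule", "application",
          "local_mac", "remote_mac", "location", "user", "user_domain", "unknown_b",
          "unknown_c", "remote_ipv6", "local_ipv6", "unknown_d", "unknown_e", "md5",
          "sha256", "unknown_f", "unknown_g", "unknown_h"]
EVENT_IDS = {301: "TCP initiated", 302: "UDP datagram", 303: "Ping request",
             304: "TCP completed", 305: "Traffic (other)", 306: "ICMPv4 packet",
             307: "Ethernet packet", 308: "IP packet", 309: "ICMPv6 packet"}
DIRECTIONS = {0: "unknown", 1: "inbound", 2: "outbound"}
# Hard-coded value SEP writes for the System process image: ASCII "Sys ", zero-padded.
PLACEHOLDER_MD5 = "53797320".ljust(32, "0")
PLACEHOLDER_SHA256 = "53797320".ljust(64, "0")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(hex_value):
    """16 hex digits (big-endian 64-bit FILETIME, 100 ns ticks) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(hex_value, 16) // 10)

def hex_ipv4(hex_value):
    """8 hex digits -> dotted quad (assumes network byte order)."""
    return ".".join(str(b) for b in bytes.fromhex(hex_value.zfill(8)))

def severity_label(value):
    """0-3 Critical, 4-7 Major, 8-11 Minor, 12-15 Info."""
    return ("Critical", "Major", "Minor", "Info")[min(value, 15) // 4]

def placeholder_text(hex_hash):
    """Decode a placeholder 'hash' back to the ASCII text it encodes."""
    return bytes.fromhex(hex_hash).rstrip(b"\x00").decode("ascii")

def parse_header(header_hex):
    """Header: seven fixed-width hex fields, concatenated (assumed layout)."""
    layout = [("log_type", 8), ("max_log_size", 8), ("unknown_1", 8), ("number_of_entries", 8),
              ("unknown_2", 8), ("running_total_entries", 16), ("max_log_days", 8)]
    header, pos = {}, 0
    for name, width in layout:
        header[name] = int(header_hex[pos:pos + width], 16)
        pos += width
    if header["log_type"] != 2:
        raise ValueError(f"not a traffic log: log type {header['log_type']:#x}")
    return header

def parse_entry(line):
    """One tab-separated entry -> decoded dict."""
    cols = line.rstrip("\r\n").split("\t")
    if len(cols) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(cols)}")
    raw = dict(zip(FIELDS, cols))
    event_id = int(raw["event_id"], 16)
    return {
        "time": filetime_to_datetime(raw["timestamp"]),
        "event": EVENT_IDS.get(event_id, f"unknown ({event_id})"),
        # Ports are only meaningful for TCP/UDP events; the page says they are 0 otherwise.
        "local": f"{hex_ipv4(raw['local_ip'])}:{int(raw['local_port'], 16)}",
        "remote": f"{hex_ipv4(raw['remote_ip'])}:{int(raw['remote_port'], 16)}",
        "direction": DIRECTIONS.get(int(raw["direction"], 16), "unknown"),
        "blocked": int(raw["action"], 16) == 1,
        "severity": severity_label(int(raw["severity"], 16)),
        "application": raw["application"],
        "user": f"{raw['user_domain']}\\{raw['user']}",
        "sha256": raw["sha256"].lower(),
        # True for ntoskrnl.exe entries: the hash fields hold "Sys ", not a real digest.
        "hash_is_placeholder": (raw["md5"].upper() == PLACEHOLDER_MD5
                                or raw["sha256"].upper() == PLACEHOLDER_SHA256),
    }

def blocked_outbound(entries):
    """Triage view: (application, remote) for outbound traffic the firewall blocked."""
    return [(e["application"], e["remote"]) for e in entries
            if e["blocked"] and e["direction"] == "outbound"]

# Constructed sample data laid out per the tables above (not a real capture).
SAMPLE_HEADER = "00000002" "00100000" "00000000" "00000002" "00000000" "0000000000000007" "0000000E"
SAMPLE_ENTRIES = [
    "\t".join(["000001F4", "01D6F3DAC5BE2000", "0000012D", "C0A8010A", "CB007105", "0000C230",
               "000001BB", "00000002", "01D6F3DAC5BE2000", "01D6F3DAC5BE2000", "00000001",
               "00000001", "00000000", "00000005", "0" * 32, "", "Block all other traffic",
               r"C:\Users\alice\AppData\Local\Temp\dropper.exe", "000C29AABBCC", "000C29DDEEFF",
               "Default", "alice", "CORP", "00000000", "00000000", "0" * 32, "0" * 32,
               "00000000", "00000000", "0123456789ABCDEF0123456789ABCDEF",
               "0123456789ABCDEF" * 4, "00000000", "00000000", "00000000"]),
    "\t".join(["000001F4", "01D6F3DAC8B91080", "0000012E", "C0A8010A", "C0A8014D", "00000089",
               "00000089", "00000001", "01D6F3DAC8B91080", "01D6F3DAC8B91080", "00000001",
               "00000000", "00000000", "0000000C", "0" * 32, "", "Allow local network traffic",
               r"C:\Windows\System32\ntoskrnl.exe", "000C29AABBCC", "000C29DDEEFF",
               "Default", "", "", "00000000", "00000000", "0" * 32, "0" * 32,
               "00000000", "00000000", PLACEHOLDER_MD5, PLACEHOLDER_SHA256,
               "00000000", "00000000", "00000000"]),
]

if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER))
    for e in map(parse_entry, SAMPLE_ENTRIES):
        print(e["time"].isoformat(), e["event"], e["direction"], e["local"], "->", e["remote"],
              "BLOCKED" if e["blocked"] else "allowed", e["application"],
              "(placeholder hash)" if e["hash_is_placeholder"] else "")
```

Running it decodes both constructed entries. The `hash_is_placeholder` flag is the practical point: when it is set, the MD5/SHA-256 columns are the "Sys " sentinel and should be replaced by hashing ntoskrnl.exe on disk before any reputation lookup. If real files turn out to use a different byte order or a different header delimiter, only `hex_ipv4` and `parse_header` need adjusting.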
