Network and Host Exploit Mitigation Packet Log
The raw log contains packet traffic that occurred on the endpoint. It is populated only when a firewall rule is set to capture the packet. The only thing the Windows client is missing is the rule ID. The log is not very human-readable because of the packet data it contains. One shortcoming of the smc command-line tool is that it will not export the packet data, even though that data is present in the log and visible in the Windows GUI client.
Packet Log File Format
The packet log for SEP can be found at the following location: C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Logs\rawlog.log
Header
| Field | Type | Size | Description |
|---|---|---|---|
| Log Type | hex | 8 | Always 00000003 |
| Max Log Size | hex | 8 | Maximum log file size in bytes |
| Unknown | hex | 8 | ? |
| Number of Entries | hex | 8 | Number of entries in log |
| Unknown | hex | 8 | ? |
| Running Total Entries | hex | 16 | Total number of events generated |
| Max Log Days | hex | 8 | Maximum days to save log entries |
Log Entries
Each log entry is in TSV format: the fields are separated by a tab character.
| Field | Type | Size | Description |
|---|---|---|---|
| Entry Length | hex | 8 | Length of log entry |
| Date and Time | Windows: 64 bit Hex Value - Big Endian | 16 | The time of the generated event (GMT). |
| Event ID | hex | 8 | An event ID from the sending agent: 401 = Raw Ethernet |
| Local Host | hex | 8 | The IP address of the local computer (IPv4). |
| Remote Host | hex | 8 | The IP address of the remote computer (IPv4). |
| Local Port | hex | 8 | The TCP/UDP port of the local computer (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero. |
| Remote Port | hex | 8 | The TCP/UDP port of the remote computer (host byte-order). It is only valid on TSE_TRAFFIC_TCP and TSE_TRAFFIC_UDP. For other events, it is always zero. |
| Packet Length | hex | 8 | Length of packet data |
| Direction | hex | 8 | The direction of traffic (unknown = 0; inbound = 1; outbound = 2). |
| Action | hex | 8 | Specifies if the traffic was blocked (yes = 1, no = 0). |
| Unknown | hex | 8 | Will require further investigation as to the purpose of this field. |
| Remote Host Name | nvarchar | 128 | The host name of the remote computer. This field may be empty if name resolution failed. |
| Application | nvarchar | 512 | The full path name of the application involved. It may be empty if an unknown application is involved or if no application is involved. For example, the ping of death DoS attack does not have an AppName because it attacks the operating system. |
| Packet | varbinary | 2000 | The captured packet data. |
| Rule | nvarchar | 512 | The name of the rule that was triggered by the event. If the rule name is not specified in the security rule, this field is empty. Having the rule name is useful for troubleshooting: you may recognize a rule by its rule ID, but the rule name helps you recognize it more quickly. |
| Unknown | hex | 8 | Will require further investigation as to the purpose of this field. |
| Unknown | hex | 8 | Will require further investigation as to the purpose of this field. |
| Remote Host IPV6 | hex | 32 | The IP address of the remote host (IPv6). |
| Local Host IPV6 | hex | 32 | The IP address of the local computer (IPv6). |
| Rule ID | char | 32 | The ID of the rule that is triggered by the event. It is always 0 if the rule ID is not specified in the security rule. This field is helpful for security rule troubleshooting. If multiple rules match, it logs the rule that has the final decision on PacketProc (pass/block/drop). |
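Since smc will not export the packet data, a small parser that reads rawlog.log directly is the practical way to get at it. The following is an added example written for this post, not Symantec's code or output from a real endpoint. It follows the two field tables above and makes a few assumptions the post does not confirm: the Date and Time value is treated as a Windows FILETIME (100 ns ticks since 1601-01-01 UTC), the IPv4/IPv6 hex fields are assumed to be in network byte order, the varbinary Packet column is assumed to be stored as hex text, and the header is assumed to be a run of fixed-width hex fields (tabs, if any, are stripped). The sample header and entry are constructed, including the rule name and rule ID placeholder.

```python
"""Parser for SEP rawlog.log header and TSV log entries (added example)."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Column order taken from the "Log Entries" table.
ENTRY_FIELDS = [
    "entry_length", "timestamp", "event_id", "local_host", "remote_host",
    "local_port", "remote_port", "packet_length", "direction", "action",
    "unknown_1", "remote_host_name", "application", "packet", "rule",
    "unknown_2", "unknown_3", "remote_host_ipv6", "local_host_ipv6", "rule_id",
]
# Header field name and width in hex characters, in "Header" table order.
HEADER_FIELDS = [
    ("log_type", 8), ("max_log_size", 8), ("unknown_1", 8), ("num_entries", 8),
    ("unknown_2", 8), ("running_total_entries", 16), ("max_log_days", 8),
]
DIRECTIONS = {0: "unknown", 1: "inbound", 2: "outbound"}
EVENT_NAMES = {0x401: "Raw Ethernet"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(hex_value):
    """Assumption: the 64-bit big-endian value is a Windows FILETIME
    (100 ns ticks since 1601-01-01 UTC)."""
    ticks = int(hex_value, 16)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def hex_to_ip(hex_value):
    """8 hex chars -> IPv4, 32 hex chars -> IPv6 (assumes network byte order)."""
    if not hex_value:
        return ""
    value = int(hex_value, 16)
    if len(hex_value) <= 8:
        return str(ipaddress.IPv4Address(value))
    return str(ipaddress.IPv6Address(value))


def parse_header(line):
    """Parse the fixed-width hex header; tabs, if present, are ignored
    (assumption: fields are concatenated or tab-separated hex strings)."""
    raw = line.strip().replace("\t", "")
    header, pos = {}, 0
    for name, width in HEADER_FIELDS:
        header[name] = int(raw[pos:pos + width], 16)
        pos += width
    return header


def parse_entry(line):
    """Parse one tab-separated log entry into typed fields."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(ENTRY_FIELDS):
        raise ValueError(f"expected {len(ENTRY_FIELDS)} fields, got {len(parts)}")
    raw = dict(zip(ENTRY_FIELDS, parts))
    event_id = int(raw["event_id"], 16)
    # Assumption: the varbinary Packet column is stored as hex text.
    packet = bytes.fromhex(raw["packet"]) if raw["packet"] else b""
    entry = {
        "entry_length": int(raw["entry_length"], 16),
        "timestamp": filetime_to_datetime(raw["timestamp"]),
        "event_id": event_id,
        "event_name": EVENT_NAMES.get(event_id, f"unknown (0x{event_id:X})"),
        "local_host": hex_to_ip(raw["local_host"]),
        "remote_host": hex_to_ip(raw["remote_host"]),
        "local_port": int(raw["local_port"], 16),
        "remote_port": int(raw["remote_port"], 16),
        "packet_length": int(raw["packet_length"], 16),
        "direction": DIRECTIONS.get(int(raw["direction"], 16), "invalid"),
        "blocked": int(raw["action"], 16) == 1,
        "remote_host_name": raw["remote_host_name"],
        "application": raw["application"],
        "packet": packet,
        "rule": raw["rule"],
        "remote_host_ipv6": hex_to_ip(raw["remote_host_ipv6"]),
        "local_host_ipv6": hex_to_ip(raw["local_host_ipv6"]),
        "rule_id": raw["rule_id"],
    }
    # Consistency check: the declared packet length should match the payload.
    entry["packet_length_ok"] = entry["packet_length"] == len(packet)
    return entry


# Constructed sample data (not taken from a real endpoint).
SAMPLE_HEADER = "00000003" "00200000" "00000000" "00000001" "00000000" "0000000000000001" "0000000E"
SAMPLE_ENTRY = "\t".join([
    "000002A0", "01D5C03669050000", "00000401", "C0A80164", "08080808",
    "0000D431", "00000035", "0000000A", "00000002", "00000001", "00000000",
    "dns.google", r"C:\Windows\System32\svchost.exe", "45000028000040004006",
    "Block DNS to external resolvers", "00000000", "00000000",
    "00000000000000000000000000000000", "FE800000000000000000000000000001",
    "CONSTRUCTED-RULE-ID",
])

if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER))
    for key, value in parse_entry(SAMPLE_ENTRY).items():
        print(f"{key:>20}: {value!r}")
```

To run it against a real file, read the first line with `parse_header` and feed each following line to `parse_entry`; the `packet_length_ok` flag is a cheap sanity check that the hex-text assumption for the Packet column holds before you hand the bytes to a packet dissector.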