Greetings, I've made decoders for the ZoneAlarm firewall version 8+ and thought they might be useful to someone else too. I also have some decoders for some of the program-control aspects of ZoneAlarm, but I'm still testing them, and I'm still testing rules for all of these. Both of those will probably be posted later if anyone's interested. Feedback is appreciated.
For fwpktlog.txt:
Log samples:
965140 Packet DROPPED: Proto: IP_TCP Flags: 0x0000000a Src: 10.0.0.5 Dest: 10.0.0.1 SrcPort: 80 DstPort: 59687
2050156 Packet DROPPED: Proto: IP_UDP Flags: 0x00000002 Src: 10.0.0.3 Dest: 10.0.0.4 SrcPort: 137 DstPort: 137
3204609 Packet DROPPED: Proto: IP_ICMP Flags: 0x0000000a Src: 10.0.0.2 Dest: 10.0.0.1 Type ICMP_ECHO
<decoder name="zonealarm-fwpktlog">
<prematch>^\d+ Packet \w+: Proto: </prematch>
<type>firewall</type>
</decoder>
<decoder name="zonealarm-fwpktlog-1">
<parent>zonealarm-fwpktlog</parent>
<type>firewall</type>
<!-- OSSEC concatenates consecutive <regex> elements into one pattern. -->
<regex>^\d+ Packet (\w+): Proto: IP_(\w+) Flags: \w+ </regex>
<regex>Src: (\d+.\d+.\d+.\d+) Dest: (\d+.\d+.\d+.\d+) </regex>
<order>action,protocol,srcip,dstip</order>
</decoder>
<decoder name="zonealarm-fwpktlog-1">
<parent>zonealarm-fwpktlog</parent>
<type>firewall</type>
<!-- after_regex: continue where the previous sibling's regex stopped.
     ICMP lines carry "Type ICMP_ECHO" instead of ports, so they simply
     do not match this stage and srcport/dstport stay unset. -->
<regex offset="after_regex">^SrcPort: (\d+) DstPort: (\d+)</regex>
<order>srcport,dstport</order>
</decoder>
For ZALog.txt:
The ZALog.txt file can be delimited by commas (default), semicolons or tabs; the decoder below covers all three. It should also work on ZoneAlarm v7, but this hasn't been tested. It is included mainly for completeness, since the fwpktlog.txt file is much more useful.
Note: for ZoneAlarm to log to ZALog.txt at all, you must set "Archive log files daily" in the Alerts and Logs preferences; otherwise the file will not appear.
Note 2: FYI, there may be double counting of packets between the fwpktlog.txt and ZALog.txt files. ZoneAlarm is rather militant about logging to fwpktlog.txt but not so much to ZALog.txt. Personally, I don't really care if the packets are counted twice since it typically isn't enough to trigger lockouts unexpectedly. If you care, just use the fwpktlog.txt decoder above instead of this one.
Log samples (inbound and outbound traffic):
FWIN,2008/09/22,15:04:34 -7:00 GMT,10.97.238.229:1493,10.12.67.21:1027,UDP
FWIN,2008/09/22,22:22:08 -7:00 GMT,10.50.112.166:2413,10.18.69.21:5900,TCP (flags:S)
FWOUT,2009/01/23,10:48:56 -8:00 GMT,10.12.67.21:138,10.18.69.21:138,UDP
FWIN,2009/01/23,10:49:06 -8:00 GMT,10.12.67.21:0,10.13.68.22:0,ICMP (type:8/subtype:0)
<decoder name="zonealarm-firewall">
<prematch>^FWIN|^FWOUT</prematch>
<type>firewall</type>
</decoder>
<decoder name="zonealarm-firewall-1">
<parent>zonealarm-firewall</parent>
<type>firewall</type>
<!-- Three alternatives (comma, tab and semicolon delimited), joined with "|"
     because OSSEC concatenates consecutive <regex> elements. The "\.+" after
     the time skips the " -7:00 GMT" tail up to the next delimiter. -->
<regex offset="after_parent">^,\d\d\d\d/\d\d/\d\d,\d+:\d+:\d+\.+,(\d+.\d+.\d+.\d+):(\d+),(\d+.\d+.\d+.\d+):(\d+),(\w+)|</regex>
<regex>^\t\d\d\d\d/\d\d/\d\d\t\d+:\d+:\d+\.+\t(\d+.\d+.\d+.\d+):(\d+)\t(\d+.\d+.\d+.\d+):(\d+)\t(\w+)|</regex>
<regex>^;\d\d\d\d/\d\d/\d\d;\d+:\d+:\d+\.+;(\d+.\d+.\d+.\d+):(\d+);(\d+.\d+.\d+.\d+):(\d+);(\w+)</regex>
<order>srcip,srcport,dstip,dstport,protocol</order>
</decoder>
Windows agent config:
<localfile>
<location>C:\WINDOWS/Internet Logs/fwpktlog.txt</location>
<log_format>syslog</log_format>
</localfile>
<localfile>
<location>C:\WINDOWS/Internet Logs/ZALog.txt</location>
<log_format>syslog</log_format>
</localfile>
--cryogen
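The two decoders above, re-implemented in Python as an added example (not from the original post, and not OSSEC code) so the field extraction can be checked against the quoted log lines before the XML goes into local_decoder.xml. It assumes Python's re module, whose syntax differs from OSSEC's (a literal dot is `\.` here and OSSEC's `\w` is narrower than Python's), so the patterns are equivalents rather than copies. The sample lines are the post's with mail wrapping undone; the semicolon- and tab-delimited ZALog lines are constructed variants of the same events. Two fields go beyond the post's decoders and are labelled as such in the code: the FWIN/FWOUT direction, and the ICMP type from the "Type ICMP_ECHO" tail.

```python
"""Added example: Python equivalents of the ZoneAlarm OSSEC decoders above.
Not part of the original post or of OSSEC; for checking the regexes only.
"""
import re

IP = r"\d+\.\d+\.\d+\.\d+"

# --- fwpktlog.txt ---------------------------------------------------------
# Parent decoder's prematch: "<n> Packet <ACTION>: Proto: ".
FWPKT_PREMATCH = re.compile(r"^\d+ Packet \w+: Proto: ")
# First child: action, protocol, srcip, dstip (the decoder's <order>).
FWPKT_MAIN = re.compile(
    r"^\d+ Packet (?P<action>\w+): Proto: IP_(?P<protocol>\w+) Flags: \w+ "
    rf"Src: (?P<srcip>{IP}) Dest: (?P<dstip>{IP}) "
)
# Second child (offset="after_regex"): only sees the text after the first
# child's match. TCP/UDP lines carry ports; ICMP lines carry "Type ...".
FWPKT_PORTS = re.compile(r"^SrcPort: (?P<srcport>\d+) DstPort: (?P<dstport>\d+)")
# Extension not in the post's decoder: also pick up the ICMP type.
FWPKT_ICMP = re.compile(r"^Type (?P<icmptype>\w+)")


def decode_fwpktlog(line):
    """Return the fields OSSEC would populate for a fwpktlog.txt line.

    None: prematch failed (line is not for this decoder).
    {}:   prematch hit but the child regex did not match.
    """
    if not FWPKT_PREMATCH.match(line):
        return None
    m = FWPKT_MAIN.match(line)
    if not m:
        return {}
    fields = m.groupdict()
    rest = line[m.end():]          # emulate offset="after_regex"
    for stage in (FWPKT_PORTS, FWPKT_ICMP):
        s = stage.match(rest)
        if s:
            fields.update(s.groupdict())
            break
    return fields


# --- ZALog.txt -------------------------------------------------------------
# One pattern per delimiter, mirroring the decoder's three alternatives.
# The " -7:00 GMT" tail after the time is skipped up to the next delimiter.
# "direction" is an extension: the post's decoder only prematches on it.
def _zalog_pattern(d):
    return re.compile(
        rf"^(?P<direction>FWIN|FWOUT){d}\d\d\d\d/\d\d/\d\d{d}\d+:\d+:\d+[^{d}]*{d}"
        rf"(?P<srcip>{IP}):(?P<srcport>\d+){d}(?P<dstip>{IP}):(?P<dstport>\d+){d}"
        r"(?P<protocol>\w+)"
    )


ZALOG_PATTERNS = [_zalog_pattern(d) for d in (",", "\t", ";")]


def decode_zalog(line):
    """Return srcip/srcport/dstip/dstport/protocol (+direction), or None."""
    for pat in ZALOG_PATTERNS:
        m = pat.match(line)
        if m:
            return m.groupdict()
    return None


# Sample lines: the post's own (mail wrapping undone) plus constructed
# semicolon- and tab-delimited ZALog variants of the same events.
FWPKT_SAMPLES = [
    "965140 Packet DROPPED: Proto: IP_TCP Flags: 0x0000000a Src: 10.0.0.5 "
    "Dest: 10.0.0.1 SrcPort: 80 DstPort: 59687",
    "2050156 Packet DROPPED: Proto: IP_UDP Flags: 0x00000002 Src: 10.0.0.3 "
    "Dest: 10.0.0.4 SrcPort: 137 DstPort: 137",
    "3204609 Packet DROPPED: Proto: IP_ICMP Flags: 0x0000000a Src: 10.0.0.2 "
    "Dest: 10.0.0.1 Type ICMP_ECHO",
]
ZALOG_SAMPLES = [
    "FWIN,2008/09/22,22:22:08 -7:00 GMT,10.50.112.166:2413,10.18.69.21:5900,TCP (flags:S)",
    "FWOUT;2009/01/23;10:48:56 -8:00 GMT;10.12.67.21:138;10.18.69.21:138;UDP",
    "FWIN\t2009/01/23\t10:49:06 -8:00 GMT\t10.12.67.21:0\t10.13.68.22:0\tICMP (type:8/subtype:0)",
]

if __name__ == "__main__":
    for line in FWPKT_SAMPLES:
        print(decode_fwpktlog(line))
    for line in ZALOG_SAMPLES:
        print(decode_zalog(line))
```

The authoritative check is still ossec-logtest on the manager, which runs the real decoder chain; this script is only for quick iteration on the patterns. Note that the ICMP fwpktlog line yields no srcport/dstport, exactly as the after_regex stage in the decoder leaves them unset, so a rule keyed on dstport will never fire for ICMP drops.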
