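<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE lire:dlf-schema PUBLIC
  "-//LogReport.ORG//DTD Lire DLF Schema Markup Language V1.0//EN"
  "http://www.logreport.org/LDSML/1.0/ldsml.dtd">

<!-- $Id: firewall.xml,v 1.5 2002/01/22 23:38:26 flacoste Exp $ -->

<!-- DLF schema for the "firewall" superservice: one lire:field per column
     of a firewall DLF record. The timestamp attribute on the root names the
     field of type "timestamp" declared below. The DOCTYPE references the
     external LDSML DTD by public/system id; a validating parser should
     resolve it through a local catalog rather than fetching the system URL.
     Fields carrying a default= attribute are the ones a converter may leave
     unset; the others are expected on every record. -->

<lire:dlf-schema superservice="firewall" timestamp="time"
 xmlns:lire="http://www.logreport.org/LDSML/">

 <lire:title>DLF Schema for Firewall service</lire:title>
 <lire:description>
  <para>This DLF file is adequate to represent most common
   information about packet filter firewall events. It can also be
   used for Network Intrusion Detection System.
  </para>
 </lire:description>

 <!-- Event time; referenced by the timestamp attribute of the root element. -->
 <lire:field name="time"                type="timestamp"/>

 <!-- e.g. denied or permitted (these are the cisco names for this field) -->
 <lire:field name="action"              type="string">
  <lire:description>
   <para>What action was associated with that packet. Either
    <constant>denied</constant> or
    <constant>permitted</constant>.
   </para>
  </lire:description>
 </lire:field>

 <lire:field name="protocol"            type="string">
  <lire:description>
   <para>The protocol of the packet, e.g. <constant>tcp</constant>,
    <constant>udp</constant> or <constant>icmp</constant>.</para>
  </lire:description>
 </lire:field>

 <lire:field name="from_ip"             type="ip">
  <lire:description>
   <para>The source ip address on the packet.</para>
  </lire:description>
 </lire:field>

 <lire:field name="from_port"           type="port">
  <lire:description>
   <para>The source port (in the case of the TCP or UDP protocol).
    This should be the ICMP type when the protocol is ICMP.</para>
  </lire:description>
 </lire:field>

 <lire:field name="from_host"           type="hostname">
  <lire:description>
   <para>The hostname associated with the source IP.</para>
  </lire:description>
 </lire:field>

 <!-- e.g. Serial0/0.2 -->
 <lire:field name="rcv_intf"            type="string">
  <lire:description>
   <para>The receiving interface. That should be the network interface
    on which the packet was received.
   </para>
  </lire:description>
 </lire:field>

 <lire:field name="rcv_hwaddr"          type="string">
  <lire:description>
   <para>The link-layer address associated with the receiving interface,
    e.g. <constant>DLCI_120</constant>.</para>
  </lire:description>
 </lire:field>

 <lire:field name="to_ip"               type="ip">
  <lire:description>
   <para>The destination ip address on the packet.</para>
  </lire:description>
 </lire:field>

 <lire:field name="to_port"             type="port">
  <lire:description>
   <para>The destination port (in the case of the TCP or UDP protocol).
    This should be the ICMP code when the protocol is ICMP.
   </para>
  </lire:description>
 </lire:field>

 <lire:field name="to_host"             type="hostname">
  <lire:description>
   <para>The hostname associated with the destination IP.</para>
  </lire:description>
 </lire:field>

 <lire:field name="snt_intf"            type="string" default="-">
  <lire:description>
   <para>The sending interface. That should be the network interface
    on which the packet was outgoing.
   </para>
  </lire:description>
 </lire:field>

 <lire:field name="length"              type="bytes" default="0">
  <lire:description>
   <para>The packet length (that is the header and payload length).
    This should be the total length of the stream when the
    event represent multiple packets.
   </para>
  </lire:description>
 </lire:field>

 <lire:field name="rule"                type="string" default="-">
  <lire:description>
   <para>The rule that triggered that packet to be logged, denied,
    permitted, etc.</para>
  </lire:description>
 </lire:field>

 <lire:field name="msg"                 type="string" default="-">
  <lire:description>
   <para>A message associated with that packet. This could be an
    attack signature detected by a Network Intrusion Detection System
    or anything of similar nature.
   </para>
  </lire:description>
 </lire:field>

 <lire:field name="count"               type="int" default="1">
  <lire:description>
   <para>The number of packets described by this event. This will be 1
    in the case of a single packet. It can be higher in the case where
    multiple packets are compressed into one event. Remember that the
    <type>length</type> values should reflect the length of all those packets.
   </para>
  </lire:description>
 </lire:field>
</lire:dlf-schema>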