Firewall log

Asked by bankwest:
This is an example of log information created by a SonicWall TZ210.

Most of the information is pretty clear about what it is telling me. Some of it, not so much.

Can someone give me an explanation of this entire entry, or point me to someplace that gives better information than I have found so far? For example: what is the UTC fw=70.252.169.70? I would like to report this to the ISP, but I am not sure who to report it to.
What is the pri=1? c=32? m=794? Then further down it has n=2 before the src information.

id=firewall sn=0017C5441BD8 time="2012-04-13 14:29:16 UTC" fw=70.252.169.70
pri=1 c=32 m=794 msg="Anti-Spyware Prevention Alert: Freeze (Trojan)" sid=2138
spycat=Freeze spypri=1 n=2 src=10.1.3.62:1274:X0 dst=205.234.175.175:80:X1
Alert 16 - Local use 0 1 - Alert 2012/04/13 08:29:15

id=firewall sn=0017C5441BD8 time="2012-04-13 14:28:05 UTC" fw=70.252.169.70
pri=1 c=32 m=794 msg="Anti-Spyware Prevention Alert: Freeze (Trojan)" sid=2138
spycat=Freeze spypri=1 n=1 src=205.234.175.175:80:X1 dst=10.1.3.62:1255:X0
Alert 16 - Local use 0 1 - Alert 2012/04/13 08:28:03
Commented:
Hi,

I've never touched the device before; I generally work with Check Point, but this is what I can make out from the log.

m=794 (Log Message ID: Anti-Spyware Prevention Alert: %s)

pri=1 (Message priority: displays the event priority level (0=emergency .. 7=debug))

sid=2138 (signature ID)

c=32 (I believe this is the message category (legacy only))

fw=70.252.169.70 (Indicates the WAN IP Address)

n=2 (Indicates the number of times event occurs)

I believe this possible Trojan has been communicating with the IP 205.234.175.175:80 from your internal host, so it is possibly infected.


IP Information:

IP Address:   205.234.175.175
IP Host:      vip1.G-anycast1.cachefly.net
Continent:    North America (NA)
Country:      United States (US)
State:        Illinois
City:         Chicago
Postal Code:  60622
Area Code:    773
Metro Code:   602
ISP:          Server Central Network
Organization: CacheNetworks
Time zone:    America/Chicago

Hope this helps.
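The field explanations in the answer above, turned into a small parser as an added example (my own code, not SonicWall's and not the answerer's). It splits the key=value pairs of the two entries posted in the question, decodes src/dst into IP, port and interface, maps pri to the syslog severity names the answer quotes (0=emergency .. 7=debug), and uses RFC 1918 private-address checks to work out which side is the LAN host in each entry, because in the second entry the remote web server appears as src and the internal host as dst. The field glossary follows the answer's explanations rather than an official SonicWall reference; the aggregation key and the hit total are my own choices, and the two sample lines are the question's own entries joined onto one line each.

```python
import ipaddress
import re

# The two Anti-Spyware entries posted in the question, each joined onto one line.
SAMPLE_LOG = [
    'id=firewall sn=0017C5441BD8 time="2012-04-13 14:29:16 UTC" fw=70.252.169.70 '
    'pri=1 c=32 m=794 msg="Anti-Spyware Prevention Alert: Freeze (Trojan)" sid=2138 '
    'spycat=Freeze spypri=1 n=2 src=10.1.3.62:1274:X0 dst=205.234.175.175:80:X1',
    'id=firewall sn=0017C5441BD8 time="2012-04-13 14:28:05 UTC" fw=70.252.169.70 '
    'pri=1 c=32 m=794 msg="Anti-Spyware Prevention Alert: Freeze (Trojan)" sid=2138 '
    'spycat=Freeze spypri=1 n=1 src=205.234.175.175:80:X1 dst=10.1.3.62:1255:X0',
]

# Syslog-style priority levels as quoted in the answer (0=emergency .. 7=debug).
PRIORITY_NAMES = {0: "emergency", 1: "alert", 2: "critical", 3: "error",
                  4: "warning", 5: "notice", 6: "info", 7: "debug"}

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_endpoint(value):
    """Split a src/dst value such as 10.1.3.62:1274:X0 into ip, port and interface.
    Port and interface are tolerated as absent, since not every message type carries them."""
    parts = value.split(":")
    ip = parts[0]
    port = int(parts[1]) if len(parts) > 1 and parts[1] else None
    iface = parts[2] if len(parts) > 2 else None
    return {"ip": ip, "port": port, "iface": iface}


def parse_entry(line):
    """Parse one SonicWall key=value log line into a dict of typed fields."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        value = raw[1:-1] if raw.startswith('"') else raw
        if key in ("pri", "c", "m", "sid", "spypri", "n"):
            value = int(value)          # numeric fields per the answer's glossary
        elif key in ("src", "dst"):
            value = parse_endpoint(value)
        fields[key] = value
    if "pri" in fields:
        fields["pri_name"] = PRIORITY_NAMES.get(fields["pri"], "unknown")
    return fields


def classify(entry):
    """Identify the LAN host and the remote party regardless of which is src or dst.
    Uses private-address checks rather than field position, so an inbound reply
    (remote server as src) is attributed to the same local host as the outbound hit."""
    src, dst = entry["src"], entry["dst"]
    src_private = ipaddress.ip_address(src["ip"]).is_private
    dst_private = ipaddress.ip_address(dst["ip"]).is_private
    if src_private and not dst_private:
        local, remote, direction = src, dst, "outbound"
    elif dst_private and not src_private:
        local, remote, direction = dst, src, "inbound"
    else:
        local, remote, direction = src, dst, "unknown"
    return {
        "time": entry.get("time"),
        "firewall_wan_ip": entry.get("fw"),   # fw= is the firewall's own WAN address, per the answer
        "direction": direction,
        "local_host": local["ip"],
        "local_iface": local["iface"],
        "remote_host": remote["ip"],
        "remote_port": remote["port"],
        "signature": entry.get("sid"),
        "hits": entry.get("n", 1),            # n= is the repeat count, per the answer
        "message": entry.get("msg"),
    }


def summarize(lines):
    """Aggregate alerts per (local host, remote host, signature) so repeated
    entries collapse into one row with a total hit count and the directions seen."""
    totals = {}
    for line in lines:
        c = classify(parse_entry(line))
        key = (c["local_host"], c["remote_host"], c["signature"])
        row = totals.setdefault(key, dict(c, hits=0, directions=set()))
        row["hits"] += c["hits"]
        row["directions"].add(c["direction"])
    return totals


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG).values():
        print(f"{row['local_host']} ({row['local_iface']}) <-> "
              f"{row['remote_host']}:{row['remote_port']} sid={row['signature']} "
              f"hits={row['hits']} directions={sorted(row['directions'])} "
              f"msg={row['message']!r}")
```

Run stand-alone it prints a single row: 10.1.3.62 on X0 talking to 205.234.175.175:80, signature 2138, three hits in total, seen in both directions. The address to look up for the remote party is the `remote_host` value, not the `fw` value, which (as the answer says) is the firewall's own WAN IP.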
