ZoneAlarm Log explanation

  1. #1
    Member

    I asked ZoneAlarm Tech support for an explanation of their logs because I heard members say the logs were cumbersome. The explanation that follows came directly from ZoneAlarm tech support.

    Windows 9x/Me : C:\Windows\Internet Logs
    NT/2000 : C:\Winnt\Internet Logs
    In Windows XP it could be either of these folders.

    A description of information that ZoneAlarm logs is below.

    The timestamp is given in the computer's local time (ex: GMT -08:00).
    If it shows an incorrect time zone then you must change your Windows
    settings. See your local Windows help files for more information on
    how to do this.

    FWIN - indicates that the firewall blocked an inbound packet of data
    coming to your computer. Some, but not all, of these packets are
    connection attempts.

    FWOUT - indicates that the firewall blocked an outbound packet of
    data from leaving your computer.

    FWROUTE - the firewall blocked a packet that was not addressed to or
    from your computer, but was routed through it.

    FWLOOP - the firewall blocked a packet addressed to the loopback
    adapter (127.0.0.1).

    LOCK - the firewall blocked a packet due to a lock violation.

    PE - indicates that an application on your computer requested access
    to the Internet.

    N/A - "Not Applicable"; for any log file entries (often PE) with
    fewer than 6 fields to report, ZA/ZAP will pad that line with "N/A".

    ACCESS - an application was blocked because it did not have access
    permission.

    MS - MailSafe quarantined a file attachment.

    The TCP flags are:
    S (SYN),
    F (FIN),
    R (RESET),
    P (PUSH),
    A (ACK),
    U (URGENT),
    4 (low-order unused bit),
    8 (high-order unused bit)

    The SYN-flag is only set in the first packet initiating a TCP
    connection. It represents an attempt to make a connection rather
    than a response to an existing connection.

    The FIN-flag represents an attempt to terminate a connection.

    ICMP types:
    0 - Echo Reply
    3 - Destination Unreachable
    4 - Source Quench
    5 - Redirect
    8 - Echo Request
    9 - Router Advertisement
    10 - Router Solicitation
    11 - Time Exceeded
    12 - Parameter Problem
    13 - Timestamp Request
    14 - Timestamp Reply
    15 - Information Request
    16 - Information Reply
    17 - Address Mask Request
    18 - Address Mask Reply

    If you use netstat (from a DOS prompt, type netstat -an) here are
    some useful terms to know:

    CLOSE_WAIT - Remote shut down; waiting for the socket to close
    CLOSED - The connection is disconnected and not being used
    CLOSING - Closed, then remote shutdown; awaiting ack. Attempting to shut down connection
    ESTABLISHED - Connection has been established; connection is active
    FIN_WAIT_1 - Socket closed; shutting down connection
    FIN_WAIT_2 - Socket closed; waiting for shutdown from other computer
    LAST_ACK - Remote shut down, then closed; awaiting acknowledgement
    LISTENING - Your computer is waiting for an incoming connection
    SYN_RECEIVED - Initial synchronization of the connection under way; about to connect
    SYN_SENT - Actively trying to establish connection
    TIME_WAIT - Wait after close for remote shutdown retransmission

    The above information is provided to help you interpret the
    information in the Alert log file. Zone Labs does not investigate
    possible intrusion attempts, and we do not analyze log files for
    this purpose. However, we are interested in receiving detailed,
    step-by-step results of vulnerability testing of our products.
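    As an added example (not from the post or from Zone Labs), a small Python parser that applies the event-code, TCP-flag and ICMP-type tables above to constructed sample entries and tallies inbound SYN-only packets per source host, the "connection attempt" case the explanation singles out. The comma-separated field layout (type, date, time, source, destination, protocol) and the `flags:`/`type:` notation inside the protocol field are assumptions about the file format, not something the post states.

```python
import re
from collections import Counter

# Event type codes as described by ZoneAlarm tech support above
EVENT_TYPES = {
    "FWIN": "inbound packet blocked", "FWOUT": "outbound packet blocked",
    "FWROUTE": "routed packet blocked", "FWLOOP": "loopback packet blocked",
    "LOCK": "lock violation", "PE": "program requested Internet access",
    "ACCESS": "program lacked access permission", "MS": "MailSafe quarantine",
}
TCP_FLAGS = {"S": "SYN", "F": "FIN", "R": "RESET", "P": "PUSH", "A": "ACK",
             "U": "URGENT", "4": "unused-low", "8": "unused-high"}
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 11: "Time Exceeded",
              12: "Parameter Problem", 13: "Timestamp Request", 17: "Address Mask Request"}

# Constructed sample entries; the comma-separated layout and the flags:/type:
# notation are assumptions about the log format, not taken from the post.
SAMPLE_LOG = """\
FWIN,2002/08/15,12:34:56 -8:00 GMT,203.0.113.7:3412,192.168.1.10:139,TCP (flags:S)
FWIN,2002/08/15,12:35:01 -8:00 GMT,203.0.113.7:3413,192.168.1.10:445,TCP (flags:S)
FWIN,2002/08/15,12:36:10 -8:00 GMT,198.51.100.2:0,192.168.1.10:0,ICMP (type:8/subtype:0)
FWOUT,2002/08/15,12:40:00 -8:00 GMT,192.168.1.10:1052,203.0.113.9:25,TCP (flags:SA)
PE,2002/08/15,12:41:00 -8:00 GMT,Internet Explorer,198.51.100.5:80,N/A
"""

def parse_line(line):
    """Split one entry into a dict, decoding TCP flag letters and ICMP types."""
    fields = line.strip().split(",")
    if len(fields) < 6:          # ZA pads short entries with N/A, so this is rare
        return None
    rec = dict(zip(("type", "date", "time", "src", "dst", "proto"), fields))
    rec["event"] = EVENT_TYPES.get(rec["type"], "unknown")
    m = re.search(r"flags:([SFRPAU48]+)", rec["proto"])
    if m:
        rec["flags"] = [TCP_FLAGS[c] for c in m.group(1)]
        # SYN on its own is a fresh connection attempt, not a reply (see above)
        rec["connection_attempt"] = m.group(1) == "S"
    m = re.search(r"type:(\d+)", rec["proto"])
    if m:
        rec["icmp"] = ICMP_TYPES.get(int(m.group(1)), "other")
    return rec

def summarize(text):
    """Return all parsed records plus a count of inbound SYN attempts per source host."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    attempts = Counter(r["src"].rsplit(":", 1)[0] for r in records
                       if r["type"] == "FWIN" and r.get("connection_attempt"))
    return records, attempts

if __name__ == "__main__":
    for r in summarize(SAMPLE_LOG)[0]:
        print(r["type"], r["event"], r.get("flags") or r.get("icmp") or r["proto"])
```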

  2. #2
    Senior Member
    zone alarm log analyzer is a good tool to do all the work.
    get it at http://zonelog.co.uk/

    there the info of the logs is listed, explained...

    nevertheless thanx for the info mayhem991
    "Knowledge is the Real Power"

  3. #3
    Member
    Thanks, I have done most of my own tracking using Excel and VB macros. I have looked at the site and the package looks useful.
