February 7th, 2003, 11:27 PM
ZoneAlarm Log explanation
I asked ZoneAlarm Tech support for an explanation of their logs because I heard members say the logs were cumbersome. The explanation that follows came directly from ZoneAlarm tech support.
Windows 9x/Me : C:\Windows\Internet Logs
NT/2000 : C:\Winnt\Internet Logs
In Windows XP it could be either of these folders.
A description of information that ZoneAlarm logs is below.
The timestamp is given in the computer's local time (ex: GMT -
08:00). If it shows an incorrect time zone then you must change your
Windows settings. See your local Windows help files for more
information on how to do this.
FWIN: indicates that the firewall blocked an inbound packet of data
coming to your computer. Some, but not all, of these packets are
FWOUT: indicates that the firewall blocked an outbound packet of
data from leaving your computer.
FWROUTE - the firewall blocked a packet that was not addressed to or
from your computer, but was routed through it.
FWLOOP - the firewall blocked a packet addressed to the loopback
LOCK - the firewall blocked a packet due to a lock violation
PE: indicates that an application on your computer requested access
to the Internet.
N/A: "Not Applicable" - for any log file entries (often PE) with
less than 6 fields to report, ZA/ZAP will pad that line with "N/A"
ACCESS - an application was blocked because it did not have access
MS - MailSafe quarantined a file attachment
The TCP flags are:
4 (low-order unused bit),
8 (high-order unused bit)
The SYN-flag is only set in the first packet initiating a TCP
connection. It represents an attempt to make a connection rather
than a response to an existing connection.
The FIN-flag represents an attempt to terminate a connection.
0 - Echo Reply
3 - Destination Unreachable
4 - Source Quench
5 - Redirect
8 - Echo Request
9 - Router Advertisement
10 - Router Solicitation
11 - Time Exceeded
12 - Parameter Problem
13 - Timestamp Request
14 - Timestamp Reply
15 - Information Request
16 - Information Reply
17 - Address Mask Request
18 - Address Mask Reply
If you use netstat (from a DOS prompt, type netstat -an) here are
some useful terms to know:
CLOSE_WAIT Remote shut down: waiting for the socket to close
CLOSED The connection is disconnected and not being used
CLOSING Closed, then remote shutdown: awaiting ack. Attempting to
shut down connection
ESTABLISHED Connection has been established, connection is active
FIN_WAIT_1 Socket closed, shutting down connection
FIN_WAIT_2 Socket closed, waiting for shutdown from other computer
LAST_ACK Remote shut down, then closed: awaiting acknowledgement
LISTENING Your computer is waiting for an incoming connection
SYN_RECEIVED Initial synchronization of the connection under way,
about to connect
SYN_SENT Actively trying to establish connection
TIME_WAIT Wait after close for remote shutdown retransmission
The above information is provided to help you interpret the
information in the Alert log file. Zone Labs does not investigate
possible intrusion attempts, and we do not analyze log files for
this purpose. However, we are interested in receiving detailed,
step-by-step results of vulnerability testing of our products.
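To show how the record types, ICMP type numbers and TCP flag notes above can be applied when reading a log by hand, here is a small parser and triage script. This is an added example, not ZoneAlarm's code or anything from the tech support reply: the comma-separated line layout (type, date, time, source, destination, protocol) and the protocol-field spellings like "TCP (flags:S)" and "ICMP (type:8/subtype:0)" are assumptions, and the log lines in SAMPLE_LOG are constructed for the demonstration. The decoding tables are taken from the explanation above; the padding of short entries with "N/A" follows the note on entries with fewer than 6 fields.

```python
"""Parse ZoneAlarm-style firewall log lines and pick out blocked probes.

Assumed (constructed) line layout, not taken from ZoneAlarm documentation:
    TYPE,YYYY/MM/DD,HH:MM:SS <tz>,SRC_IP:PORT,DST_IP:PORT,PROTO
PROTO examples: "TCP (flags:S)", "UDP", "ICMP (type:8/subtype:0)".
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Record types, as described by ZoneAlarm support.
RECORD_TYPES = {
    "FWIN": "blocked inbound packet",
    "FWOUT": "blocked outbound packet",
    "FWROUTE": "blocked packet routed through this host",
    "FWLOOP": "blocked packet addressed to loopback",
    "LOCK": "blocked due to a lock violation",
    "PE": "application requested Internet access",
    "ACCESS": "application blocked (no access)",
    "MS": "MailSafe quarantined an attachment",
}

# ICMP message types, from the table in the explanation.
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo Request", 9: "Router Advertisement",
    10: "Router Solicitation", 11: "Time Exceeded", 12: "Parameter Problem",
    13: "Timestamp Request", 14: "Timestamp Reply", 15: "Information Request",
    16: "Information Reply", 17: "Address Mask Request", 18: "Address Mask Reply",
}

# Constructed sample log (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = """\
FWIN,2003/02/07,23:27:30 -8:00 GMT,198.51.100.7:4120,192.0.2.10:135,TCP (flags:S)
FWIN,2003/02/07,23:27:31 -8:00 GMT,198.51.100.7:4121,192.0.2.10:139,TCP (flags:S)
FWIN,2003/02/07,23:27:45 -8:00 GMT,198.51.100.7:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWIN,2003/02/07,23:28:02 -8:00 GMT,203.0.113.9:1026,192.0.2.10:137,UDP
FWOUT,2003/02/07,23:28:10 -8:00 GMT,192.0.2.10:1034,203.0.113.9:25,TCP (flags:S)
PE,2003/02/07,23:28:15 -8:00 GMT,Mozilla,203.0.113.50:80
FWLOOP,2003/02/07,23:28:20 -8:00 GMT,127.0.0.1:5000,127.0.0.1:5000,TCP (flags:S)
"""


@dataclass
class Entry:
    kind: str
    date: str
    time: str
    src: str      # source address:port (for PE entries: the program name)
    dst: str      # destination address:port
    proto: str    # TCP, UDP, ICMP or N/A
    detail: str   # decoded ICMP type or TCP flag note, "" if none


_ICMP_RE = re.compile(r"ICMP \(type:(\d+)/subtype:(\d+)\)")
_TCP_RE = re.compile(r"TCP \(flags:([A-Z]+)\)")


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for blank or unrecognised lines."""
    fields = [f.strip() for f in line.strip().split(",")]
    if not fields or fields[0] not in RECORD_TYPES:
        return None
    # Short entries (often PE) are padded with "N/A" up to 6 fields.
    fields += ["N/A"] * (6 - len(fields))
    kind, date, time, src, dst, proto = fields[:6]
    detail = ""
    m = _ICMP_RE.match(proto)
    if m:
        detail = ICMP_TYPES.get(int(m.group(1)), "unknown type " + m.group(1))
        proto = "ICMP"
    else:
        m = _TCP_RE.match(proto)
        if m:
            flags = m.group(1)
            # SYN alone is the first packet of a new connection attempt;
            # FIN is an attempt to terminate an existing connection.
            notes = {"S": "connection attempt (SYN)", "F": "teardown (FIN)"}
            detail = notes.get(flags, "flags " + flags)
            proto = "TCP"
    return Entry(kind, date, time, src, dst, proto, detail)


def host(addr: str) -> str:
    return addr.rsplit(":", 1)[0]


def port(addr: str) -> str:
    return addr.rsplit(":", 1)[1] if ":" in addr else ""


def summarize(lines):
    """Counts by record type, decoded ICMP blocks and inbound target ports."""
    entries = [e for e in map(parse_line, lines) if e]
    return {
        "entries": entries,
        "by_type": Counter(e.kind for e in entries),
        "icmp": [(host(e.src), e.detail) for e in entries if e.proto == "ICMP"],
        "inbound_ports": Counter(port(e.dst) for e in entries if e.kind == "FWIN"),
    }


def inbound_syn_probes(entries, min_ports=2):
    """Sources whose blocked inbound SYNs hit at least min_ports distinct ports."""
    ports = defaultdict(set)
    for e in entries:
        if e.kind == "FWIN" and e.proto == "TCP" and e.detail.endswith("(SYN)"):
            ports[host(e.src)].add(port(e.dst))
    return sorted((h, sorted(p)) for h, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for kind, n in report["by_type"].items():
        print(f"{kind:8} {n:3}  {RECORD_TYPES[kind]}")
    print("ICMP blocked:", report["icmp"])
    print("Inbound SYN probes:", inbound_syn_probes(report["entries"]))
```

The interesting output is the last line: one source address with blocked FWIN SYNs to several distinct ports is the pattern the SYN-flag paragraph describes (connection attempts, not replies), and a host appearing there repeatedly is what is worth looking into rather than the raw volume of FWIN lines.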
February 8th, 2003, 05:17 PM
zone alarm log analyzer is a good tool to do all the work.
get it at http://zonelog.co.uk/
there the info of the logs is listed, explained...
nevertheless thanx for the info mayhem991
"Knowledge is the Real Power"
February 8th, 2003, 09:36 PM
Thanks, I have done most of my own tracking using Excel and VB macros. I have looked at the site and the package looks useful.