How do I read the ZoneAlarm log files?

Updated

"ZAlog.txt" contains information on ZoneAlarm Alerts. The location of this file (assumes default Windows home directories, adapt to your own system as necessary) is: 

Windows 9x/Me : C:\Windows\Internet Logs 2000 : C:\Winnt\Internet Logs XP/Vista : C:\Windows\Internet Logs 

A description of information that ZoneAlarm logs is below. 

The timestamp is given in the computer's local time (ex: GMT - 08:00). If it shows an incorrect time zone then you must change your Windows settings. See your local Windows help files for more information on how to do this. 

FWIN: indicates that the firewall blocked an inbound packet of data coming to your computer. Some, but not all, of these packets are connection attempts. 

FWOUT: indicates that the firewall blocked an outbound packet of data from leaving your computer. 

FWROUTE - the firewall blocked a packet that was not addressed to or from your computer, but was routed through it. 

FWLOOP - the firewall blocked a packet addressed to the loopback adapter (127.0.0.1) 

LOCK - the firewall blocked a packet due to a lock violation 

PE: indicates that an application on your computer requested access to the Internet. 

N/A: "Not Applicable" - for any log file entries (often PE) with less than 6 fields to report, ZA/ZAP will pad that line with "N/A" ACCESS - an application was blocked because it did not have access permission 

MS - MailSafe quarantined a file attachment 

The TCP flags are: 
S (SYN), 
F (FIN), 
R (RESET), 
P (PUSH), 
A (ACK), 
U (URGENT), 
4 (low-order unused bit), 
8 (high-order unused bit) 

The SYN-flag is only set in the first packet initiating a TCP connection. It represents an attempt to make a connection rather than a response to an existing connection. The FIN-flag represents an attempt to terminate a connection. 

ICMP types: 
0 - Echo Reply 
3 - Destination Unreachable 
4 - Source Quench 
5 - Redirect 
8 - Echo Request 
9 - Router Advertisement 
10 - Router Solicitation 
11 - Time Exceeded 
12 - Parameter Problem 
13 - Timestamp Request 
14 - Timestamp Reply 
15 - Information Request 
16 - Information Reply 
17 - Address Mask Request 
18 - Address Mask Reply 

If you use netstat (from a DOS prompt, type netstat -an) here are some useful terms to know: 

CLOSE_WAIT Remote shut down: waiting for the socket to close 
CLOSED The connection is disconnected and not being used 
CLOSING Closed, then remote shutdown: awaiting ack. Attempting to shut down connection 
ESTABLISHED Connection has been established, connection is active 
FIN_WAIT_1 Socket closed, shutting down connection 
FIN_WAIT_2 Socket closed, waiting for shutdown from other computer 
LAST_ACK Remote shut down, then closed: awaiting acknowledgement 
LISTENING Your computer is waiting for an incoming connection 
SYN_RECEIVED Initial synchronization of the connection under way, about to connect 
SYN_SENT Actively trying to establish connection 
TIME_WAIT Wait after close for remote shutdown retransmission 

The above information is provided to help you interpret the information in the Alert log file. ZoneAlarm does not investigate possible intrusion attempts, and we do not analyze log files for this purpose. However, we are interested in receiving detailed, step-by-step results of vulnerability testing of our products.

Was this article helpful?

Have more questions?

Submit Request