"ZAlog.txt" contains information on ZoneAlarm Alerts. The location of this file (assumes default Windows home directories, adapt to your own system as necessary) is:
Windows 9x/Me: C:\Windows\Internet Logs
Windows 2000: C:\Winnt\Internet Logs
Windows XP/Vista: C:\Windows\Internet Logs
A description of information that ZoneAlarm logs is below.
The timestamp is given in the computer's local time (e.g. GMT -08:00). If the time zone shown is wrong, correct the time zone in your Windows settings. See your local Windows help files for more information on how to do this.
FWIN: indicates that the firewall blocked an inbound packet of data coming to your computer. Some, but not all, of these packets are connection attempts.
FWOUT: indicates that the firewall blocked an outbound packet of data from leaving your computer.
FWROUTE: indicates that the firewall blocked a packet that was not addressed to or from your computer, but was routed through it.
FWLOOP: indicates that the firewall blocked a packet addressed to the loopback adapter (127.0.0.1).
LOCK: indicates that the firewall blocked a packet due to a lock violation.
PE: indicates that an application on your computer requested access to the Internet.
N/A: "Not Applicable". For any log file entry (often PE) with fewer than 6 fields to report, ZA/ZAP pads that line with "N/A".
ACCESS: an application was blocked because it did not have access permission.
MS: MailSafe quarantined a file attachment.
The TCP flags are:
S (SYN),
F (FIN),
R (RESET),
P (PUSH),
A (ACK),
U (URGENT),
4 (low-order unused bit),
8 (high-order unused bit)
The SYN flag is only set in the first packet initiating a TCP connection. It represents an attempt to make a connection rather than a response to an existing connection. The FIN flag represents an attempt to terminate a connection.
ICMP types:
0 - Echo Reply
3 - Destination Unreachable
4 - Source Quench
5 - Redirect
8 - Echo Request
9 - Router Advertisement
10 - Router Solicitation
11 - Time Exceeded
12 - Parameter Problem
13 - Timestamp Request
14 - Timestamp Reply
15 - Information Request
16 - Information Reply
17 - Address Mask Request
18 - Address Mask Reply
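The following parser is an added example, not part of the ZoneAlarm article: it reads ZAlog.txt entries, applies the N/A padding, decodes the TCP flag letters and ICMP type numbers using the tables above, and counts blocked inbound SYN-only packets per source address (the connection-attempt pattern the article describes). It assumes a comma-separated six-field layout (type, date, time, source, destination, protocol details) that the article does not spell out, and the sample lines are constructed.

```python
import re
from collections import Counter

# Flag letters and ICMP type numbers exactly as the article lists them.
TCP_FLAGS = {"S": "SYN", "F": "FIN", "R": "RESET", "P": "PUSH", "A": "ACK",
             "U": "URGENT", "4": "low-order unused bit", "8": "high-order unused bit"}
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo Request", 9: "Router Advertisement",
              10: "Router Solicitation", 11: "Time Exceeded", 12: "Parameter Problem",
              13: "Timestamp Request", 14: "Timestamp Reply", 15: "Information Request",
              16: "Information Reply", 17: "Address Mask Request", 18: "Address Mask Reply"}

# Constructed sample entries (not a real log); addresses are documentation ranges.
SAMPLE_LOG = """\
FWIN,2004/03/01,12:06:38 -8:00 GMT,203.0.113.7:2211,192.0.2.10:445,TCP (flags:S)
FWIN,2004/03/01,12:06:39 -8:00 GMT,203.0.113.7:2212,192.0.2.10:139,TCP (flags:S)
FWIN,2004/03/01,12:07:02 -8:00 GMT,198.51.100.4:0,192.0.2.10:0,ICMP (type:8/subtype:0)
FWOUT,2004/03/01,12:08:11 -8:00 GMT,192.0.2.10:1034,203.0.113.9:80,TCP (flags:A)
PE,2004/03/01,12:09:43 -8:00 GMT,Microsoft Outlook,192.0.2.20:110
"""

def parse_entry(line):
    """Parse one line into a dict. Assumed layout (the article does not spell it out):
    type,date,time,source,destination,protocol-details; short lines are N/A-padded."""
    fields = [f.strip() for f in line.strip().split(",")]
    fields += ["N/A"] * (6 - len(fields))          # mirror ZoneAlarm's own N/A padding
    entry = dict(zip(["type", "date", "time", "source", "destination", "details"], fields))
    m = re.fullmatch(r"TCP \(flags:([SFRPAU48]+)\)", entry["details"])
    if m:
        entry["protocol"] = "TCP"
        entry["flags"] = [TCP_FLAGS[c] for c in m.group(1)]
    m = re.fullmatch(r"ICMP \(type:(\d+)/subtype:(\d+)\)", entry["details"])
    if m:
        entry["protocol"] = "ICMP"
        entry["icmp_type"] = ICMP_TYPES.get(int(m.group(1)), "unknown type " + m.group(1))
    return entry

def parse_log(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]

def blocked_syn_by_source(entries):
    """Count FWIN entries whose only flag is SYN, per source IP: one address repeatedly
    hitting different ports is the trace a port scan leaves in this log."""
    counts = Counter()
    for e in entries:
        if e["type"] == "FWIN" and e.get("flags") == ["SYN"]:
            counts[e["source"].rsplit(":", 1)[0]] += 1
    return dict(counts)
```

Run `blocked_syn_by_source(parse_log(open(path).read()))` against a real ZAlog.txt to list the sources with the most blocked connection attempts.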
If you use netstat (from a DOS prompt, type netstat -an), here are some useful connection states to know:
CLOSE_WAIT - Remote shut down; waiting for the socket to close
CLOSED - The connection is disconnected and not being used
CLOSING - Closed, then remote shutdown; awaiting ack. Attempting to shut down connection
ESTABLISHED - Connection has been established; connection is active
FIN_WAIT_1 - Socket closed; shutting down connection
FIN_WAIT_2 - Socket closed; waiting for shutdown from other computer
LAST_ACK - Remote shut down, then closed; awaiting acknowledgement
LISTENING - Your computer is waiting for an incoming connection
SYN_RECEIVED - Initial synchronization of the connection under way; about to connect
SYN_SENT - Actively trying to establish connection
TIME_WAIT - Wait after close for remote shutdown retransmission
The above information is provided to help you interpret the information in the Alert log file. ZoneAlarm does not investigate possible intrusion attempts, and we do not analyze log files for this purpose. However, we are interested in receiving detailed, step-by-step results of vulnerability testing of our products.
How do I read the ZoneAlarm log files?