1.2. Context Parameters
In many cases, information regarding a certain object is featured in the log message. This can be
information about, for example, a connection. In this case, the log message should, besides all
the normal log message attributes, also include information about which protocol is used, source
and destination IP addresses and ports (if applicable), and so on.
As the same information will be included in many log messages, these are referenced as a Context Parameter. So whenever a log message includes information about a connection, it will feature the CONN parameter in the Context Parameter list. This means that additional information about the connection will also be included in the log message.
A description of all available context parameters follows with an explanation of all the additional
parameters. The names of the additional parameters are specified using the Syslog format.
ALG Module Name
An ALG is always of a certain type, for example FTP, H323 or HTTP. This parameter specifies the name of the ALG sub-module, in order to quickly distinguish which type of ALG this is.
algmod: The name of the ALG sub-module.
ALG Session ID
Each ALG session has its own session ID, which uniquely identifies an ALG session. This is useful, for example, when matching the opening of an ALG session with the closure of the same ALG session.
algsesid: The session ID of an ALG session.
Packet Buffer
Information about the packet buffer, which in turn contains a large number of additional objects. Certain parameters may or may not be included, depending on the type of packet buffer. For example, the TCP flags are only included if the buffer contains a TCP protocol, and the ICMP-specific parameters are only included if the buffer contains an ICMP protocol. Parameter names in square brackets are conditional.
recvif: The name of the receiving interface.
[hwsender]: The sender hardware address. Valid if the protocol is ARP.
[hwdest]: The destination hardware address. Valid if the protocol is ARP.
[arp]: The ARP state. Valid if the protocol is ARP. Possible values: request|reply.
[srcip]: The source IP address. Valid if the protocol is not ARP.
[destip]: The destination IP address. Valid if the protocol is not ARP.
iphdrlen: The IP header length.
[fragoffs]: Fragmentation offset. Valid if the IP packet is fragmented.
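As an added example (not from the manual or the NetDefend firmware), the following parser reads the Syslog parameter names listed above from a log line and checks the conditions the Packet Buffer and ALG sections state, so a log pipeline can flag lines whose conditional parameters do not fit the protocol they claim. The key=value line layout and the sample lines are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample lines using the parameter names above; the key=value
# layout is an assumption, not the manual's exact Syslog output.
SAMPLE_LINES = [
    "recvif=lan arp=request hwsender=00:11:22:33:44:55 hwdest=ff:ff:ff:ff:ff:ff iphdrlen=20",
    "recvif=wan srcip=203.0.113.7 destip=198.51.100.2 iphdrlen=20 fragoffs=1480",
    "recvif=wan srcip=203.0.113.7 destip=198.51.100.2 iphdrlen=20 arp=reply",
    "algmod=ftp algsesid=4711 recvif=lan srcip=192.0.2.10 destip=198.51.100.20 iphdrlen=20",
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PACKET_BUFFER_KEYS = ("hwsender", "hwdest", "arp", "srcip", "destip", "iphdrlen", "fragoffs")


def parse_params(line: str) -> Dict[str, str]:
    """Extract key=value pairs (quoted values allowed) into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def check_context(params: Dict[str, str]) -> List[str]:
    """Apply the validity rules from the Packet Buffer and ALG sections.
    Returns a list of inconsistencies; an empty list means the line is consistent."""
    problems: List[str] = []
    is_arp = "arp" in params
    if is_arp and params["arp"] not in ("request", "reply"):
        problems.append(f"arp has unexpected value {params['arp']!r}")
    for key in ("hwsender", "hwdest"):      # only valid for ARP
        if key in params and not is_arp:
            problems.append(f"{key} present but protocol is not ARP")
    for key in ("srcip", "destip"):         # only valid when not ARP
        if key in params and is_arp:
            problems.append(f"{key} present but protocol is ARP")
    # recvif and iphdrlen are unconditional whenever a Packet Buffer is present
    if any(k in params for k in PACKET_BUFFER_KEYS):
        for key in ("recvif", "iphdrlen"):
            if key not in params:
                problems.append(f"Packet Buffer present but {key} missing")
    if "algsesid" in params and "algmod" not in params:
        problems.append("algsesid present without algmod")
    return problems


def audit(lines: List[str]) -> Dict[int, List[str]]:
    """Return {line index: problems} for every line that fails a rule."""
    result = {i: check_context(parse_params(l)) for i, l in enumerate(lines)}
    return {i: p for i, p in result.items() if p}
```

Running `audit(SAMPLE_LINES)` flags only the third line, where srcip and destip appear together with an ARP state.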
Chapter 1: Introduction
38