Does anybody have any documentation on the format Check Point uses for the
binary log file format in FW1 version 4.1SP1? I'd like to get at some of
the raw data before fw logexport converts it into a "readable" format.
The format of most of the records is defined in $FWDIR/lib/formats.def, but
each record has a 128-bit header, and most records have a 32-bit footer,
that I've only been able to partially decode. Here's what I've pieced
together so far for the record header:
range (bits)  description
0-15          unknown (seems to be 0x0001 in most cases)
16-31         record size (not including header or footer)
32-63         origin of the record
64-95         timestamp
96-103        ID of record type (defined at the beginning of the file; derived from $FWDIR/lib/formats.def)
104-105       unknown
106-111       ID of interface name (defined at the beginning of the file)
112-117       unknown (probably an ID code for the action, but where is it mapped to accept, drop, etc?)
118-119       direction (01 = outbound; 00 = inbound)
120-127       unknown (seems to be 0x94 in most cases)
The footer seems to be fairly consistently 0x00ffffff (in the case of "log"
entries) except for a couple of cases where it's nonexistent or it's
0x00000000 (in the case of "alert" entries). Are there any other possible
values for this?
Michael Lea
Information Security
Manitoba Public Insurance
Phone: (204) 985-8224
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
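As an added illustration (not code from the original post or from Check Point), here is a Python parser for the record header layout described above, with the optional footer handled as the post reports it. It assumes big-endian byte order, MSB-first bit numbering within each byte, that the 32-bit origin is an IPv4 address and the timestamp a Unix epoch value, and that an absent footer can be detected because the four bytes after the body do not equal either reported footer value; none of these assumptions is confirmed by the post.

```python
import struct
from dataclasses import dataclass

HEADER_LEN, FOOTER_LEN = 16, 4
FOOTER_LOG, FOOTER_ALERT = 0x00FFFFFF, 0x00000000  # footer values the post reports

@dataclass
class RecordHeader:
    magic: int      # bits 0-15, unknown (0x0001 in most records)
    size: int       # bits 16-31, body length excluding header and footer
    origin: str     # bits 32-63, decoded as dotted IPv4 (assumption)
    timestamp: int  # bits 64-95, assumed to be Unix epoch seconds
    type_id: int    # bits 96-103, index into the record-type table
    unk104: int     # bits 104-105, unknown
    iface_id: int   # bits 106-111, index into the interface-name table
    action_id: int  # bits 112-117, presumed action code
    direction: str  # bits 118-119, 01 = outbound, 00 = inbound
    unk120: int     # bits 120-127, unknown (0x94 in most records)

def parse_header(buf: bytes) -> RecordHeader:
    """Decode one 16-byte header; big-endian words and MSB-first bit numbering assumed."""
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated header")
    magic, size, origin, ts, type_id, b13, b14, b15 = struct.unpack(">HHIIBBBB", buf[:HEADER_LEN])
    dir_code = b14 & 0x03
    return RecordHeader(
        magic, size, ".".join(str(b) for b in origin.to_bytes(4, "big")), ts, type_id,
        b13 >> 6, b13 & 0x3F, b14 >> 2,
        {1: "outbound", 0: "inbound"}.get(dir_code, f"unknown({dir_code})"), b15)

def split_record(buf: bytes, offset: int = 0):
    """Return (header, body, footer or None, next offset); the optional footer is
    consumed only when the 4 bytes after the body equal a known footer value."""
    hdr = parse_header(buf[offset:offset + HEADER_LEN])
    body_start, body_end = offset + HEADER_LEN, offset + HEADER_LEN + hdr.size
    if body_end > len(buf):
        raise ValueError("record body runs past end of buffer")
    footer = None
    if len(buf) >= body_end + FOOTER_LEN:
        cand = struct.unpack(">I", buf[body_end:body_end + FOOTER_LEN])[0]
        if cand in (FOOTER_LOG, FOOTER_ALERT):
            footer, body_end = cand, body_end + FOOTER_LEN
    return hdr, buf[body_start:body_start + hdr.size], footer, body_end

# Constructed sample: a "log" record with footer, then an "alert" record with no footer.
SAMPLE = (struct.pack(">HHIIBBBB", 1, 5, 0x0A000001, 0x386D4380, 3, 0x05, 0x09, 0x94)
          + b"hello" + struct.pack(">I", FOOTER_LOG)
          + struct.pack(">HHIIBBBB", 1, 3, 0xC0A80101, 0x386D4381, 7, 0x02, 0x04, 0x94) + b"abc")
```

Walking a real file with split_record in a loop and logging every footer candidate that is neither 0x00ffffff nor 0x00000000 is a direct way to answer the question about other possible footer values.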