
Sophos SG310 -Interpreting Dropped Packets in Firewall Log

We have a Sophos SG310 Firmware v9.714-4. I am trying to figure out some issues and have been reviewing the firewall log, but I'm unable to figure something out.

Below is an example of a dropped packet listed in the Firewall log.

2023:02:24-01:14:33 utm-wi01-1 ulogd[13185]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:2c:c8:fb:0e:80" dstmac="00:1a:8c:f0:03:c0" srcip="172.16.1.17" dstip="195.133.40.15" proto="17" length="78" tos="0x00" prec="0x00" ttl="127" srcport="137" dstport="137"

The item I'm having problems with is the "fwrule". I haven't been able to figure out or find how to translate the fwrule number (in this case 63001) to match up with the rules listed on the SG310. Is there a secret decoder ring?

I'm sure it's something obvious but so far I'm stumped.



  • Your example above is an advanced threat detection (ATP)

    name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A"

    Here is your list you asked for:  https://lists.astaro.com/ASGV9-IPS-rules.html

    I think that is a bit outdated, but you might find the updated list on Snort's site.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • That's quite a list.

    I probably didn't ask this question clearly and may have used a bad example to boot.

    The Sophos firewall log is pretty much all dropped packets. What I'm looking for is how to interpret the "fwrule" number. I looked at the log for just part of a day and it contained a mere 234,000 entries. I searched through those entries and got this list of unique fwrule numbers.

    • 0
    • 34
    • 60001
    • 60002
    • 60003
    • 60004
    • 60005
    • 60006
    • 62001
    • 62004

    When I go into the Sophos firewall rule setup (Network - Protection - Firewall - Rules) I can't find any reference to the fwrule numbers listed above.

    For any given firewall dropped packet, I'd like to know what rule dropped the packet.

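The tally of unique fwrule numbers described in the post above can be produced directly from the ulogd lines. The following is an added example, not code from the forum thread or from Sophos. It assumes the lines keep the syslog prefix shown in the question (timestamp, hostname, `ulogd[pid]:`) followed by `key="value"` pairs; the sample log is constructed except for the ATP line quoted in the question. It does not map fwrule numbers to WebAdmin rules (the page gives no such mapping); it extracts each line's fields, keeps only packetfilter drops, and groups them by fwrule together with the source/destination tuples seen under each rule, so every rule number can be examined in context.

```python
import re
from collections import Counter, defaultdict

# Syslog prefix written by ulogd on Sophos UTM: "<ts> <host> ulogd[<pid>]: "
PREFIX_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+ulogd\[(?P<pid>\d+)\]:\s*')
# Each remaining field is key="value"; values in this format contain no double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')

# IANA protocol numbers that appear in the "proto" field
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed sample log: line 1 is the ATP drop quoted in the question,
# the rest are made-up lines in the same format.
SAMPLE_LOG = [
    '2023:02:24-01:14:33 utm-wi01-1 ulogd[13185]: id="2022" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped (ATP)" action="drop" fwrule="63001" initf="eth0" threatname="C2/Generic-A" srcmac="00:2c:c8:fb:0e:80" dstmac="00:1a:8c:f0:03:c0" srcip="172.16.1.17" dstip="195.133.40.15" proto="17" length="78" tos="0x00" prec="0x00" ttl="127" srcport="137" dstport="137"',
    '2023:02:24-01:15:01 utm-wi01-1 ulogd[13185]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="172.16.1.20" dstip="172.16.1.1" proto="6" length="52" ttl="128" srcport="51234" dstport="445"',
    '2023:02:24-01:15:02 utm-wi01-1 ulogd[13185]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth0" srcip="172.16.1.21" dstip="224.0.0.251" proto="17" length="64" ttl="255" srcport="5353" dstport="5353"',
    '2023:02:24-01:15:05 utm-wi01-1 ulogd[13185]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="34" initf="eth1" srcip="203.0.113.9" dstip="198.51.100.2" proto="6" length="60" ttl="49" srcport="40022" dstport="23"',
    '2023:02:24-01:15:06 utm-wi01-1 ulogd[13185]: id="2002" severity="info" sys="SecureNet" sub="packetfilter" name="Packet accepted" action="accept" fwrule="2" initf="eth0" srcip="172.16.1.30" dstip="198.51.100.7" proto="6" length="52" ttl="128" srcport="52000" dstport="443"',
    '2023:02:24-01:15:09 utm-wi01-1 ulogd[13185]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="0" initf="eth1" srcip="198.51.100.2" dstip="203.0.113.9" proto="1" length="84" ttl="64"',
]


def parse_ulogd_line(line):
    """Return a dict of the fields in one log line, or None when the line
    lacks the ulogd syslog prefix (e.g. a line from another daemon)."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(m.groupdict())
    fields.update(KV_RE.findall(line[m.end():]))
    proto = fields.get("proto")
    fields["proto_name"] = PROTO_NAMES.get(proto, proto)
    return fields


def summarize_by_fwrule(lines):
    """Count packetfilter drops per fwrule and record, for each rule, how
    often every (srcip, dstip, proto, dstport) tuple was dropped under it."""
    counts = Counter()
    tuples = defaultdict(Counter)
    for line in lines:
        f = parse_ulogd_line(line)
        if f is None or f.get("sub") != "packetfilter" or f.get("action") != "drop":
            continue
        rule = f.get("fwrule", "?")
        counts[rule] += 1
        tuples[rule][(f.get("srcip"), f.get("dstip"), f["proto_name"], f.get("dstport"))] += 1
    return counts, tuples


def unique_fwrules(lines):
    """The sorted list of distinct fwrule numbers seen on dropped packets."""
    counts, _ = summarize_by_fwrule(lines)
    return sorted(counts, key=lambda r: int(r) if r.isdigit() else -1)


if __name__ == "__main__":
    counts, tuples = summarize_by_fwrule(SAMPLE_LOG)
    for rule in unique_fwrules(SAMPLE_LOG):
        print(f"fwrule={rule}: {counts[rule]} drop(s)")
        for (src, dst, proto, dport), n in tuples[rule].most_common(3):
            print(f"    {n}x {src} -> {dst} {proto} dport={dport}")
```

Feeding the real log file to `summarize_by_fwrule` (for example `summarize_by_fwrule(open("packetfilter.log"))`) gives the same per-rule breakdown over the full day; the accepted packet and lines without the ulogd prefix are skipped, and the per-rule tuples show which hosts, protocols and ports each rule number is actually dropping.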