
Format of the events for HIPS 7.0 in Event.log

Hi,

I have to scan through the events in the Event.log file of HIPS 7.0. The problem is, I could not understand the format of these events. Following are some of the events:

10 1233626817 0.0.0.0  0 0 4 3961 3 0 0 2009-02-02 18:06:56 Illegal_API_Use NT Authority\Local System  C:\WINDOWS\System32\svchost.exe
6 1233628396 155.35.34.126 FirePacket2.cap 3700 4 3  2009-02-02 18:33:16  6 155.35.5.122 5376 155.35.34.126 3016 1 0
8 1233473445 0.0.0.0  0 C:\PROGRAM FILES\MCAFEE\HOST INTRUSION PREVENTION\FIRETRAY.EXE WZRhJ+Ed7qdgiPbEPWQgZA== 1 22

7 1233126652 155.35.5.216  30 17 155.35.5.122 35072 155.35.5.216 35072 1 1 4 C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE 0

...

For events starting with 10, I have come up with the following format:

1. Starts with 10
2. Has 13 fields
3. The following are significant fields:
   a. Field 2 – timestamp
   b. Field 3 – Host IP (0.0.0.0 indicates localhost)
   c. Field 6 – level
   d. Field 7 – HIPS ID. For the list of possible values and corresponding descriptions, please refer to HipsSigs.txt or IpsNames.txt at location C:\Program Files\McAfee\Host Intrusion Prevention\RepairCache\Resource
   e. Field 11 – Time
   f. Field 12 – Description
   g. Field 13 – Application Name

Can someone guide me to the appropriate resource, where I can find the format for these events?

Thanks in advance for your help.

Pavan
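As an added example (not part of the original post and not McAfee's own code), the type-10 layout hypothesised above turned into a parser with a consistency check between the epoch field and the local time field. It assumes whitespace-separated fields, field 2 as a Unix epoch, field 11 as a local "YYYY-MM-DD HH:MM:SS" pair, and the last token as the application path, with a user name of any length in between; the post's first event line is used as constructed input.

```python
"""Parser for the hypothesised type-10 HIPS Event.log layout (assumed, not documented)."""
import re
from datetime import datetime, timezone

# Constructed sample: the first event line quoted in the post.
SAMPLE = ("10 1233626817 0.0.0.0  0 0 4 3961 3 0 0 2009-02-02 18:06:56 "
          "Illegal_API_Use NT Authority\\Local System  C:\\WINDOWS\\System32\\svchost.exe")

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")


def parse_type10(line):
    """Map a type-10 line to named fields (field numbers below are 1-based, as in the post)."""
    tokens = line.split()
    if not tokens or tokens[0] != "10":
        raise ValueError("not a type-10 event")
    # Locate the date/time pair; it anchors the fixed fields in front of it.
    idx = next((i for i in range(len(tokens) - 1)
                if DATE_RE.match(tokens[i]) and TIME_RE.match(tokens[i + 1])), None)
    if idx != 10:
        raise ValueError(f"unexpected layout: date/time pair at token {idx}")
    return {
        "event_type": int(tokens[0]),
        "epoch": int(tokens[1]),                      # field 2 (assumed Unix epoch)
        "host_ip": tokens[2],                         # field 3
        "level": int(tokens[5]),                      # field 6
        "sig_id": int(tokens[6]),                     # field 7 (HIPS signature ID)
        "local_time": datetime.strptime(f"{tokens[10]} {tokens[11]}", "%Y-%m-%d %H:%M:%S"),
        "description": tokens[12],                    # field 12
        "user": " ".join(tokens[13:-1]),              # assumed: may contain spaces
        "application": tokens[-1],                    # field 13 (assumed last token)
    }


def implied_utc_offset_hours(event):
    """Sanity check for the field hypothesis: the epoch and the local time string should
    differ by a whole-hour UTC offset (a few seconds of tolerance for clock skew)."""
    utc_naive = datetime.fromtimestamp(event["epoch"], tz=timezone.utc).replace(tzinfo=None)
    delta = (event["local_time"] - utc_naive).total_seconds()
    hours = round(delta / 3600)
    if abs(delta - hours * 3600) > 5:
        raise ValueError("epoch and local time disagree; the field hypothesis is wrong")
    return hours


if __name__ == "__main__":
    ev = parse_type10(SAMPLE)
    print(ev["sig_id"], ev["description"], ev["application"], implied_utc_offset_hours(ev))
```

If the check raises, the epoch or time field is not where the hypothesis puts it, which is a quicker way to falsify a guessed layout than eyeballing lines.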