0 Replies Latest reply on Sep 17, 2010 6:33 AM by pavankishorevuppada

    Format of the events for HIPS 7.0 in Event.log

      Hi,


      I have to scan through the events in the Event.log file of HIPS 7.0. The problem is that I could not understand the format of these events. The following are some of the events:



      10 1233626817 0.0.0.0  0 0 4 3961 3 0 0 2009-02-02 18:06:56 Illegal_API_Use NT Authority\Local System  C:\WINDOWS\System32\svchost.exe
      6 1233628396 155.35.34.126 FirePacket2.cap 3700 4 3  2009-02-02 18:33:16  6 155.35.5.122 5376 155.35.34.126 3016 1 0
      8 1233473445 0.0.0.0  0 C:\PROGRAM FILES\MCAFEE\HOST INTRUSION PREVENTION\FIRETRAY.EXE WZRhJ+Ed7qdgiPbEPWQgZA== 1 22

      7 1233126652 155.35.5.216  30 17 155.35.5.122 35072 155.35.5.216 35072 1 1 4 C:\WINDOWS\SYSTEM32\NTOSKRNL.EXE 0

      ...


      For events starting with 10, I have come up with the following format:

      1. Starts with 10

      2. Has 13 fields

      3. The following are the significant fields:

      a. Field 2 – timestamp

      b. Field 3 – host IP (0.0.0.0 indicates localhost)

      c. Field 6 – level

      d. Field 7 – HIPS ID. For the list of possible values and their descriptions, please refer to HipsSigs.txt or IpsNames.txt at C:\Program Files\McAfee\Host Intrusion Prevention\RepairCache\Resource

      e. Field 11 – time

      f. Field 12 – description

      g. Field 13 – application name


        Can someone point me to the appropriate resource where I can find the format of these events?


      Thanks in advance for your help.


      Pavan
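An added example, not part of the post above and not McAfee's own code, showing how the type-10 layout sketched in the post can be turned into a parser and run over the quoted lines. Everything beyond the post's field list is an assumption made here: the file is treated as tab-delimited with tabs possibly collapsed to runs of spaces, the text after the description is split into an account name and an executable path (the post's single "application name" field does not separate these), and the names given to the fields are the poster's, not McAfee's. One thing the parser adds that the post does not: it converts field 2 (epoch seconds) to UTC and compares it with field 11 (local wall-clock time), which yields the sensor's UTC offset and flags any clock drift when these events are correlated with other logs.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, modelled on the ones quoted in the post above.
# The real Event.log is assumed to be tab-delimited; here the tabs have
# become runs of spaces, so the parser accepts either delimiter.
SAMPLE_EVENTS = [
    "10 1233626817 0.0.0.0  0 0 4 3961 3 0 0 2009-02-02 18:06:56 Illegal_API_Use "
    "NT Authority\\Local System  C:\\WINDOWS\\System32\\svchost.exe",
    "6 1233628396 155.35.34.126 FirePacket2.cap 3700 4 3  2009-02-02 18:33:16  6 "
    "155.35.5.122 5376 155.35.34.126 3016 1 0",
]

# Field layout for type-10 events as sketched in the post (assumed, not
# documented): ten whitespace-separated tokens, a local "YYYY-MM-DD HH:MM:SS"
# time, the signature description, then free text (account and/or path).
# Fields 4, 5, 8, 9 and 10 are captured but their meaning is unknown.
TYPE10_RE = re.compile(
    r"^10\s+(?P<epoch>\d+)\s+(?P<host>[\d.]+)\s+"
    r"(?P<f4>\d+)\s+(?P<f5>\d+)\s+(?P<level>\d+)\s+(?P<sig_id>\d+)\s+"
    r"(?P<f8>\d+)\s+(?P<f9>\d+)\s+(?P<f10>\d+)\s+"
    r"(?P<local_time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+"
    r"(?P<description>\S+)\s*(?P<tail>.*)$"
)


def parse_type10(line):
    """Parse one type-10 event line; return a dict, or None for other types."""
    m = TYPE10_RE.match(line.strip())
    if not m:
        return None

    # The tail ("NT Authority\Local System  C:\...\svchost.exe" in the sample)
    # holds an account and an executable. Splitting on a tab or two-plus
    # spaces and taking the last element as the application is an assumption.
    tail = [t for t in re.split(r"\t|\s{2,}", m.group("tail").strip()) if t]
    application = tail[-1] if tail else ""
    user = " ".join(tail[:-1]) if len(tail) > 1 else ""

    epoch = int(m.group("epoch"))
    local = datetime.strptime(m.group("local_time"), "%Y-%m-%d %H:%M:%S")
    # Field 2 is epoch seconds (UTC); field 11 is the sensor's local clock.
    utc = datetime.fromtimestamp(epoch, timezone.utc).replace(tzinfo=None)

    return {
        "type": 10,
        "epoch": epoch,
        "utc_time": utc,
        "local_time": local,
        # Seconds the local clock is ahead of UTC (negative = behind). For the
        # sample this is -8h minus one second, i.e. a UTC-8 sensor with ~1 s
        # of skew between the two timestamps.
        "utc_offset_seconds": int((local - utc).total_seconds()),
        "host": m.group("host"),
        "is_localhost": m.group("host") == "0.0.0.0",
        "level": int(m.group("level")),
        "signature_id": int(m.group("sig_id")),
        "description": m.group("description"),
        "user": user,
        "application": application,
    }


def scan_events(lines, min_level=0):
    """Yield parsed type-10 events at or above min_level; other types are skipped."""
    for line in lines:
        ev = parse_type10(line)
        if ev is not None and ev["level"] >= min_level:
            yield ev


if __name__ == "__main__":
    for ev in scan_events(SAMPLE_EVENTS):
        print(ev["utc_time"], ev["signature_id"], ev["description"],
              ev["user"], ev["application"], ev["utc_offset_seconds"])
```

Signature IDs can be resolved against HipsSigs.txt or IpsNames.txt as the post suggests, but the format of those files is not shown here, so the parser leaves the ID numeric. Lines of type 6, 7 and 8 have different layouts and are skipped rather than guessed at.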