Vendor Documentation
Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| FTP Access Log | Base Rule | Information | Connection Information |
| EVID 1010 : Access Log FTP | Sub Rule | Information | General FTP Information |
| EVID 107 : Connecting To Primary Server | Sub Rule | Network Traffic | Connection Built |
| EVID 1080 : Creating Data Socket | Sub Rule | Network Traffic | Connection Built |
| EVID 1253 : STOR Command | Sub Rule | Information | General FTP Command |
| EVID 1526 : QUIT Command | Sub Rule | Information | General FTP Command |
| EVID 1629 : User Logged In | Sub Rule | Authentication Success | User Logon |
| EVID 498 : USER Command | Sub Rule | Information | General FTP Command |
| EVID 627 : PASS Command | Sub Rule | Information | General FTP Command |
| EVID 703 : TYPE Command | Sub Rule | Information | General FTP Command |
| EVID 782 : CWD Command | Sub Rule | Information | General FTP Command |
| Invalid Filename | Sub Rule | Error | FTP - 553 - Cmd Not Accepted - Invalid Filename |
| Requested File Action Aborted | Sub Rule | Error | FTP - 552 - Cmd Not Accepted - Allocation Exceeded |
| Page Type Unknown | Sub Rule | Error | FTP - 551 - Cmd Not Accepted - Page Type Unknown |
| File Unavailable | Sub Rule | Error | FTP - 550 - Cmd Not Accepted - File Unavailable |
| Need Account For Storing Files | Sub Rule | Error | FTP - 532 - Cmd Not Accepted - Need Account |
| User Not Logged In | Sub Rule | Access Failure | Command Execution Failure |
| Command Not Implemented For Parameter | Sub Rule | Warning | FTP - 504 - Cmd Not Accepted - Invalid Parameter |
| Bad Sequence Of Commands | Sub Rule | Error | FTP - 503 - Cmd Not Accepted - Bad Sequence |
| Command Not Implemented - ERRR | Sub Rule | Error | FTP - 502 - Cmd Not Accepted - Not Implemented |
| Syntax Error In Parameters Or Arguments | Sub Rule | Reconnaissance | Reconnaissance Activity |
| Syntax Error : Command Unrecognized | Sub Rule | Error | FTP - 500 - Cmd Not Accepted - Error In Command |
| Requested Action Not Taken | Sub Rule | Error | FTP - 452 - Cmd Not Accepted - Insufficient Space |
| Requested Action Aborted | Sub Rule | Error | FTP - 451 - Cmd Not Accepted - Action Aborted |
| Requested File Action Not Taken | Sub Rule | Error | FTP - 450 - Cmd Not Accepted - Action Not Taken |
| Host Unavailable | Sub Rule | Error | FTP - 434 - Cmd Not Accepted - Host Unavailable |
| Connection Closed : Transfer Aborted | Sub Rule | Error | FTP - 426 - Cmd Not Accepted - Connection Closed |
| Cant Open Data Connection | Sub Rule | Error | FTP - 425 - Cmd Not Accepted - Cant Open Conn |
| Service Not Available | Sub Rule | Error | FTP - 421 - Cmd Not Accepted - Service Unavailable |
| Requested File Action Pending | Sub Rule | Information | FTP - 350 - Cmd Ok - Action Pending |
| Need Account For Login | Sub Rule | Authentication Success | Authentication Activity |
| User Name Ok | Sub Rule | Authentication Success | Authentication Activity |
| Pathname Created | Sub Rule | Access Success | Object Created |
| Requested File Action Completed | Sub Rule | Access Success | Command Executed |
| Logout Noted | Sub Rule | Authentication Success | Authentication Activity |
| User Logged Out | Sub Rule | Authentication Success | User Logoff |
| User Logged In | Sub Rule | Authentication Success | User Logon |
| Extended Passive Mode | Sub Rule | Information | FTP - 229 - Cmd Success - Extended Passive Mode |
| Long Passive Mode | Sub Rule | Information | FTP - 228 - Cmd Success - Long Passive Mode |
| Entering Passive Mode | Sub Rule | Information | FTP - 227 - Completed Successfully - Passive Mode |
| Closing Data Connection | Sub Rule | Network Traffic | Connection Closed |
| Data Connection Open | Sub Rule | Network Traffic | Connection Built |
| Service Closing Control Connection | Sub Rule | Network Traffic | Connection Closed |
| Service Ready For New User | Sub Rule | Information | FTP - 220 - Completed Successfully - Service Ready |
| Name System Type | Sub Rule | Information | FTP - 215 - Completed Successfully - System Type |
| Help Message | Sub Rule | Information | FTP - 214 - Completed Succesfully - Help Message |
| File Status | Sub Rule | Information | FTP - 213 - Completed Successfully - File Status |
| Directory Status | Sub Rule | Information | FTP - 212 - Completed Successfully - Dir Status |
| System Status | Sub Rule | Information | FTP - 211 - Completed Successfully - System Status |
| Command Not Implemented - INFO | Sub Rule | Information | FTP - 202 - Completed Successfully - No Command |
| Command Okay | Sub Rule | Information | FTP - 200 - Completed Successfully - Command Ok |
| Open Data Connection | Sub Rule | Network Traffic | Connection Built |
| Transfer Starting | Sub Rule | Network Traffic | Transfer Started |
| Service Ready | Sub Rule | Information | FTP - 120 - Cmd Initiated - Service Ready |
| Restart Marker Reply | Sub Rule | Information | FTP - 100 - Command Initiated - Action Initiated |
| Transfer Starting | Sub Rule | Network Traffic | Transfer Started |

Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| N/A | <vmid> | Text/String/Number |
| N/A | <tag3> | Text/String/Number |
| N/A | <responsecode> | Number |
| N/A | <domainorigin> | Text/String |
| N/A | <dname> | Text/String |
| N/A | <dport> | Number |
| N/A | <login> | Text/String |
| N/A | <subject> | Text/String |
| N/A | <tag1> | Text/String |
| N/A | <command> | Text/String |
| N/A | <tag2> | Text/String |
| N/A | <dip> | Ip Address |