IPS Messages

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| IPS Messages | Base Rule | General IPS/IDS Log Message | Other Security |
| EVID 503200 : Xssauditor-Filter-Sec-Policy-Bypass | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 502970 : File-Text_HTML-Suspicious-Webkit | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 502969 : File-Text_Script-In-HTML-Head | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 502516 : File-Text_Invisible-Inline-Frame | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 501776 : HTTP_SHS-Invalid-Response-HTTP-1.0 | Sub Rule | Protocol Anomaly | Attack |
| EVID 501774 : HTTP_SHS-Invalid-Response-HTTP-1.1 | Sub Rule | Protocol Anomaly | Attack |
| EVID 501486 : Conflicting-Content-Type-Text-HTML | Sub Rule | Vuln Low Severity : Protocol Violation | Vulnerability |
| EVID 501485 : Binary_Conflicting-Content-Type-Text | Sub Rule | Vuln Low Severity : Protocol Violation | Vulnerability |
| EVID 501280 : Google-Chrome-CRX-Extension-Package | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 398857 : ARCserve-Bckp-Lgsrvr-Stack-Buffer-OF | Sub Rule | Host Compromised | Compromise |
| EVID 398400 : Timeout-Status-Code-In-HTTP-10-Resp | Sub Rule | Vuln Low Severity : Protocol Violation | Vulnerability |
| EVID 324107 : SNMP-UDP_Def-Comm-Strng-Pblic-Accptd | Sub Rule | Vuln Low Severity : SNMP | Vulnerability |
| EVID 324106 : SNMP-UDP_Def-Community-String-Rej | Sub Rule | Vuln Low Severity : SNMP | Vulnerability |
| EVID 320003 : Name-Null-Byte-Input-Validation-Err | Sub Rule | Host Compromised | Compromise |
| EVID 319510 : HTTPS_CS-SSL-3.0-Client-Hello | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 319501 : ChangeCipher-Before-Key-Exchange | Sub Rule | Host Compromised | Compromise |
| EVID 318509 : Out-Of-Bounds-Array-Vuln-Func-Call | Sub Rule | Vuln Low Severity : SMB / NETBIOS | Vulnerability |
| EVID 316105 : MSRPC-TCP_NTLMSSP-Auth-Null-Sess-DOS | Sub Rule | Vuln Low Severity : Denial Of Service | Vulnerability |
| EVID 278056 : HTTP_SHS-Server-Version-Number-Discl | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 275505 : HTTP_SLS-Unauthorized-Status-Code | Sub Rule | User Logon Failure | Authentication Failure |
| EVID 267329 : Windows-NAT-Helper-DNS-Query-DOS | Sub Rule | Vuln Low Severity : Denial Of Service | Vulnerability |
| EVID 264753 : Shared_Microsoft-Cabnet-File-Dwnload | Sub Rule | Compressed Executable Download | Activity |
| EVID 261653 : Analyzer_Compress-SIDs | Sub Rule | Suspicious Network Activity | Suspicious |
| EVID 79969 : SMB2_Unknown-Message-Identifier | Sub Rule | Suspicious Network Activity | Suspicious |
| EVID 79963 : SMB2_Unknown-Tree-Identifier | Sub Rule | Suspicious Network Activity | Suspicious |
| EVID 79917 : MSRPC_Request-Without-Bind | Sub Rule | Vuln Low Severity : RPC | Vulnerability |
| EVID 79914 : MSRPC_Parsing-Error | Sub Rule | Vuln Low Severity : RPC | Vulnerability |
| EVID 79192 :_Client-Session-Packet-Type-Unknown | Sub Rule | Vuln Low Severity : SMB / NETBIOS | Vulnerability |
| EVID 79080 : TCP_Segment-Content-Conflict | Sub Rule | TCP Pending Crash Or Severe Problem | Critical |
| EVID 76506 : File_Allowed | Sub Rule | File Sent | Information |
| EVID 76461 : HTTP_Response-Version-Malformed | Sub Rule | Malformed Object | Suspicious |
| EVID 71038 : TLS_Server-Syntax-Error | Sub Rule | Bad Request/Invalid Syntax | Error |
| EVID 71037 : TLS_Client-Syntax-Error | Sub Rule | Bad Request/Invalid Syntax | Error |
| EVID 70977 : HTTP_Decompression-Stream-Error | Sub Rule | Stream Processing Error | Error |
| EVID 70512 : DNS_Client-UDP-QR-Wrong-Direction | Sub Rule | Non Compliant DNS | Activity |
| EVID 70511 : HTTP_URL-Logged | Sub Rule | URL Logged - Category | Activity |
| EVID 70414 : DNS_Client-QDCOUNT-Not-1 | Sub Rule | Non Compliant DNS | Activity |
| EVID 70080 : HTTP_Reply-Header-Line-Unparseable | Sub Rule | HTTP Security Violation | Other Security |
| EVID 70061 : HTTP_Request-Unknown | Sub Rule | Vuln Low Severity : Protocol Violation | Vulnerability |
| EVID 70026 : Connection_Progress | Sub Rule | General Connection Messages | Network Traffic |
| EVID 70021 : Connection_Closed | Sub Rule | Connection Closed | Network Traffic |
| EVID 70018 : Connection_Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| EVID 1004 : FW_Related-Connection | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| EVID 500 : FW_Notice | Sub Rule | General Firewall Event | Information |
| EVID 79891 : HTTP_Headerline_LF | Sub Rule | Non Compliant DNS | Activity |
| EVID 503093 : Mcrsft-Xml-Core-Svs-Vuln-ActivX-Ctrl | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 502478 : Microsoft-Embedded-Font-EOT-File-Ref | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 501770 : Mult-Products-Mult-Location-Headers | Sub Rule | Protocol Anomaly | Attack |
| EVID 501657 : File-Binary_Microsoft-Cabinet-Trnsfr | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 501338 : PNG-Img-With-Large-Data-Length-Value | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 501274 : File-Exe_Executable-File-Upload | Sub Rule | Vuln Low Severity : Web Server | Vulnerability |
| EVID 323594 : Write-Atmt-Using-Def-Community-Strng | Sub Rule | Vuln Low Severity : SNMP | Vulnerability |
| EVID 264225 : Shared_Executable-File-Upload | Sub Rule | Compressed Executable Download | Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
| --- | --- | --- |
| Version | <version> | Number |
| vmid | <vmid> | Number |
| objectname | <objectname> | Text/String |
| severity | <severity> | Text/String/Number |
| spt | <sport> | Number |
| suser | <login> | Text/String |
| dmac | <dmac> | Text/String/Number |
| dst | <dip> | IP Address |
| cat | <subject> | Text/String |
| requestURL | <url> | Text/String |
| app | <session> | Text/String/Number |
| act | <command> | Text/String |
| msg | <object> | Text/String |
| deviceoutboundinterface | <sinterface> | Text/String/Number |
| deviceinboundinterface | <dinterface> | Text/String/Number |
| proto | <protnum> | Number |
| dpt | <dport> | Number |
| in | <bytesin> | Number |
| out | <bytesout> | Number |
| src | <sip> | IP Address |
| smac | <smac> | Text/String/Number |