Classification
|
Rule Name |
Rule Type |
Common Event |
Classification |
|
Pattern 1 : PIX Traffic Messages |
Base Rule |
Network Traffic |
Network Traffic |
|
PIX-2-106013 : Dropped Echo Request |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-2-106016 : Dropped Packet Due to IP Spoof |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-2-106017 : Dropped Packet Due to Land Attack |
Sub Rule |
Failed Host Denial of Service |
Failed Denial of Service |
|
PIX-2-106020 : Drop Packet Due to Teardrop Attack |
Sub Rule |
Failed Host Denial of Service |
Failed Denial of Service |
|
PIX-3-109023 : Attempt to Use Service Before Auth |
Sub Rule |
Failed Suspicious Host Activity |
Failed Suspicious |
|
PIX-4-400013 : ICMP Redirect |
Sub Rule |
Protocol Anomaly |
Attack |
|
PIX-4-400014 : ICMP Echo Request |
Sub Rule |
ICMP Echo Request |
Network Traffic |
|
PIX-4-400011 : ICMP Unreachable |
Sub Rule |
ICMP: Host Unreachable |
Activity |
|
PIX-4-40012 : ICMP Source Quench |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-3-109003 : Authorization Failed |
Sub Rule |
Unable to Communicate with Authentication Server |
Error |
|
PIX-3-109002 : Failed Authentication |
Sub Rule |
Unable to Communicate with Authentication Server |
Error |
|
PIX-6-109009 : Authorization Denied (Not Auth) |
Sub Rule |
Access Object Failure |
Access Failure |
|
PIX-X-713061 : Tunnel Rej:Crypto Map Pol Not Found |
Sub Rule |
Failed Suspicious Activity |
Failed Suspicious |
|
PIX-X-713042 : IKE Initiator Unable to Find Policy |
Sub Rule |
IKE Initiator Unable to Find Key |
Error |
|
PIX-X-703002 : H.225 Release Complete |
Sub Rule |
General Information |
Information |
|
PIX-X-703001 : H.225 Message Received |
Sub Rule |
General Information |
Information |
|
PIX-X-621007 : Bad Register |
Sub Rule |
Bad PIM Register |
Information |
|
PIX-X-620002 : Un-Supported CTIQBE Version |
Sub Rule |
General VOIP Message |
Information |
|
PIX-X-620001 : Pre-Allocate CTIQBE |
Sub Rule |
General VOIP Message |
Information |
|
PIX-X-617004 : GTP Connection Created |
Sub Rule |
GTP Connection Created |
Information |
|
PIX-X-617003 : GTP Tunnel Created |
Sub Rule |
Tunnel Created |
Network Traffic |
|
PIX-X-617001 : GTP Message |
Sub Rule |
General Information |
Information |
|
PIX-X-616001 : Pre-Allocate MGCP Connection |
Sub Rule |
General Information |
Information |
|
PIX-X-611314 : Load Balancing Cluster Redirected |
Sub Rule |
General Information |
Information |
|
PIX-X-608001 : Pre-Allocate Skinny Connection |
Sub Rule |
General Information |
Information |
|
PIX-X-607001 : Pre-Allocate SIP Connection |
Sub Rule |
General Information |
Information |
|
PIX-X-500002 : Java Content Modified |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-500001 : ActiveX Content Modified |
Sub Rule |
Packet Contains ActiveX Content and Is Modified |
Critical |
|
PIX-X-415014 : Max Unanswered HTTP Reqs Exceeded |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-415013 : HTTP Transfer Encoding Vuln Detected |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-415012 : HTTP Deobfuscation Signature Detected |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-415011 : HTTP URL Length Exceeded |
Sub Rule |
Buffer Overflow/Underflow |
Attack |
|
PIX-X-415010 : HTTP Protocol Violation Detected |
Sub Rule |
Protocol Anomaly |
Attack |
|
PIX-X-415009 : HTTP Header Length Exceeded |
Sub Rule |
Buffer Overflow/Underflow |
Attack |
|
PIX-X-415008 : HTTP RFC Method Illegal |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-415007 : HTTP Extension Method Illegal |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-415006 : Content Size Out of Range |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-415005 : Content No Match for Specified Type |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-415004 : Content Type Not Found |
Sub Rule |
Content Type Not Found |
Activity |
|
PIX-X-415003 : HTTP Peer-To-Peer Detected |
Sub Rule |
P2P Activity |
Misuse |
|
PIX-X-415002 : HTTP Instant Messenger Detected |
Sub Rule |
IM/Chat Activity |
Misuse |
|
PIX-X-415001 : HTTP Tunnel Detected |
Sub Rule |
Anonymizing Activity |
Misuse |
|
PIX-X-406002 : FTP Port Cmd with Different Address |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-406001 : FTP Low Port Command |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-405201 : ILS Message |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-405105 : H323 RAS Message |
Sub Rule |
General Information |
Information |
|
PIX-X-405104 : H225 Message Received |
Sub Rule |
General Information |
Information |
|
PIX-X-405103 : H225 Message |
Sub Rule |
General Information |
Information |
|
PIX-X-400050 : STATd Buffer Overflow |
Sub Rule |
Buffer Overflow/Underflow |
Attack |
|
PIX-X-400049 : Remote Exec Daemon Attempt |
Sub Rule |
Arbitrary Code Execution |
Attack |
|
PIX-X-400048 : Remote Exec Daemon Portmap Request |
Sub Rule |
Arbitrary Code Execution |
Attack |
|
PIX-X-400047 : Mount Daemon Portmap Request |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400046 : YP Transfer Daemon Portmap Request |
Sub Rule |
Port Scan |
Reconnaissance |
|
PIX-X-400045 : YP Update Daemon Portmap Request |
Sub Rule |
Port Scan |
Reconnaissance |
|
PIX-X-400044 : YP Password Daemon Portmap Request |
Sub Rule |
Port Scan |
Reconnaissance |
|
PIX-X-400043 : YP Bind Daemon Portmap Request |
Sub Rule |
RPC Portmap YPServ Request |
Activity |
|
PIX-X-400042 : YP Server Daemon Portmap Request |
Sub Rule |
Port Scan |
Reconnaissance |
|
PIX-X-400041 : Proxied RPC Request |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400040 : RPC Dump |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400039 : RPC Port Unregistration |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400038 : RPC Port Registration |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400037 : DNS Request for All Records |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400036 : DNS Zone Transfer From High Port |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400035 : DNS Zone Transfer |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400034 : DNS HINFO Request |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400033 : UDP Chargen DoS Attack |
Sub Rule |
Host Denial of Service |
Denial of Service |
|
PIX-X-400032 : UDP Snork Attack |
Sub Rule |
General Attack Activity |
Attack |
|
PIX-X-400031 : UDP Bomb Attack |
Sub Rule |
General Attack Activity |
Attack |
|
PIX-X-400030 : FTP Improper Port Specified |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400029 : FTP Improper Address Specified |
Sub Rule |
Suspicious Activity |
Suspicious |
|
PIX-X-400028 : TCP FIN Only Flags |
Sub Rule |
Protocol Anomaly |
Attack |
|
PIX-X-400027 : TCP SYN+FIN Flags |
Sub Rule |
Protocol Anomaly |
Attack |
|
PIX-X-400026 : TCP NULL Flags |
Sub Rule |
Protocol Anomaly |
Attack |
|
PIX-X-400025 : Ping of Death Attack |
Sub Rule |
General Attack Activity |
Attack |
|
PIX-X-400024 : Large ICMP Traffic |
Sub Rule |
Protocol Anomaly |
Attack |
|
PIX-X-400023 : Fragmented ICMP Traffic |
Sub Rule |
Fragmented Packet Received |
Network Traffic |
|
PIX-X-400022 : ICMP Address Mask Reply |
Sub Rule |
ICMP Address Mask Reply |
Activity |
|
PIX-X-400021 : ICMP Address Mask Request |
Sub Rule |
ICMP Address Mask Request |
Activity |
|
PIX-X-400020 : ICMP Information Reply |
Sub Rule |
ICMP Information Reply |
Activity |
|
PIX-X-400019 : ICMP Information Request |
Sub Rule |
ICMP Information Request |
Activity |
|
PIX-X-400018 : ICMP Timestamp Reply |
Sub Rule |
ICMP Timestamp Reply |
Activity |
|
PIX-X-400017 : ICMP Timestamp Request |
Sub Rule |
ICMP Timestamp Request |
Activity |
|
PIX-X-400016 : ICMP Parameter Problem on Datagram |
Sub Rule |
Protocol Anomaly |
Attack |
|
PIX-X-400015 : ICMP Time Exceeded for a Datagram |
Sub Rule |
Protocol Anomaly |
Attack |
|
PIX-X-400010 : ICMP Echo Reply |
Sub Rule |
ICMP Echo Reply |
Activity |
|
PIX-X-400009 : IP Fragments Overlap |
Sub Rule |
Protocol Anomaly |
Attack |
|
PIX-X-400008 : IP Impossible Packet |
Sub Rule |
General Attack Activity |
Attack |
|
PIX-X-400007 : IP Fragment Attack |
Sub Rule |
General Attack Activity |
Attack |
|
PIX-X-400006 : IP Options-Strict Source Route |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-X-400005 : IP Options-SATNET ID |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-X-400004 : IP Options-Loose Source Route |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-X-400003 : IP Options-Security |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-X-400002 : IP Options-Timestamp |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-X-400001 : IP Options-Record Packet Route |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-X-400000 : IP Options-Bad Option List |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-X-324007 : Unable to Create GTP Connection |
Sub Rule |
Unable to Create Connection |
Error |
|
PIX-X-324005 : Unable to Create Tunnel |
Sub Rule |
Tunnel Creation Failure |
Error |
|
PIX-X-324004 : Packet Version Not Supported |
Sub Rule |
Packet Version Not Supported |
Activity |
|
PIX-X-324003 : No Matching Request |
Sub Rule |
No Matching Request for Response |
Warning |
|
PIX-X-324002 : No PDP Exists |
Sub Rule |
No PDP Exists |
Error |
|
PIX-X-324001 : Packet Parsing Error |
Sub Rule |
Packet Parsing Error |
Error |
|
PIX-X-324000 : Packet Dropped |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-X-305010 : Address Translation Slot Deleted |
Sub Rule |
IP Network Address Translation Info Msg |
Information |
|
PIX-X-305009 : Address Translation Slot Created |
Sub Rule |
IP Network Address Translation Info Msg |
Information |
|
PIX-X-305006 : Translation Creation Failed |
Sub Rule |
Regular Translation Creation Failed |
Error |
|
PIX-X-305005 : No Translation Group Found |
Sub Rule |
No Translation Group Found for Protocol |
Error |
|
PIX-X-304002 : URL Access Denied |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
PIX-X-303004 : FTP Command Un-Supported |
Sub Rule |
FTP Command Un-Supported |
Information |
|
PIX-X-303003 : FTP Command Denied |
Sub Rule |
FTP Command Denied |
Failed Activity |
|
PIX-X-202011 : Connection Limit Exceeded |
Sub Rule |
Connection Limit Exceeded |
Warning |
|
PIX-X-201010 : Embryonic Connection Limit Exceeded |
Sub Rule |
Network Denial of Service |
Denial of Service |
|
PIX-X-109028 : Built H245 Connection |
Sub Rule |
Connection Built |
Network Traffic |
|
PIX-X-109010 : Connection Limit Exceeded |
Sub Rule |
Connection Limit Exceeded |
Warning |
|
PIX-X-108002 : Invalid Char Replaced in Email Msg |
Sub Rule |
Replaced Invalid Characters in Email Address |
Warning |
|
PIX-X-106012 : Denied Packet Due to IP Options |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
|
No Matching Connection for ICMP Error Message |
Sub Rule |
No Matching Connection for ICMP Error Message |
Warning |
|
PIX-X-106014 : Denied Packet |
Sub Rule |
Traffic Denied by Network Firewall |
Network Deny |
Mapping with LogRhythm Schema
|
Device Key in Log Message |
LogRhythm Schema |
Data Type |
|
N/A |
<vmid> |
Number |
|
N/A |
<severity> |
Number |
|
N/A |
<sip> |
Number |
|
N/A |
<sname> |
Text/String |
|
N/A |
<dip> |
Number |
|
N/A |
<dname> |
Text/String |
|
N/A |
<sport> |
Number |
|
N/A |
<dport> |
Number |
|
N/A |
<protname> |
Text/String |
|
N/A |
<url> |
Text/String |
|
N/A |
<sender> |
Text/String |
|
N/A |
<size> |
Number |