Pattern 17 : Traffic

Rule Name

Rule Type

Common Event

Classification

Pattern 17 : Traffic

Base Rule

General Firewall Log

Network Traffic

PIX-X-713061 : Tunnel Rej:Crypto Map Pol Not Found

Sub Rule

Failed Suspicious Activity

Failed Suspicious

PIX-X-713042 : IKE Initiator Unable to Find Policy

Sub Rule

IKE Initiator Unable to Find Key

Error

PIX-X-710003 : Access Denied By ACL

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-703002 : H.225 Release Complete

Sub Rule

General Information

Information

PIX-X-703001 : H.225 Message Received

Sub Rule

General Information

Information

PIX-X-621007 : Bad Register

Sub Rule

Bad PIM Register

Information

PIX-X-620002 : Un-Supported CTIQBE Version

Sub Rule

General VOIP Message

Information

PIX-X-620001 : Pre-Allocate CTIQBE

Sub Rule

General VOIP Message

Information

PIX-X-617004 : GTP Connection Created

Sub Rule

GTP Connection Created

Information

PIX-X-617003 : GTP Tunnel Created

Sub Rule

Tunnel Created

Network Traffic

PIX-X-617001 : GTP Message

Sub Rule

General Information

Information

PIX-X-616001 : Pre-Allocate MGCP Connection

Sub Rule

General Information

Information

PIX-X-614002 : DNS Reply

Sub Rule

DNS Reply

Network Traffic

PIX-X-614001 : DNS Request

Sub Rule

DNS Request

Network Traffic

PIX-X-611314 : Load Balancing Cluster Redirected

Sub Rule

General Information

Information

PIX-X-608001 : Pre-Allocate Skinny Connection

Sub Rule

General Information

Information

PIX-X-607001 : Pre-Allocate SIP Connection

Sub Rule

General Information

Information

PIX-X-507001 : Terminated Connection

Sub Rule

Connection Closed

Network Traffic

PIX-X-500004 : Invalid Transport Field

Sub Rule

Invalid Transport Field

Warning

PIX-X-500003 : Bad TCP Header Length

Sub Rule

Protocol Anomaly

Attack

PIX-X-500002 : Java Content Modified

Sub Rule

Suspicious Activity

Suspicious

PIX-X-500001 : ActiveX Content Modified

Sub Rule

Packet Contains ActiveX Content and Is Modified

Critical

PIX-X-419002 : Duplicate SYN Packet

Sub Rule

Duplicate SYN Packet

Network Traffic

PIX-X-419001 : Dropped Packet

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-418001 : Dropped Packet

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-416001 : Dropped Packet

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-415014 : Maximum Unanswered HTTP Requests Exc

Sub Rule

Suspicious Activity

Suspicious

PIX-X-415013 : HTTP Transfer Encoding Vltn Detected

Sub Rule

Suspicious Activity

Suspicious

PIX-X-415012 : HTTP Deobfuscation Sig Detected

Sub Rule

Suspicious Activity

Suspicious

PIX-X-415011 : HTTP URL Length Exceeded

Sub Rule

Buffer Overflow/Underflow

Attack

PIX-X-415010 : HTTP Protocol Violation Detected

Sub Rule

Protocol Anomaly

Attack

PIX-X-415009 : HTTP Header Length Exceeded

Sub Rule

Buffer Overflow/Underflow

Attack

PIX-X-415008 : HTTP RFC Method Illegal

Sub Rule

Suspicious Activity

Suspicious

PIX-X-415007 : HTTP Extension Method Illegal

Sub Rule

Suspicious Activity

Suspicious

PIX-X-415006 : Content Size Out of Range

Sub Rule

Suspicious Activity

Suspicious

PIX-X-415005 : Content Type Doesn't Match Spec Type

Sub Rule

Suspicious Activity

Suspicious

PIX-X-415004 : Content Type Not Found

Sub Rule

Content Type Not Found

Activity

PIX-X-415003 : HTTP Peer-To-Peer Detected

Sub Rule

P2P Activity

Misuse

PIX-X-415002 : HTTP Instant Messenger Detected

Sub Rule

IM/Chat Activity

Misuse

PIX-X-415001 : HTTP Tunnel Detected

Sub Rule

Anonymizing Activity

Misuse

PIX-X-410001 : DNS Request Exceeds Packet Length

Sub Rule

Suspicious Activity

Suspicious

PIX-X-406002 : FTP Port Command with Diff Address

Sub Rule

Suspicious Activity

Suspicious

PIX-X-406001 : FTP Low Port Command

Sub Rule

Suspicious Activity

Suspicious

PIX-X-405201 : ILS Message

Sub Rule

Suspicious Activity

Suspicious

PIX-X-405105 : H323 RAS Message

Sub Rule

General Information

Information

PIX-X-405104 : H225 Message Received

Sub Rule

General Information

Information

PIX-X-405103 : H225 Message

Sub Rule

General Information

Information

PIX-X-400050 : STATd Buffer Overflow

Sub Rule

Buffer Overflow/Underflow

Attack

PIX-X-400049 : Remote Exec Daemon Attempt

Sub Rule

Arbitrary Code Execution

Attack

PIX-X-400048 : Remote Exec Daemon Portmap Request

Sub Rule

Arbitrary Code Execution

Attack

PIX-X-400047 : Mount Daemon Portmap Request

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400046 : YP Transfer Daemon Portmap Request

Sub Rule

Port Scan

Reconnaissance

PIX-X-400045 : YP Update Daemon Portmap Request

Sub Rule

Port Scan

Reconnaissance

PIX-X-400044 : YP Password Daemon Portmap Request

Sub Rule

Port Scan

Reconnaissance

PIX-X-400043 : YP Bind Daemon Portmap Request

Sub Rule

RPC Portmap YPServ Request

Activity

PIX-X-400042 : YP Server Daemon Portmap Request

Sub Rule

General Attack Activity

Attack

PIX-X-400041 : Proxied RPC Request

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400040 : RPC Dump

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400039 : RPC Port Unregistration

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400038 : RPC Port Registration

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400037 : DNS Request for All Records

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400036 : DNS Zone Transfer from High Port

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400035 : DNS Zone Transfer

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400034 : DNS HINFO Request

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400033 : UDP Chargen DoS Attack

Sub Rule

Host Denial of Service

Denial of Service

PIX-X-400032 : UDP Snork Attack

Sub Rule

General Attack Activity

Attack

PIX-X-400031 : UDP Bomb Attack

Sub Rule

General Attack Activity

Attack

PIX-X-400030 : FTP Improper Port Specified

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400029 : FTP Improper Address Specified

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400028 : TCP FIN Only Flags

Sub Rule

Protocol Anomaly

Attack

PIX-X-400027 : TCP SYN+FIN Flags

Sub Rule

Protocol Anomaly

Attack

PIX-X-400026 : TCP NULL Flags

Sub Rule

Protocol Anomaly

Attack

PIX-X-400025 : Ping of Death Attack

Sub Rule

General Attack Activity

Attack

PIX-X-400024 : Large ICMP Traffic

Sub Rule

Protocol Anomaly

Attack

PIX-X-400023 : Fragmented ICMP Traffic

Sub Rule

Fragmented Packet Received

Network Traffic

PIX-X-400022 : ICMP Address Mask Reply

Sub Rule

ICMP Address Mask Reply

Activity

PIX-X-400021 : ICMP Address Mask Request

Sub Rule

ICMP Address Mask Request

Activity

PIX-X-400020 : ICMP Information Reply

Sub Rule

ICMP Information Reply

Activity

PIX-X-400019 : ICMP Information Request

Sub Rule

ICMP Information Request

Activity

PIX-X-400018 : ICMP Timestamp Reply

Sub Rule

ICMP Timestamp Reply

Activity

PIX-X-400017 : ICMP Timestamp Request

Sub Rule

ICMP Timestamp Request

Activity

PIX-X-400016 : ICMP Parameter Problem On Datagram

Sub Rule

Protocol Anomaly

Attack

PIX-X-400015 : ICMP Time Exceeded for A Datagram

Sub Rule

Protocol Anomaly

Attack

PIX-X-400014 : ICMP Echo Request

Sub Rule

ICMP Echo Request

Network Traffic

PIX-X-400013 : ICMP Redirect

Sub Rule

Protocol Anomaly

Attack

PIX-X-40012 : ICMP Source Quench

Sub Rule

Suspicious Activity

Suspicious

PIX-X-400011 : ICMP Unreachable

Sub Rule

ICMP : Host Unreachable

Activity

PIX-X-400010 : ICMP Echo Reply

Sub Rule

ICMP Echo Reply

Activity

PIX-X-400009 : IP Fragments Overlap

Sub Rule

Protocol Anomaly

Attack

PIX-X-400008 : IP Impossible Packet

Sub Rule

General Attack Activity

Attack

PIX-X-400007 : IP Fragment Attack

Sub Rule

General Attack Activity

Attack

PIX-X-400006 : IP Options-Strict Source Route

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-400005 : IP Options-SATNET ID

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-400004 : IP Options-Loose Source Route

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-400003 : IP Options-Security

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-400002 : IP Options-Timestamp

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-400001 : IP Options-Record Packet Route

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-400000 : IP Options-Bad Option List

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-326007 : MRIB Entry-Update Failed

Sub Rule

MRIB Entry-Update Failed

Error

PIX-X-326006 : MRIB Entry-Creation Failed

Sub Rule

MRIB Entry-Creation Failed

Error

PIX-X-326005 : MRIB Notification Failed

Sub Rule

MRIB Notification Failed

Error

PIX-X-324007 : Unable to Create GTP Connection

Sub Rule

Unable to Create Connection

Error

PIX-X-324005 : Unable to Create Tunnel

Sub Rule

Tunnel Creation Failure

Error

PIX-X-324004 : Packet Version Not Supported

Sub Rule

Packet Version Not Supported

Activity

PIX-X-324003 : No Matching Request

Sub Rule

No Matching Request for Response

Warning

PIX-X-324002 : No PDP Exists

Sub Rule

No PDP Exists

Error

PIX-X-324001 : Packet Parsing Error

Sub Rule

Packet Parsing Error

Error

PIX-X-324000 : Packet Dropped

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-322004 : No Management IP Configured

Sub Rule

No Management IP Address Configured

Warning

PIX-X-318005 : Inconsistency in Routing Table

Sub Rule

Inconsistency in Routing Table

Error

PIX-X-314001 : Pre-Allocate Backconnection

Sub Rule

Pre-Allocated RTSP Connection

Information

PIX-X-313005 : No Matching Connection for ICMP

Sub Rule

No Matching Connection for ICMP Error Message

Warning

PIX-X-313004 : Dropped Packet

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-305012 : Teardown Translation

Sub Rule

Translation Teardown

Network Traffic

PIX-X-305011 : Built Translation

Sub Rule

Translation Built

Network Traffic

PIX-X-305010 : Address Translation Slot Deleted

Sub Rule

IP Network Address Translation Info Msg

Information

PIX-X-305009 : Address Translation Slot Created

Sub Rule

IP Network Address Translation Info Msg

Information

PIX-X-305006 : Translation Creation Failed

Sub Rule

Regular Translation Creation Failed

Error

PIX-X-305005 : No Translation Group Found

Sub Rule

No Translation Group Found for Protocol

Error

PIX-X-304002 : URL Access Denied

Sub Rule

Access Object Failure

Access Failure

PIX-X-303004 : FTP Command Un-Supported

Sub Rule

FTP Command Un-Supported

Information

PIX-X-303003 : FTP Command Denied

Sub Rule

FTP Command Denied

Failed Activity

PIX-X-302018 : Teardown Connection

Sub Rule

Connection Teardown

Network Traffic

PIX-X-302017 : Built Connection

Sub Rule

Connection Built

Network Traffic

PIX-X-302016 : Teardown Connection

Sub Rule

Connection Teardown

Network Traffic

PIX-X-302015 : Built Connection

Sub Rule

Connection Built

Network Traffic

PIX-X-302014 : Teardown Connection

Sub Rule

Connection Teardown

Network Traffic

PIX-X-302013 : Built Connection

Sub Rule

Connection Built

Network Traffic

PIX-X-302004 : Pre-Allocate Backconnection

Sub Rule

Pre-Allocate H323 Backconnection

Information

PIX-X-212006 : Dropped SNMP Request

Sub Rule

Dropped SNMP Request

Failed Activity

PIX-X-210010 : LU Make UDP Connection Failed

Sub Rule

LU Make UDP Connection Failed

Error

PIX-X-210008 : LU No Xlate

Sub Rule

LU No Xlate

Error

PIX-X-202011 : Connection Limit Exceeded

Sub Rule

Connection Limit Exceeded

Warning

PIX-X-201010 : Embryonic Connection Limit Exceeded

Sub Rule

Network Denial of Service

Denial of Service

PIX-X-201003 : Embryonic Limit Exceeded

Sub Rule

Network Denial of Service

Denial of Service

PIX-X-109028 : Built H245 Connection

Sub Rule

Connection Built

Network Traffic

PIX-X-109023 : Attempt to Use Service Before Auth

Sub Rule

Failed Suspicious Host Activity

Failed Suspicious

PIX-X-109010 : Connection Limit Exceeded

Sub Rule

Connection Limit Exceeded

Warning

PIX-X-109009 : Authorization Denied (Not Auth)

Sub Rule

Access Object Failure

Access Failure

PIX-X-109003 : Authorization Failed

Sub Rule

Unable to Communicate with Authentication Server

Error

PIX-X-109002 : Failed Authentication

Sub Rule

Unable to Communicate with Authentication Server

Error

PIX-X-108003 : Connection Terminated

Sub Rule

Connection Closed

Network Traffic

PIX-X-108002 : Invalid Char Replaced in Email Msg

Sub Rule

Replaced Invalid Characters in Email Address

Warning

PIX-X-106020 : Drop Packet Due to Teardrop Attack

Sub Rule

Failed Host Denial of Service

Failed Denial of Service

PIX-X-106018 : Packet Denied

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-106017 : Dropped Packet Due to Land Attack

Sub Rule

Failed Host Denial of Service

Failed Denial of Service

PIX-X-106016 : Dropped Packet Due to IP Spoof

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-106013 : Dropped Echo Request

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-106012 : Denied Packet Due to IP Options

Sub Rule

Traffic Denied by Network Firewall

Network Deny

PIX-X-106002 : Denied Connection

Sub Rule

Traffic Denied by Network Firewall

Network Deny

Device Key in Log Message

LogRhythm Schema

Data Type

N/A

<vmid>

Number

N/A

<sip>

Number

N/A

<sname>

Number

N/A

<dname>

Text/String

N/A

<sport>

Number

N/A

<dport>

Number

N/A

<protname>

Text/String