SmartDefense
Vendor Documentation
Log Fields and Parsing
This section details the log fields available in this log message type, along with the values parsed for both the LogRhythm Default and LogRhythm Default v2.0 policies. A value of "N/A" (not applicable) indicates that no value is parsed for that log field under that policy.
Log Field | LogRhythm Default | LogRhythm Default v2.0 |
---|---|---|
Product | <version> | <vmid> |
Origin | <sender> | N/A |
Action | <action> <tag3> | <action> <tag2> |
SIP | <sip> | <sip> |
SPort | <sport> | <sport> |
DIP | <dip> | <dip> |
DPort | <dport> | <dport> |
Protocol | <protnum>\<protname> | <protnum> |
IFName | <sinterface> | <sinterface> |
IFDirection | <tag4> | N/A |
Reason | <reason> | <reason> |
Rule | <command> | N/A |
PolicyName | <policy> | N/A |
XlateSIP | <snatip> | <snatip> |
XlateSport | N/A | <snatport> |
XlateDIP | <dnatip> | <dnatip> |
XlateDport | N/A | <dnatport> |
User | <login> | N/A |
src_user_name | <login> | <login> |
dst_user_name | <account> | <account> |
to | <recipient> | <recipient> |
from | <sender> | <sender> |
web_client_type | <useragent> | N/A |
Url | <url> | <url> |
dst_machine_name | <dname> | <dname> |
src_machine_name | <sname> | <sname> |
Attack | <threatname> <tag2> | <vendorinfo> <tag1> |
AttackInfo | N/A | <threatname> |
Protection_Name | <object> | N/A |
Severity | <severity> | <severity> |
Confidence_Level | <responsecode> | N/A |
Industry_Reference | <cve> | <cve> |
Protection_Type | <objecttype> <tag1> | N/A |
rule_name | <command> | N/A |
Info | <vendorinfo> | N/A |
__policy_id_tag | N/A | <policy> |
Log Processing Settings
This section details log processing changes made from the LogRhythm Default policy to LogRhythm Default v2.0. In some cases, base rules are broken down into sub-rules to appropriately parse log message types by their event types.
LogRhythm Default
| Rule ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1010513 | SmartDefense | Base Rule | General Firewall Log | Network Traffic |
| | SmartDefense : Block HTTP Non Compliant : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| | SmartDefense : Block Non HTTP Traffic : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| | SmartDefense : IP Fragments : Drop | Sub Rule | IP Microfragment | Activity |
| | SmartDefense : Protection : Outbound | Sub Rule | Established Outbound Connection | Information |
| | SmartDefense : Geo_protection: Outbound | Sub Rule | Established Outbound Connection | Information |
| | SmartDefense : Geo_protection: Inbound | Sub Rule | Established Inbound Connection | Information |
| | SmartDefense : Adobe Reader Violation : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| | SmartDefense : Attempt To Open Audio Con : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| | SmartDefense : Anomaly_http : Outbound | Sub Rule | Established Outbound Connection | Information |
| | SmartDefense : Block HTTP Non Compliant : Reject | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| | SmartDefense : Anomaly : Inbound | Sub Rule | Established Inbound Connection | Information |
| | SmartDefense : Anomaly : Outbound | Sub Rule | Established Outbound Connection | Information |
| | SmartDefense : Anomaly : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| | SmartDefense : Apache Svr Protection Viol : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | SmartDefense : Apache Svr Protection Viol : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | SmartDefense : Content Protection Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | SmartDefense : DNS Reserved Header Bit : Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
| | SmartDefense : Geo-Location Enforcement : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| | SmartDefense : HTTP Protocol Inspection : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | SmartDefense : HTTP Trfc Ovr Bad Port Viol : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| | SmartDefense : Malformed HTTP : Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
| | SmartDefense : Malformed Packet : Drop | Sub Rule | Malformed Packet | Network Traffic |
| | SmartDefense : Port Scan : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | SmartDefense : SSL Enforcement Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | SmartDefense : SSL Tunneling : Drop | Sub Rule | Failed Anonymizing Activity | Failed Misuse |
| | SmartDefense : Potl Network Config Problem : Drop | Sub Rule | Configuration Failure | Warning |
| | SmartDefense : TCP Segment Limit Enfrcm : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| | SmartDefense : TCP Urgent Data Enforcement : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| | SmartDefense : SYN : Drop | Sub Rule | Failed Network Denial Of Service | Failed Denial of Service |
| | SmartDefense : TCP Enforcement Violation : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| | SmartDefense : Instant Messengers : Drop | Sub Rule | Failed IM/Chat Activity | Failed Misuse |
| | SmartDefense : Large Ping : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | SmartDefense : Apache Svr Protection Viol : Mon | Sub Rule | Security Violation | Other Security |
| | SmartDefense : Apache Svr Protection Viol : Mon | Sub Rule | Security Violation | Other Security |
| | SmartDefense : Content Protection Violation : Mon | Sub Rule | Security Violation | Other Security |
| | SmartDefense : DNS Reserved Header Bit : Monitor | Sub Rule | Protocol Anomaly | Attack |
| | SmartDefense : Geo-Location Enforcement : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| | SmartDefense : HTTP Protocol Inspection : Monitor | Sub Rule | Protocol Anomaly | Attack |
| | SmartDefense : HTTP Trfc Ovr Bad Port Viol : Mon | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| | SmartDefense : Malformed HTTP : Monitor | Sub Rule | Malformed Object | Suspicious |
| | SmartDefense : Malformed Packet : Monitor | Sub Rule | Malformed Object | Suspicious |
| | SmartDefense : Port Scan : Monitor | Sub Rule | Port Scan | Reconnaissance |
| | SmartDefense : SSL Enforcement Violation : Monitor | Sub Rule | General Failed Activity | Failed Activity |
| | SmartDefense : SSL Tunneling : Monitor | Sub Rule | Anonymizing Activity | Misuse |
| | SmartDefense : Potl Net Config Problem : Monitor | Sub Rule | Configuration Failure | Warning |
| | SmartDefense : TCP Segment Limit Enfrcm : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| | SmartDefense : TCP Urgent Data Enfrcm : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| | SmartDefense : SYN : Monitor | Sub Rule | Network Denial Of Service | Denial Of Service |
| | SmartDefense : TCP Enforcement Violation : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| | SmartDefense : Instant Messengers : Monitor | Sub Rule | IM/Chat Activity | Misuse |
| | SmartDefense : Large Ping : Monitor | Sub Rule | Ping Sweep | Reconnaissance |
| | SmartDefense : Anomaly : Monitor | Sub Rule | Protocol Anomaly | Attack |
| | SmartDefense : Content Protection Violation Detect | Sub Rule | General Activity | Activity |
| | SmartDefense : Non Compliant DNS : Detect | Sub Rule | Non Compliant DNS | Activity |
| | SmartDefense : Block HTTP Non Compliant | Sub Rule | Blocked Non-Compliant HTTP Format | Activity |
| | SmartDefense : TCP Segment Limit : Accept | Sub Rule | General Traffic Allowed | Network Traffic |
| | Attack Failed | Sub Rule | Failed General Attack Activity | Failed Attack |
LogRhythm Default v2.0
| Rule ID | Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|---|
| 1012010 | V 2.0 : Smart Defense Events | Base Rule | General Threat Message | Activity |
| | V 2.0 : SmartDefense : Accept Action | Sub Rule | General Attack Activity | Attack |
| | V 2.0 : SmartDefense : Detect Action | Sub Rule | General Attack Activity | Attack |
| | V 2.0 : SmartDefense : Drop Action | Sub Rule | Threat Blocked | Failed Activity |
| | V 2.0 : Adobe Reader Violation : Monitor | Sub Rule | Adobe Reader Violation | Activity |
| | V 2.0 : Apache Server Protection Violation : Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| | V 2.0 : Apache Srvr Protection Violation : Monitor | Sub Rule | Apache Web Server Message | Information |
| | V 2.0 : Audio Connection Attempt : Monitor | Sub Rule | Connection Attempt | Network Traffic |
| | V 2.0 : Block HTTP Non-Compliant : Monitor | Sub Rule | Noncompliant Attributes | Warning |
| | V 2.0 : Block HTTP Non Compliant : Reject | Sub Rule | Blocked Non-Compliant HTTP Format | Activity |
| | V 2.0 : Block Non HTTP Traffic : Monitor | Sub Rule | General Network Traffic | Network Traffic |
| | V 2.0 : Content Protection Violation : Monitor | Sub Rule | Security Policy Violation | Warning |
| | V 2.0 : Content Protection Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | V 2.0 : DNS Reserved Header Bit : Monitor | Sub Rule | Protocol Anomaly | Attack |
| | V 2.0 : DNS Reserved Header Bit : Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
| | V 2.0 : Geo-location Enforcement : Monitor | Sub Rule | Geo-Location Enforcement | Other Operations |
| | V 2.0 : Geo-location Enforcement : Drop | Sub Rule | Failed General Attack Activity | Failed Attack |
| | V 2.0 : HTTP Protocol Inspection : Monitor | Sub Rule | HTTP Message Violates Inspection Rule | Information |
| | V 2.0 : HTTP Protocol Inspection : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | V 2.0 : Non-Standard Port HTTP Violation : Monitor | Sub Rule | HTTP Security Violation | Other Security |
| | V 2.0 : Non-Standard Port HTTP Violation : Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
| | V 2.0 : Instant Messengers : Monitor | Sub Rule | IM/Chat Activity | Misuse |
| | V 2.0 : Instant Messengers : Drop | Sub Rule | Failed IM/Chat Activity | Failed Misuse |
| | V 2.0 : IP Fragments : Drop | Sub Rule | Threat Blocked | Failed Activity |
| | V 2.0 : Large Ping : Monitor | Sub Rule | Ping Request | Network Traffic |
| | V 2.0 : Large Ping : Drop | Sub Rule | General Failed Activity | Failed Activity |
| | V 2.0 : Malformed HTTP : Monitor | Sub Rule | Malformed Object | Suspicious |
| | V 2.0 : Malformed HTTP : Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
| | V 2.0 : Malformed Packet : Monitor | Sub Rule | Malformed / Bad Packet Detected | Network Traffic |
| | V 2.0 : Malformed Packet : Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
| | V 2.0 : Non Compliant DNS : Detect | Sub Rule | Non Compliant DNS | Activity |
| | V 2.0 : Port Scan : Monitor | Sub Rule | Port Scan | Reconnaissance |
| | V 2.0 : Port Scan : Drop | Sub Rule | Port Scan Activity Dropped | Failed Activity |
| | V 2.0 : SSL Enforcement Violation : Monitor | Sub Rule | SSL Enforcement | Activity |
| | V 2.0 : SSL Enforcement Violation : Drop | Sub Rule | Drop VPN - SSL Enforcement | Failed Activity |
| | V 2.0 : SSL Tunneling : Monitor | Sub Rule | General TUNNEL Message | Information |
| | V 2.0 : SSL Tunneling : Drop | Sub Rule | Secure Tunnel Deleted | Information |
| | V 2.0 : Stream Engine : Net Conf Problem : Monitor | Sub Rule | General Configuration Error | Error |
| | V 2.0 : Stream Engine : Network Conf Problem: Drop | Sub Rule | Configuration Failure | Network Traffic |
| | V 2 : Stream Engine : TCP Seg Limit Enf : Monitor | Sub Rule | General TCP/IP Information | Information |
| | V 2.0 : Stream Engine : TCP Seg Limit Enf : Drop | Sub Rule | TCP Packet Dropped | Information |
| | V 2.0 : Stream Engine : TCP Seg Limit Enf : Accept | Sub Rule | Permitted TCP Packet | Network Traffic |
| | V 2.0 : Stream Engine : TCP Urg Data Enf : Monitor | Sub Rule | TCP Urgent Data Enforcement | Network Traffic |
| | V 2.0 : Stream Engine : TCP Urg Data Enf : Drop | Sub Rule | TCP Packet Dropped | Information |
| | V 2.0 : SmartDefense : SYN : Monitor | Sub Rule | Packet Received | Network Traffic |
| | V 2.0 : SmartDefense : SYN : Drop | Sub Rule | Packet Dropped | Warning |
| | V 2.0 : TCP Enforcement Violation : Monitor | Sub Rule | General Protocol Violation | Error |
| | V 2.0 : TCP Enforcement Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |