SmartDefense 1
Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| SmartDefense | Base Rule | General Firewall Log | Network Traffic |
| SmartDefense : Block HTTP Non Compliant : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Block Non HTTP Traffic : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : IP Fragments : Drop | Sub Rule | IP Microfragment | Activity |
| SmartDefense : Protection : Outbound | Sub Rule | Established Outbound Connection | Information |
| SmartDefense : Geo_protection: Outbound | Sub Rule | Established Outbound Connection | Information |
| SmartDefense : Geo_protection: Inbound | Sub Rule | Established Inbound Connection | Information |
| SmartDefense : Adobe Reader Violation : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Attempt To Open Audio Con : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Anomaly_http : Outbound | Sub Rule | Established Outbound Connection | Information |
| SmartDefense : Block HTTP Non Compliant : Reject | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Anomaly : Inbound | Sub Rule | Established Inbound Connection | Information |
| SmartDefense : Anomaly : Outbound | Sub Rule | Established Outbound Connection | Information |
| SmartDefense : Anomaly : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Apache Svr Protection Viol : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : Content Protection Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : DNS Reserved Header Bit : Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
| SmartDefense : Geo-Location Enforcement : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : HTTP Protocol Inspection : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : HTTP Trfc Ovr Bad Port Viol : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Malformed HTTP : Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
| SmartDefense : Malformed Packet : Drop | Sub Rule | Malformed Packet | Network Traffic |
| SmartDefense : Port Scan : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : SSL Enforcement Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : SSL Tunneling : Drop | Sub Rule | Failed Anonymizing Activity | Failed Misuse |
| SmartDefense : Potl Network Config Problem : Drop | Sub Rule | Configuration Failure | Warning |
| SmartDefense : TCP Segment Limit Enfrcm : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : TCP Urgent Data Enforcement : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : SYN : Drop | Sub Rule | Failed Network Denial Of Service | Failed Denial of Service |
| SmartDefense : TCP Enforcement Violation : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Instant Messengers : Drop | Sub Rule | Failed IM/Chat Activity | Failed Misuse |
| SmartDefense : Large Ping : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : Apache Svr Protection Viol : Mon | Sub Rule | Security Violation | Other Security |
| SmartDefense : Content Protection Violation : Mon | Sub Rule | Security Violation | Other Security |
| SmartDefense : DNS Reserved Header Bit : Monitor | Sub Rule | Protocol Anomaly | Attack |
| SmartDefense : Geo-Location Enforcement : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : HTTP Protocol Inspection : Monitor | Sub Rule | Protocol Anomaly | Attack |
| SmartDefense : HTTP Trfc Ovr Bad Port Viol : Mon | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Malformed HTTP : Monitor | Sub Rule | Malformed Object | Suspicious |
| SmartDefense : Malformed Packet : Monitor | Sub Rule | Malformed Object | Suspicious |
| SmartDefense : Port Scan : Monitor | Sub Rule | Port Scan | Reconnaissance |
| SmartDefense : SSL Enforcement Violation : Monitor | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : SSL Tunneling : Monitor | Sub Rule | Anonymizing Activity | Misuse |
| SmartDefense : Potl Net Config Problem : Monitor | Sub Rule | Configuration Failure | Warning |
| SmartDefense : TCP Segment Limit Enfrcm : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : TCP Urgent Data Enfrcm : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : SYN : Monitor | Sub Rule | Network Denial Of Service | Denial Of Service |
| SmartDefense : TCP Enforcement Violation : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Instant Messengers : Monitor | Sub Rule | IM/Chat Activity | Misuse |
| SmartDefense : Large Ping : Monitor | Sub Rule | Ping Sweep | Reconnaissance |
| SmartDefense : Geo Protection : Dropped | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Geo Protection : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Anomaly : Monitor | Sub Rule | Protocol Anomaly | Attack |
| SmartDefense : Content Protection Violation Detect | Sub Rule | General Activity | Activity |
| SmartDefense : Non Compliant DNS : Detect | Sub Rule | Non Compliant DNS | Activity |
| SmartDefense : Block HTTP Non Compliant | Sub Rule | Blocked Non-Compliant HTTP Format | Activity |
| SmartDefense : TCP Segment Limit : Accept | Sub Rule | General Traffic Allowed | Network Traffic |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Product | <version> | Number/Text |
| Origin | <sender> | Number/Text |
| Action | <action> | Number/Text |
| Action | <tag3> | Number/Text |
| SIP | <sip> | Number |
| SPort | <sport> | Number |
| DIP | <dip> | Number |
| DPort | <dport> | Number |
| Protocol | <protnum> | Number |
| Protocol | <protname> | Number/Text |
| IFName | <sinterface> | Text/String |
| IFDirection | <tag4> | Number/Text |
| Reason | <reason> | Number/Text |
| Rule | <command> | Number/Text |
| PolicyName | <policy> | Number/Text |
| XlateSIP | <snatip> | Number |
| XlateDIP | <dnatip> | Number |
| User | <login> | Number/Text |
| src_user_name | <login> | Number/Text |
| dst_user_name | <account> | Number/Text |
| to | <recipient> | Number/Text |
| from | <sender> | Number/Text |
| web_client_type | <useragent> | Number/Text |
| Url | <url> | Number/Text |
| dst_machine_name | <dname> | Text/String |
| src_machine_name | <sname> | Text/String |
| Attack | <tag2> | Number/Text |
| Attack | <threatname> | Number/Text |
| Protection_Name | <object> | Number/Text |
| Severity | <severity> | Number/Text |
| Confidence_Level | <responsecode> | Number/Text |
| Industry_Reference | <cve> | Number/Text |
| Protection_Type | <objecttype> | Number/Text |
| Protection_Type | <tag1> | Number/Text |
| rule_name | <command> | Number/Text |
| Info | <vendorinfo> | Number/Text |