Vendor Documentation
Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| SmartDefense | Base Rule | General Firewall Log | Network Traffic |
| SmartDefense : Block HTTP Non Compliant : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Block Non HTTP Traffic : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : IP Fragments : Drop | Sub Rule | IP Microfragment | Activity |
| SmartDefense : Protection : Outbound | Sub Rule | Established Outbound Connection | Information |
| SmartDefense : Geo_protection: Outbound | Sub Rule | Established Outbound Connection | Information |
| SmartDefense : Geo_protection: Inbound | Sub Rule | Established Inbound Connection | Information |
| SmartDefense : Adobe Reader Violation : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Attempt To Open Audio Con : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Anomaly_http : Outbound | Sub Rule | Established Outbound Connection | Information |
| SmartDefense : Block HTTP Non Compliant : Reject | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Anomaly : Inbound | Sub Rule | Established Inbound Connection | Information |
| SmartDefense : Anomaly : Outbound | Sub Rule | Established Outbound Connection | Information |
| SmartDefense : Anomaly : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Apache Svr Protection Viol : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : Content Protection Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : DNS Reserved Header Bit : Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
| SmartDefense : Geo-Location Enforcement : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : HTTP Protocol Inspection : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : HTTP Trfc Ovr Bad Port Viol : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Malformed HTTP : Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
| SmartDefense : Malformed Packet : Drop | Sub Rule | Malformed Packet | Network Traffic |
| SmartDefense : Port Scan : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : SSL Enforcement Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : SSL Tunneling : Drop | Sub Rule | Failed Anonymizing Activity | Failed Misuse |
| SmartDefense : Potl Network Config Problem : Drop | Sub Rule | Configuration Failure | Warning |
| SmartDefense : TCP Segment Limit Enfrcm : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : TCP Urgent Data Enforcement : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : SYN : Drop | Sub Rule | Failed Network Denial Of Service | Failed Denial of Service |
| SmartDefense : TCP Enforcement Violation : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Instant Messengers : Drop | Sub Rule | Failed IM/Chat Activity | Failed Misuse |
| SmartDefense : Large Ping : Drop | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : Apache Svr Protection Viol : Mon | Sub Rule | Security Violation | Other Security |
| SmartDefense : Content Protection Violation : Mon | Sub Rule | Security Violation | Other Security |
| SmartDefense : DNS Reserved Header Bit : Monitor | Sub Rule | Protocol Anomaly | Attack |
| SmartDefense : Geo-Location Enforcement : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : HTTP Protocol Inspection : Monitor | Sub Rule | Protocol Anomaly | Attack |
| SmartDefense : HTTP Trfc Ovr Bad Port Viol : Mon | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Malformed HTTP : Monitor | Sub Rule | Malformed Object | Suspicious |
| SmartDefense : Malformed Packet : Monitor | Sub Rule | Malformed Object | Suspicious |
| SmartDefense : Port Scan : Monitor | Sub Rule | Port Scan | Reconnaissance |
| SmartDefense : SSL Enforcement Violation : Monitor | Sub Rule | General Failed Activity | Failed Activity |
| SmartDefense : SSL Tunneling : Monitor | Sub Rule | Anonymizing Activity | Misuse |
| SmartDefense : Potl Net Config Problem : Monitor | Sub Rule | Configuration Failure | Warning |
| SmartDefense : TCP Segment Limit Enfrcm : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : TCP Urgent Data Enfrcm : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : SYN : Monitor | Sub Rule | Network Denial Of Service | Denial Of Service |
| SmartDefense : TCP Enforcement Violation : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Instant Messengers : Monitor | Sub Rule | IM/Chat Activity | Misuse |
| SmartDefense : Large Ping : Monitor | Sub Rule | Ping Sweep | Reconnaissance |
| SmartDefense : Geo Protection : Dropped | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
| SmartDefense : Geo Protection : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
| SmartDefense : Anomaly : Monitor | Sub Rule | Protocol Anomaly | Attack |
| SmartDefense : Content Protection Violation Detect | Sub Rule | General Activity | Activity |
| SmartDefense : Non Compliant DNS : Detect | Sub Rule | Non Compliant DNS | Activity |
| SmartDefense : Block HTTP Non Compliant | Sub Rule | Blocked Non-Compliant HTTP Format | Activity |
| SmartDefense : TCP Segment Limit : Accept | Sub Rule | General Traffic Allowed | Network Traffic |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type |
|---|---|---|
| Product | <version> | Number/Text |
| Origin | <sender> | Number/Text |
| Action | <action> | Number/Text |
| Action | <tag3> | Number/Text |
| SIP | <sip> | Number |
| SPort | <sport> | Number |
| DIP | <dip> | Number |
| DPort | <dport> | Number |
| Protocol | <protnum> | Number |
| Protocol | <protname> | Number/Text |
| IFName | <sinterface> | Text/String |
| IFDirection | <tag4> | Number/Text |
| Reason | <reason> | Number/Text |
| Rule | <command> | Number/Text |
| PolicyName | <policy> | Number/Text |
| XlateSIP | <snatip> | Number |
| XlateDIP | <dnatip> | Number |
| User | <login> | Number/Text |
| src_user_name | <login> | Number/Text |
| dst_user_name | <account> | Number/Text |
| to | <recipient> | Number/Text |
| from | <sender> | Number/Text |
| web_client_type | <useragent> | Number/Text |
| Url | <url> | Number/Text |
| dst_machine_name | <dname> | Text/String |
| src_machine_name | <sname> | Text/String |
| Attack | <tag2> | Number/Text |
| Attack | <threatname> | Number/Text |
| Protection_Name | <object> | Number/Text |
| Severity | <severity> | Number/Text |
| Confidence_Level | <responsecode> | Number/Text |
| Industry_Reference | <cve> | Number/Text |
| Protection_Type | <objecttype> | Number/Text |
| Protection_Type | <tag1> | Number/Text |
| rule_name | <command> | Number/Text |
| Info | <vendorinfo> | Number/Text |
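The two tables above describe a pipeline: device keys in the SmartDefense record are copied into LogRhythm schema fields (several keys, such as Action, Protocol and Attack, feed two schema fields), and the record is then matched against a Sub Rule or, failing that, the Base Rule. The script below is an added example that walks through both steps; it is not LogRhythm or Check Point code. Its assumptions: the record format (semicolon-separated `key=value` pairs) and the four sample records are constructed for the demo, the mapping dictionaries are a subset transcribed from the two tables, and the Sub Rule name is formed as `SmartDefense : <Attack> : <Action>` only for illustration (the MPE regexes that actually select a Sub Rule are not on this page). The Data Type column is used as a real check: a target typed `Number` is filled only when the value is an integer or an IP address, so `Protocol=tcp` lands in `<protname>` and never in `<protnum>`.

```python
"""Constructed Check Point SmartDefense records -> LogRhythm schema fields and
Base/Sub Rule classification. Added example, not vendor or LogRhythm code; the
record format, sample records and rule-name construction are assumptions."""
import ipaddress

# Device key -> ((LogRhythm schema field, Data Type), ...), subset of the table.
# Keys that feed two schema fields (Action, Protocol, Attack, Protection_Type) list both.
DEVICE_KEY_TO_SCHEMA = {
    "Product": (("version", "Number/Text"),),
    "Origin": (("sender", "Number/Text"),),
    "Action": (("action", "Number/Text"), ("tag3", "Number/Text")),
    "SIP": (("sip", "Number"),),
    "SPort": (("sport", "Number"),),
    "DIP": (("dip", "Number"),),
    "DPort": (("dport", "Number"),),
    "Protocol": (("protnum", "Number"), ("protname", "Number/Text")),
    "IFName": (("sinterface", "Text/String"),),
    "IFDirection": (("tag4", "Number/Text"),),
    "Rule": (("command", "Number/Text"),),
    "PolicyName": (("policy", "Number/Text"),),
    "Attack": (("tag2", "Number/Text"), ("threatname", "Number/Text")),
    "Protection_Name": (("object", "Number/Text"),),
    "Severity": (("severity", "Number/Text"),),
    "Protection_Type": (("objecttype", "Number/Text"), ("tag1", "Number/Text")),
}

# Base Rule catches whatever no Sub Rule claims. Sub Rules: rule name -> (Common Event, Classification).
BASE_RULE = ("SmartDefense", "General Firewall Log", "Network Traffic")
SUB_RULES = {
    "SmartDefense : Port Scan : Drop": ("General Failed Activity", "Failed Activity"),
    "SmartDefense : Port Scan : Monitor": ("Port Scan", "Reconnaissance"),
    "SmartDefense : Malformed Packet : Drop": ("Malformed Packet", "Network Traffic"),
    "SmartDefense : Malformed Packet : Monitor": ("Malformed Object", "Suspicious"),
    "SmartDefense : SYN : Drop": ("Failed Network Denial Of Service", "Failed Denial of Service"),
    "SmartDefense : SYN : Monitor": ("Network Denial Of Service", "Denial Of Service"),
}

def is_number(value):
    """'Number' in the schema table covers ports, protocol numbers and IP addresses."""
    if value.isdigit():
        return True
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_record(line):
    """Split a 'key=value; key=value' record (constructed format) into a dict."""
    fields = {}
    for pair in line.split(";"):
        key, sep, value = pair.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def to_schema(fields):
    """Apply the device-key table; a target is filled only if its Data Type fits the value."""
    schema = {}
    for key, value in fields.items():
        for field, data_type in DEVICE_KEY_TO_SCHEMA.get(key, ()):
            if data_type == "Number" and not is_number(value):
                continue  # e.g. Protocol=tcp fills protname but not protnum; SPort=n/a is dropped
            schema[field] = value
    return schema

def classify(fields):
    """Assumed Sub Rule selection: 'SmartDefense : <Attack> : <Action>'; otherwise the Base Rule."""
    attack, action = fields.get("Attack"), fields.get("Action", "")
    if attack:
        name = f"SmartDefense : {attack} : {action.capitalize()}"
        if name in SUB_RULES:
            return (name,) + SUB_RULES[name]
    return BASE_RULE

def process_record(line):
    fields = parse_record(line)
    rule_name, common_event, classification = classify(fields)
    return {"rule_name": rule_name, "common_event": common_event,
            "classification": classification, "schema": to_schema(fields)}

# Constructed sample records (not real Check Point output).
SAMPLE_RECORDS = [
    "Product=SmartDefense; Origin=gw-edge-1; Action=drop; SIP=198.51.100.23; SPort=51234; "
    "DIP=203.0.113.10; DPort=443; Protocol=tcp; IFName=eth0; IFDirection=inbound; "
    "Attack=Port Scan; Protection_Name=Host Port Scan; Severity=High; Rule=12",
    "Product=SmartDefense; Origin=gw-edge-1; Action=monitor; SIP=198.51.100.23; SPort=51235; "
    "DIP=203.0.113.10; DPort=22; Protocol=tcp; Attack=Port Scan; Severity=Medium",
    "Product=SmartDefense; Origin=gw-edge-2; Action=drop; SIP=192.0.2.77; SPort=40000; "
    "DIP=203.0.113.5; DPort=80; Protocol=6; Attack=Malformed Packet; Severity=High",
    "Product=SmartDefense; Origin=gw-edge-2; Action=accept; SIP=192.0.2.9; SPort=n/a; "
    "DIP=203.0.113.5; DPort=53; Protocol=udp; Rule=7; PolicyName=Standard",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        r = process_record(rec)
        print(r["rule_name"], "->", r["common_event"], "/", r["classification"], r["schema"])
```

Device keys that are in the record but not in `DEVICE_KEY_TO_SCHEMA` are silently ignored, which is what happens in practice when a parser is missing a row; extending the dictionary with the remaining rows of the mapping table (Reason, XlateSIP, User, Industry_Reference and so on) follows the same shape. The fourth record shows the Base Rule fallback: no Attack key, so it lands in General Firewall Log / Network Traffic, and the non-numeric `SPort=n/a` never reaches `<sport>`.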