SmartDefense 1
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
SmartDefense | Base Rule | General Firewall Log | Network Traffic |
SmartDefense : Block HTTP Non Compliant : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : Block Non HTTP Traffic : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : IP Fragments : Drop | Sub Rule | IP Microfragment | Activity |
SmartDefense : Protection : Outbound | Sub Rule | Established Outbound Connection | Information |
SmartDefense : Geo_protection: Outbound | Sub Rule | Established Outbound Connection | Information |
SmartDefense : Geo_protection: Inbound | Sub Rule | Established Inbound Connection | Information |
SmartDefense : Adobe Reader Violation : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : Attempt To Open Audio Con : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : Anomaly_http : Outbound | Sub Rule | Established Outbound Connection | Information |
SmartDefense : Block HTTP Non Compliant : Reject | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
SmartDefense : Anomaly : Inbound | Sub Rule | Established Inbound Connection | Information |
SmartDefense : Anomaly : Outbound | Sub Rule | Established Outbound Connection | Information |
SmartDefense : Anomaly : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
SmartDefense : Apache Svr Protection Viol : Drop | Sub Rule | General Failed Activity | Failed Activity |
SmartDefense : Content Protection Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
SmartDefense : DNS Reserved Header Bit : Drop | Sub Rule | Failed Protocol Anomaly | Failed Attack |
SmartDefense : Geo-Location Enforcement : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
SmartDefense : HTTP Protocol Inspection : Drop | Sub Rule | General Failed Activity | Failed Activity |
SmartDefense : HTTP Trfc Ovr Bad Port Viol : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
SmartDefense : Malformed HTTP : Drop | Sub Rule | Failed Malformed Object | Failed Suspicious |
SmartDefense : Malformed Packet : Drop | Sub Rule | Malformed Packet | Network Traffic |
SmartDefense : Port Scan : Drop | Sub Rule | General Failed Activity | Failed Activity |
SmartDefense : SSL Enforcement Violation : Drop | Sub Rule | General Failed Activity | Failed Activity |
SmartDefense : SSL Tunneling : Drop | Sub Rule | Failed Anonymizing Activity | Failed Misuse |
SmartDefense : Potl Network Config Problem : Drop | Sub Rule | Configuration Failure | Warning |
SmartDefense : TCP Segment Limit Enfrcm : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
SmartDefense : TCP Urgent Data Enforcement : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
SmartDefense : SYN : Drop | Sub Rule | Failed Network Denial Of Service | Failed Denial of Service |
SmartDefense : TCP Enforcement Violation : Drop | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
SmartDefense : Instant Messengers : Drop | Sub Rule | Failed IM/Chat Activity | Failed Misuse |
SmartDefense : Large Ping : Drop | Sub Rule | General Failed Activity | Failed Activity |
SmartDefense : Apache Svr Protection Viol : Mon | Sub Rule | Security Violation | Other Security |
SmartDefense : Content Protection Violation : Mon | Sub Rule | Security Violation | Other Security |
SmartDefense : DNS Reserved Header Bit : Monitor | Sub Rule | Protocol Anomaly | Attack |
SmartDefense : Geo-Location Enforcement : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : HTTP Protocol Inspection : Monitor | Sub Rule | Protocol Anomaly | Attack |
SmartDefense : HTTP Trfc Ovr Bad Port Viol : Mon | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : Malformed HTTP : Monitor | Sub Rule | Malformed Object | Suspicious |
SmartDefense : Malformed Packet : Monitor | Sub Rule | Malformed Object | Suspicious |
SmartDefense : Port Scan : Monitor | Sub Rule | Port Scan | Reconnaissance |
SmartDefense : SSL Enforcement Violation : Monitor | Sub Rule | General Failed Activity | Failed Activity |
SmartDefense : SSL Tunneling : Monitor | Sub Rule | Anonymizing Activity | Misuse |
SmartDefense : Potl Net Config Problem : Monitor | Sub Rule | Configuration Failure | Warning |
SmartDefense : TCP Segment Limit Enfrcm : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : TCP Urgent Data Enfrcm : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : SYN : Monitor | Sub Rule | Network Denial Of Service | Denial Of Service |
SmartDefense : TCP Enforcement Violation : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : Instant Messengers : Monitor | Sub Rule | IM/Chat Activity | Misuse |
SmartDefense : Large Ping : Monitor | Sub Rule | Ping Sweep | Reconnaissance |
SmartDefense : Geo Protection : Dropped | Sub Rule | Traffic Denied by IDS/IPS | Network Deny |
SmartDefense : Geo Protection : Monitor | Sub Rule | Traffic Allowed by IDS/IPS | Network Allow |
SmartDefense : Anomaly : Monitor | Sub Rule | Protocol Anomaly | Attack |
SmartDefense : Content Protection Violation Detect | Sub Rule | General Activity | Activity |
SmartDefense : Non Compliant DNS : Detect | Sub Rule | Non Compliant DNS | Activity |
SmartDefense : Block HTTP Non Compliant | Sub Rule | Blocked Non-Compliant HTTP Format | Activity |
SmartDefense : TCP Segment Limit : Accept | Sub Rule | General Traffic Allowed | Network Traffic |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type |
---|---|---|
Product | <version> | Number/Text |
Origin | <sender> | Number/Text |
Action | <action> | Number/Text |
Action | <tag3> | Number/Text |
SIP | <sip> | Number |
SPort | <sport> | Number |
DIP | <dip> | Number |
DPort | <dport> | Number |
Protocol | <protnum> | Number |
Protocol | <protname> | Number/Text |
IFName | <sinterface> | Text/String |
IFDirection | <tag4> | Number/Text |
Reason | <reason> | Number/Text |
Rule | <command> | Number/Text |
PolicyName | <policy> | Number/Text |
XlateSIP | <snatip> | Number |
XlateDIP | <dnatip> | Number |
User | <login> | Number/Text |
src_user_name | <login> | Number/Text |
dst_user_name | <account> | Number/Text |
to | <recipient> | Number/Text |
from | <sender> | Number/Text |
web_client_type | <useragent> | Number/Text |
Url | <url> | Number/Text |
dst_machine_name | <dname> | Text/String |
src_machine_name | <sname> | Text/String |
Attack | <tag2> | Number/Text |
Attack | <threatname> | Number/Text |
Protection_Name | <object> | Number/Text |
Severity | <severity> | Number/Text |
Confidence_Level | <responsecode> | Number/Text |
Industry_Reference | <cve> | Number/Text |
Protection_Type | <objecttype> | Number/Text |
Protection_Type | <tag1> | Number/Text |
rule_name | <command> | Number/Text |
Info | <vendorinfo> | Number/Text |
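The two tables above are a specification: device keys in, LogRhythm schema fields out, and a sub rule picked per attack and action. The following is an added example, not LogRhythm's MPE parser or any Check Point code, that implements that specification over constructed log lines so the mapping's rough edges become visible: several device keys feed the same schema field (Rule and rule_name both map to <command>, User and src_user_name to <login>, Origin and from to <sender>), and the table lists <protnum> and <protname> for Protocol without saying how the split is made. The 'key=value;' / 'key: value;' layout of the sample lines, the decision that the first key wins on a collision, the numeric-vs-name routing for Protocol, and the use of <threatname> plus <action> to derive the sub rule name are all assumptions made here, and only a subset of the classification table is transcribed.

```python
import re

# Device key -> LogRhythm schema field(s), transcribed from the mapping table above.
# One device key can feed several schema fields (Action, Attack, Protection_Type), and
# several device keys can target the same field (Rule/rule_name, User/src_user_name,
# Origin/from), which is why the mapper below tracks collisions.
DEVICE_KEY_TO_SCHEMA = {
    "Product": ["version"], "Origin": ["sender"], "Action": ["action", "tag3"],
    "SIP": ["sip"], "SPort": ["sport"], "DIP": ["dip"], "DPort": ["dport"],
    "Protocol": ["protnum", "protname"], "IFName": ["sinterface"], "IFDirection": ["tag4"],
    "Reason": ["reason"], "Rule": ["command"], "PolicyName": ["policy"],
    "XlateSIP": ["snatip"], "XlateDIP": ["dnatip"], "User": ["login"],
    "src_user_name": ["login"], "dst_user_name": ["account"], "to": ["recipient"],
    "from": ["sender"], "web_client_type": ["useragent"], "Url": ["url"],
    "dst_machine_name": ["dname"], "src_machine_name": ["sname"],
    "Attack": ["tag2", "threatname"], "Protection_Name": ["object"],
    "Severity": ["severity"], "Confidence_Level": ["responsecode"],
    "Industry_Reference": ["cve"], "Protection_Type": ["objecttype", "tag1"],
    "rule_name": ["command"], "Info": ["vendorinfo"],
}

# A subset of the classification table above: sub rule name -> (common event, classification).
BASE_RULE = ("SmartDefense", "General Firewall Log", "Network Traffic")
SUB_RULES = {
    "SmartDefense : Malformed Packet : Drop": ("Malformed Packet", "Network Traffic"),
    "SmartDefense : Malformed Packet : Monitor": ("Malformed Object", "Suspicious"),
    "SmartDefense : Port Scan : Drop": ("General Failed Activity", "Failed Activity"),
    "SmartDefense : Port Scan : Monitor": ("Port Scan", "Reconnaissance"),
    "SmartDefense : SYN : Drop": ("Failed Network Denial Of Service", "Failed Denial of Service"),
    "SmartDefense : SYN : Monitor": ("Network Denial Of Service", "Denial Of Service"),
    "SmartDefense : Large Ping : Monitor": ("Ping Sweep", "Reconnaissance"),
}

# Constructed sample lines for this example (not vendor output). The 'key=value;' layout
# is an assumption; parse_fields also accepts 'key: value;' and quoted values.
SAMPLE_LOGS = [
    'Product=SmartDefense; Origin=fw-edge-1; Action=drop; SIP=203.0.113.7; SPort=40123; '
    'DIP=198.51.100.10; DPort=80; Protocol=tcp; IFName=eth0; IFDirection=inbound; '
    'Attack="Malformed Packet"; Protection_Type=protection; Severity=High; Rule=12; rule_name="Web-In"',
    'Product: SmartDefense; Origin: fw-edge-1; Action: monitor; SIP: 203.0.113.9; '
    'DIP: 198.51.100.10; Protocol: 1; Attack: "Port Scan"; Severity: Medium; '
    'Info: "Scan of 200 ports in 2s"; foo_bar: 1',
]

FIELD_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*[=:]\s*"?(.*?)"?\s*$')


def parse_fields(line):
    """Split a 'key=value; ...' or 'key: value; ...' line into a dict of device keys (in line order)."""
    fields = {}
    for segment in line.split(";"):
        m = FIELD_RE.match(segment)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def map_to_schema(fields):
    """Apply the mapping table. Returns (schema, unmapped keys, collisions).

    First device key wins on a collision; the loser is reported so the data loss is visible.
    Protocol is routed to <protnum> when numeric and <protname> otherwise (a choice made here;
    the table lists both targets without saying how the split is made).
    """
    schema, unmapped, collisions = {}, [], []
    for key, value in fields.items():
        targets = DEVICE_KEY_TO_SCHEMA.get(key)
        if targets is None:
            unmapped.append(key)      # key the table does not cover: it lands nowhere
            continue
        if key == "Protocol":
            targets = ["protnum"] if value.isdigit() else ["protname"]
        for target in targets:
            if target in schema and schema[target] != value:
                collisions.append((target, key))  # a second device key wants this field
                continue
            schema[target] = value
    return schema, unmapped, collisions


def classify(schema):
    """Pick the sub rule from <threatname> and <action> (assumed to be what the rule names key on)."""
    attack, action = schema.get("threatname"), schema.get("action")
    if attack and action:
        name = f"SmartDefense : {attack} : {action.title()}"
        if name in SUB_RULES:
            return (name,) + SUB_RULES[name]
    return BASE_RULE  # anything the sub rules do not match falls through to the base rule


def process(line):
    fields = parse_fields(line)
    schema, unmapped, collisions = map_to_schema(fields)
    return {"schema": schema, "unmapped": unmapped, "collisions": collisions,
            "classification": classify(schema)}


if __name__ == "__main__":
    for log in SAMPLE_LOGS:
        r = process(log)
        print(r["classification"], "unmapped:", r["unmapped"], "collisions:", r["collisions"])
```

Running it on the first constructed line reports the collision ("command", "rule_name"): the numeric Rule value reaches <command> and the rule_name string is discarded, which is the kind of silent loss to check for in any log source whose mapping table sends two keys to one field. The second line shows an unmapped key (foo_bar) being reported rather than dropped without trace, and Protocol "1" landing in <protnum> while "tcp" on the first line lands in <protname>.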