Syslog - Imperva SecureSphere: V 2.0 : Security Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 : Security Events | Base Rule | General Audit Message | Other Audit |
V 2.0 : Cookie Injection | Sub Rule | HTTP Cookie | Activity |
V 2.0 : XSS | Sub Rule | Vuln High Severity : CGI Abuses : XSS | Vulnerability |
V 2.0 : Custom Violation | Sub Rule | Security Violation | Other Security |
V 2.0 : Extremely Long HTTP Request | Sub Rule | Line In HTTP Request Too Long | Warning |
V 2.0 : HTTP Signature Violation | Sub Rule | General Signature Detection | Warning |
V 2.0 : Illegal Byte Code Character In Header Name | Sub Rule | Illegal Characters | Error |
V 2.0 : Illegal Byte Code Character In Method | Sub Rule | Illegal Characters | Error |
V 2.0 : Illegal Byte Code Character In URL | Sub Rule | Illegal Characters | Error |
V 2.0 : Illegal HTTP Version | Sub Rule | General HTTP Warning | Warning |
V 2.0 : Unauthorized SOAP Action | Sub Rule | SOAP Message Body | Activity |
V 2.0 : Unknown HTTP Request Method | Sub Rule | Invalid HTTP Request | Information |
V 2.0 : Custom-Policy-Violation | Sub Rule | Security Policy Violation | Warning |
V 2.0 : Malformed HTTP Header Line | Sub Rule | HTTP Header Error | Error |
V 2.0 : ThreatRader - TOR IPs | Sub Rule | TOR Client Request | Activity |
V 2.0 : Directory Trav (In Cookies/Parameters Val) | Sub Rule | Directory Traversal | Attack |
V 2.0 : Attempt To Execute Privileged Operation | Sub Rule | Failed Suspicious User Activity | Failed Suspicious |
V 2.0 : Extremely Long SQL Request | Sub Rule | General Attack Activity | Attack |
V 2.0 : SQL Signature Violation | Sub Rule | General Attack Activity | Attack |
V 2.0 : Unauthorized Database User | Sub Rule | Suspicious User Activity | Suspicious |
V 2.0 : Unauthorized Source Application | Sub Rule | Unauthorized Program/Process | Misuse |
V 2.0 : Web Profile Policy | Sub Rule | General POLICY Warning | Warning |
V 2.0 : Cross Site Request Forgery | Sub Rule | Cross-Site Request Forgery | Attack |
V 2.0 : HTTP/1.x Protocol Policy | Sub Rule | General Protocol Information | Information |
V 2.0 : Migrated Web Protocol Policy For ServGroup | Sub Rule | Object Modified | Access Success |
V 2.0 : Network Protocol Violations Policy | Sub Rule | Security Policy Violation | Warning |
V 2.0 : Post Request - Missing Content Type | Sub Rule | Missing Attribute | Warning |
V 2.0 : Recommended Signatures Policy For Web App | Sub Rule | General Policy | Other Audit |
V 2.0 : Suspicious Response Code | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : Web Correlation Policy | Sub Rule | General Policy | Other Audit |
V 2.0 : Web Protocol Policy - Venture | Sub Rule | General Policy | Other Audit |
V 2.0 : XSS Taylor | Sub Rule | General Protocol Information | Information |
V 2.0 : SQL Login Failed | Sub Rule | SQL Login | Activity |
V 2.0 : Cookie Tampering | Sub Rule | General Attack Activity | Attack |
V 2.0 : Email Hoarding : Custom Violation | Sub Rule | Unauthorized E-mail | Misuse |
V 2.0 : Email Hoarding | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : Extremely Long Parameter | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : Double URL Encoding | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : NULL Character In Parameter Value | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : Parameter Type Violation | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : SSL Untraceable Connection | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : Unauthorized Access To Service | Sub Rule | Unauthorized Program/Process | Misuse |
V 2.0 : Unauthorized Method For Known URL | Sub Rule | Unauthorized Activity | Misuse |
V 2.0 : Unauthorized Request Content Type | Sub Rule | Unauthorized Activity | Misuse |
V 2.0 : Unauthorized URL Access | Sub Rule | Unauthorized Activity | Misuse |
V 2.0 : Redundant UTF-8 Encoding | Sub Rule | General Protocol Violation | Error |
V 2.0 : SQL Injection | Sub Rule | SQL Injection | Attack |
V 2.0 : URL Above Root Directory | Sub Rule | Directory Traversal | Attack |
V 2.0 : Web Worm | Sub Rule | Detected Worm Activity | Malware |
V 2.0 : HTTP Signature Violation : Blocked | Sub Rule | Failed General Attack Activity | Failed Attack |
V 2.0 : SQL Injection : Blocked | Sub Rule | Failed SQL Injection | Failed Attack |
V 2.0 : Cross-Site Scripting : Blocked | Sub Rule | Failed Cross-Site Scripting | Failed Attack |
V 2.0 : Cross Site Request Forgery : Blocked | Sub Rule | Failed Cross-Site Request Forgery | Failed Attack |
V 2.0 : Unknown HTTP Request Method : Blocked | Sub Rule | HTTP Request Failed | Error |
V 2.0 : URL Above Root Directory : Blocked | Sub Rule | Failed Directory Traversal | Failed Attack |
V 2.0 : Web Worm : Blocked | Sub Rule | Failed Worm Activity | Failed Malware |
V 2.0 : Illegal HTTP Version : Blocked | Sub Rule | Incorrect Version | Error |
V 2.0 : Redundant UTF-8 Encoding : Blocked | Sub Rule | General Protocol Violation | Error |
V 2.0 : Email Hoarding | Sub Rule | General AlertEmail Critical | Critical |
V 2.0 : Recommended Sign Policy For Web App PSHR | Sub Rule | Signatures Updated | Configuration |
V 2.0 : SOAP Element Value Type Violation | Sub Rule | System Violation | Error |
V 2.0 : Threatrader - Anonymous Proxies | Sub Rule | Failed To Refresh List Proxies | Error |
V 2.0 : Threatrader - Malicious IPs | Sub Rule | General IPS/IDS Log Message | Other Security |
V 2.0 : Threatrader - TOR IPs | Sub Rule | TOR Client Request | Activity |
V 2.0 : Web Protocol Policy | Sub Rule | General Audit Policy Setting | Information |
V 2.0 : SQL Correlation Event | Sub Rule | General Policy | Other Audit |
V 2.0 : CalOptima - MSSQL Policy | Sub Rule | General Policy | Other Audit |
V 2.0 : CalOptima - Sensitive Data Access | Sub Rule | Data Queue Retrieved | Information |
V 2.0 : Email Hoarding | Sub Rule | Unauthorized E-mail | Misuse |
V 2.0 : Cross Site Request Forgery:Custom Violatio | Sub Rule | Cross-Site Request Forgery | Attack |
V 2.0 : Distributed Suspicious Response Code | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : Suspicious Response Code Alert | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : Parameter Read Only Violation | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : Network Protocol Violation Policy | Sub Rule | Security Policy Violation | Warning |
V 2.0 : Cross Site Request Forgery : Custom Violat | Sub Rule | Cross-Site Request Forgery | Attack |
V 2.0 : Recommended Signature Policy For Web App | Sub Rule | Signature Information | Information |
V 2.0 : Sql Unauthorized Sensitive Query Group | Sub Rule | General Attack Activity | Attack |
V 2.0 : Sql Issued By Unauthorized User Name | Sub Rule | General Attack Activity | Attack |
V 2.0 : Sql Privileged Operation | Sub Rule | General Attack Activity | Attack |
V 2.0 : Sql Unauthorized Sensitive Table | Sub Rule | General Attack Activity | Attack |
V 2.0 : Http Abnormally Long Parameter | Sub Rule | General Protocol Information | Information |
V 2.0 : Sql Failed Mid Session Login | Sub Rule | General Attack Activity | Attack |
V 2.0 : Http Double Url Encoding | Sub Rule | General Protocol Information | Information |
V 2.0 : Http Illegal Byte Code Parameter Value | Sub Rule | Illegal Characters | Error |
V 2.0 : Suspicious Pattern | Sub Rule | Suspicious Activity | Suspicious |
V 2.0 : Http Null Char Parameter Value | Sub Rule | General Null Information | Information |
V 2.0 : Http Post Missing Content Type | Sub Rule | General Protocol Information | Information |
V 2.0 : Anti Scraping | Sub Rule | General Attack Activity | Attack |
V 2.0 : Http Illegal Parameter Encoding | Sub Rule | General Protocol Information | Information |
V 2.0 : Http Abnormally Long Url | Sub Rule | URL Information | Information |
V 2.0 : Sql Unauthorized Host | Sub Rule | Unauthorized Host | Error |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
CEF:Version | N/A | N/A | N/A |
N/A | N/A | N/A | Device Vendor |
N/A | N/A | N/A | Device Product |
N/A | <version> | Text/String/Number | Device Version |
N/A | <vmid> | Text/String | deviceEventClassId |
N/A | <subject> | Text/String | Name |
N/A | <severity> | Text/String | Severity |
act | <action> | Text/String | The immediate action performed, either block |
dst | <dip> | IP Address | The destination IP address |
dpt | <dport> | Number | The destination port |
duser | <account><domainimpacted> | Text/String | The destination user. In web applications it refers to the application user logged into the application. In database applications it refers to the database user |
src | <sip> | IP Address | The source IP address |
spt | <sport> | Number | The source port |
proto | <protname> | Text/String | The protocol used |
rt | N/A | N/A | The alert time |
cat | <objecttype> | Text/String | The type of event |
cs1 | <policy> | Text/String | The violated policy's name |
cs1Label | N/A | N/A | Policy label |
cs2 | <group> | Text/String | The server group name |
cs2Label | N/A | N/A | ServerGroup Label |
cs3 | <process> | Text/String | alert description |
cs3Label | N/A | N/A | Service is Service Label. |
cs4 | <object> | Text/String | application name |
cs4Label | N/A | N/A | Application is Service Label |
cs5 | <result> | Text/String | alert description |
cs5Label | N/A | N/A | Description is Description Label |
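A small parser, added here as an illustration and not part of LogRhythm's or Imperva's own code, that applies the mapping table above to a constructed SecureSphere CEF line (every value, including the csNLabel strings, is made up for the example). It honours CEF's backslash escapes and pairs each csN custom string with its csNLabel, which is worth checking before trusting cs1 as the policy name or cs2 as the server group.

```python
import re

# Constructed sample (not a real event); includes an escaped '=' in cs2 and a
# multi-word rt value to exercise the extension parser.
SAMPLE = (
    "CEF:0|Imperva Inc.|SecureSphere|13.0|SQL Injection|SQL Injection|High|"
    "act=Block dst=10.0.0.5 dpt=443 duser=webapp src=198.51.100.23 spt=51234 "
    "proto=TCP rt=01 Jan 2024 10:00:00 cat=Alert cs1=Web Application Policy "
    "cs1Label=Policy cs2=Default Site\\=Group cs2Label=ServerGroup cs3=Web Service "
    "cs3Label=ServiceName cs4=Shop cs4Label=ApplicationName "
    "cs5=Quote char in param cs5Label=Description"
)

# Header positions -> schema fields (table rows CEF:Version .. Severity).
HEADER_FIELDS = ["cef_version", "vendor", "product", "version", "vmid", "subject", "severity"]
# Extension keys -> LogRhythm schema fields from the mapping table
# (duser is also tagged <domainimpacted> in the table; only <account> is kept here).
EXT_MAP = {"act": "action", "dst": "dip", "dpt": "dport", "duser": "account",
           "src": "sip", "spt": "sport", "proto": "protname", "cat": "objecttype",
           "cs1": "policy", "cs2": "group", "cs3": "process", "cs4": "object", "cs5": "result"}
# key=value pairs; values may contain spaces and backslash-escaped '=' or '\'.
EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")
_ESC = {"\\": "\\", "=": "=", "|": "|", "n": "\n", "r": "\r"}

def unescape(value):
    """Undo CEF backslash escapes; unknown sequences are left untouched."""
    return re.sub(r"\\(.)", lambda m: _ESC.get(m.group(1), m.group(0)), value)

def split_header(line):
    """Return the 7 pipe-delimited header fields (honouring '\\|') and the extension text."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # escaped '|' or '\' inside a header field
            cur.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields, line[i:]

def parse_imperva_cef(line):
    """Map one SecureSphere CEF line onto the LogRhythm schema fields of the table above."""
    header, ext = split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    event = dict(zip(HEADER_FIELDS, header))
    raw = {k: unescape(v) for k, v in EXT_RE.findall(ext)}
    event.update({field: raw[key] for key, field in EXT_MAP.items() if key in raw})
    event["rt"] = raw.get("rt")                      # table maps rt to N/A; kept raw
    # csNLabel states what csN carries; expose label -> value so the mapping can be verified.
    event["labels"] = {raw[f"cs{n}Label"]: raw[f"cs{n}"]
                       for n in range(1, 6) if f"cs{n}Label" in raw and f"cs{n}" in raw}
    return event
```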