Vendor Documentation
Classification
| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0: Security Events | Base Rule | General Audit Message | Other Audit |
| V 2.0: Cookie Injection | Sub Rule | HTTP Cookie | Activity |
| V 2.0: XSS | Sub Rule | Vuln High Severity: CGI Abuses: XSS | Vulnerability |
| V 2.0: Custom Violation | Sub Rule | Security Violation | Other Security |
| V 2.0: Extremely Long HTTP Request | Sub Rule | Line In HTTP Request Too Long | Warning |
| V 2.0: HTTP Signature Violation | Sub Rule | General Signature Detection | Warning |
| V 2.0: Illegal Byte Code Character In Header Name | Sub Rule | Illegal Characters | Error |
| V 2.0: Illegal Byte Code Character In Method | Sub Rule | Illegal Characters | Error |
| V 2.0: Illegal Byte Code Character In URL | Sub Rule | Illegal Characters | Error |
| V 2.0: Illegal HTTP Version | Sub Rule | General HTTP Warning | Warning |
| V 2.0: Unauthorized SOAP Action | Sub Rule | SOAP Message Body | Activity |
| V 2.0: Unknown HTTP Request Method | Sub Rule | Invalid HTTP Request | Information |
| V 2.0: Custom-Policy-Violation | Sub Rule | Security Policy Violation | Warning |
| V 2.0: Malformed HTTP Header Line | Sub Rule | HTTP Header Error | Error |
| V 2.0: ThreatRader - TOR IPs | Sub Rule | TOR Client Request | Activity |
| V 2.0: Directory Trav (In Cookies/Parameters Val) | Sub Rule | Directory Traversal | Attack |
| V 2.0: Attempt To Execute Privileged Operation | Sub Rule | Failed Suspicious User Activity | Failed Suspicious |
| V 2.0: Extremely Long SQL Request | Sub Rule | General Attack Activity | Attack |
| V 2.0: SQL Signature Violation | Sub Rule | General Attack Activity | Attack |
| V 2.0: Unauthorized Database User | Sub Rule | Suspicious User Activity | Suspicious |
| V 2.0: Unauthorized Source Application | Sub Rule | Unauthorized Program/Process | Misuse |
| V 2.0: Web Profile Policy | Sub Rule | General POLICY Warning | Warning |
| V 2.0: Cross-Site Request Forgery | Sub Rule | Cross-Site Request Forgery | Attack |
| V 2.0: HTTP/1.x Protocol Policy | Sub Rule | General Protocol Information | Information |
| V 2.0: Migrated Web Protocol Policy For ServGroup | Sub Rule | Object Modified | Access Success |
| V 2.0: Network Protocol Violations Policy | Sub Rule | Security Policy Violation | Warning |
| V 2.0: Post Request - Missing Content Type | Sub Rule | Missing Attribute | Warning |
| V 2.0: Recommended Signatures Policy For Web App | Sub Rule | General Policy | Other Audit |
| V 2.0: Suspicious Response Code | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: Web Correlation Policy | Sub Rule | General Policy | Other Audit |
| V 2.0: Web Protocol Policy - Venture | Sub Rule | General Policy | Other Audit |
| V 2.0: XSS Taylor | Sub Rule | General Protocol Information | Information |
| V 2.0: SQL Login Failed | Sub Rule | SQL Login | Activity |
| V 2.0: Cookie Tampering | Sub Rule | General Attack Activity | Attack |
| V 2.0: Email Hoarding: Custom Violation | Sub Rule | Unauthorized E-mail | Misuse |
| V 2.0: Extremely Long Parameter | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: Double URL Encoding | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: NULL Character In Parameter Value | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: Parameter Type Violation | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: SSL Untraceable Connection | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: Unauthorized Access To Service | Sub Rule | Unauthorized Program/Process | Misuse |
| V 2.0: Unauthorized Method For Known URL | Sub Rule | Unauthorized Activity | Misuse |
| V 2.0: Unauthorized Request Content Type | Sub Rule | Unauthorized Activity | Misuse |
| V 2.0: Unauthorized URL Access | Sub Rule | Unauthorized Activity | Misuse |
| V 2.0: Redundant UTF-8 Encoding | Sub Rule | General Protocol Violation | Error |
| V 2.0: SQL Injection | Sub Rule | SQL Injection | Attack |
| V 2.0: URL Above Root Directory | Sub Rule | Directory Traversal | Attack |
| V 2.0: Web Worm | Sub Rule | Detected Worm Activity | Malware |
| V 2.0: HTTP Signature Violation: Blocked | Sub Rule | Failed General Attack Activity | Failed Attack |
| V 2.0: SQL Injection: Blocked | Sub Rule | Failed SQL Injection | Failed Attack |
| V 2.0: Cross-Site Scripting: Blocked | Sub Rule | Failed Cross-Site Scripting | Failed Attack |
| V 2.0: Cross-Site Request Forgery: Blocked | Sub Rule | Failed Cross-Site Request Forgery | Failed Attack |
| V 2.0: Unknown HTTP Request Method: Blocked | Sub Rule | HTTP Request Failed | Error |
| V 2.0: URL Above Root Directory: Blocked | Sub Rule | Failed Directory Traversal | Failed Attack |
| V 2.0: Web Worm: Blocked | Sub Rule | Failed Worm Activity | Failed Malware |
| V 2.0: Illegal HTTP Version: Blocked | Sub Rule | Incorrect Version | Error |
| V 2.0: Redundant UTF-8 Encoding: Blocked | Sub Rule | General Protocol Violation | Error |
| V 2.0: Email Hoarding | Sub Rule | General AlertEmail Critical | Critical |
| V 2.0: Recommended Sign Policy For Web App PSHR | Sub Rule | Signatures Updated | Configuration |
| V 2.0: SOAP Element Vlaue Type Violation | Sub Rule | System Violation | Error |
| V 2.0: Threatrader - Anonymous Proxies | Sub Rule | Failed To Refresh List Proxies | Error |
| V 2.0: Threatrader - Malicious IPs | Sub Rule | General IPS/IDS Log Message | Other Security |
| V 2.0: Web Protocol Policy | Sub Rule | General Audit Policy Setting | Information |
| V 2.0: SQL Correlation Event | Sub Rule | General Policy | Other Audit |
| V 2.0: CalOptima - MSSQL Policy | Sub Rule | General Policy | Other Audit |
| V 2.0: CalOptima - Sensitive Data Access | Sub Rule | Data Queue Retrieved | Information |
| V 2.0: Cross-Site Request Forgery: Custom Violation | Sub Rule | Cross-Site Request Forgery | Attack |
| V 2.0: Distributed Suspicious Response Code | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: Suspicious Response Code Alert | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: Parameter Read Only Violation | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: Network Protocol Violation Policy | Sub Rule | Security Policy Violation | Warning |
| V 2.0: Recommended Signature Policy For Web App | Sub Rule | Signature Information | Information |
| V 2.0: SQL Unauthorized Sensitive Query Group | Sub Rule | General Attack Activity | Attack |
| V 2.0: SQL Issued By Unauthorized User Name | Sub Rule | General Attack Activity | Attack |
| V 2.0: SQL Privileged Operation | Sub Rule | General Attack Activity | Attack |
| V 2.0: SQL Unauthorized Sensitive Table | Sub Rule | General Attack Activity | Attack |
| V 2.0: HTTP Abnormally Long Parameter | Sub Rule | General Protocol Information | Information |
| V 2.0: SQL Failed Mid-Session Login | Sub Rule | General Attack Activity | Attack |
| V 2.0: HTTP Double Url Encoding | Sub Rule | General Protocol Information | Information |
| V 2.0: HTTP Illegal Byte Code Parameter Value | Sub Rule | Illegal Characters | Error |
| V 2.0: Suspicious Pattern | Sub Rule | Suspicious Activity | Suspicious |
| V 2.0: HTTP Null Char Parameter Value | Sub Rule | General Null Information | Information |
| V 2.0: HTTP Post Missing Content Type | Sub Rule | General Protocol Information | Information |
| V 2.0: Anti Scraping | Sub Rule | General Attack Activity | Attack |
| V 2.0: HTTP Illegal Parameter Encoding | Sub Rule | General Protocol Information | Information |
| V 2.0: HTTP Abnormally Long Url | Sub Rule | URL Information | Information |
| V 2.0: SQL Unauthorized Host | Sub Rule | Unauthorized Host | Error |
Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| CEF: Version | N/A | N/A | N/A |
| N/A | N/A | N/A | Device Vendor |
| N/A | N/A | N/A | Device Product |
| N/A | <version> | Text/String/Number | Device Version |
| N/A | <vmid> | Text/String | deviceEventClassId |
| N/A | <subject> | Text/String | Name |
| N/A | <severity> | Text/String | Severity |
| act | <action> | Text/String | The immediate action performed, either block |
| description | <command> | Text/String | N/A |
| operation | N/A | N/A | N/A |
| dst | <dip> | IP Address | The destination IP address |
| dpt | <dport> | Number | The destination port |
| duser | <account><domainimpacted> | Text/String | The destination user. In web applications it refers to the application user logged into the application. In database applications it refers to the database user |
| src | <sip> | IP Address | The source IP address |
| spt | <sport> | Number | The source port |
| proto | <protname> | Text/String | The protocol used |
| rt | N/A | N/A | The alert time |
| cat | <objecttype> | Text/String | The type of event |
| cs1 | <policy> | Text/String | The violated policy's name |
| cs1Label | N/A | N/A | Policy label |
| cs2 | <group> | Text/String | The server group name |
| cs2Label | N/A | N/A | ServerGroup Label |
| cs3 | <process> | Text/String | alert description |
| cs3Label | N/A | N/A | Service is Service Label. |
| cs4 | <object> | Text/String | application name |
| cs4Label | N/A | N/A | Application is Service Label |
| cs5 | <result> | Text/String | alert description |
| cs5Label | N/A | N/A | Description is Description Label |
| cs6Label | N/A | N/A | HTTP Method |
| cs6 | <status> | Text/String | N/A |
| cs7Label | N/A | N/A | URL path |
| cs7 | <url> | Text/String | N/A |
| cs8Label | N/A | N/A | HTTP Response Code |
| cs8 | <responsecode> | Text/String | N/A |
| cs9Label | N/A | N/A | Web sessionID |
| cs9 | <session> | Text/String/Number | N/A |