Syslog - Imperva SecureSphere: V 2.0 : Security Events
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0: Security Events | Base Rule | General Audit Message | Other Audit |
V 2.0: Cookie Injection | Sub Rule | HTTP Cookie | Activity |
V 2.0: XSS | Sub Rule | Vuln High Severity: CGI Abuses: XSS | Vulnerability |
V 2.0: Custom Violation | Sub Rule | Security Violation | Other Security |
V 2.0: Extremely Long HTTP Request | Sub Rule | Line In HTTP Request Too Long | Warning |
V 2.0: HTTP Signature Violation | Sub Rule | General Signature Detection | Warning |
V 2.0: Illegal Byte Code Character In Header Name | Sub Rule | Illegal Characters | Error |
V 2.0: Illegal Byte Code Character In Method | Sub Rule | Illegal Characters | Error |
V 2.0: Illegal Byte Code Character In URL | Sub Rule | Illegal Characters | Error |
V 2.0: Illegal HTTP Version | Sub Rule | General HTTP Warning | Warning |
V 2.0: Unauthorized SOAP Action | Sub Rule | SOAP Message Body | Activity |
V 2.0: Unknown HTTP Request Method | Sub Rule | Invalid HTTP Request | Information |
V 2.0: Custom-Policy-Violation | Sub Rule | Security Policy Violation | Warning |
V 2.0: Malformed HTTP Header Line | Sub Rule | HTTP Header Error | Error |
V 2.0: ThreatRader - TOR IPs | Sub Rule | TOR Client Request | Activity |
V 2.0: Directory Trav (In Cookies/Parameters Val) | Sub Rule | Directory Traversal | Attack |
V 2.0: Attempt To Execute Privileged Operation | Sub Rule | Failed Suspicious User Activity | Failed Suspicious |
V 2.0: Extremely Long SQL Request | Sub Rule | General Attack Activity | Attack |
V 2.0: SQL Signature Violation | Sub Rule | General Attack Activity | Attack |
V 2.0: Unauthorized Database User | Sub Rule | Suspicious User Activity | Suspicious |
V 2.0: Unauthorized Source Application | Sub Rule | Unauthorized Program/Process | Misuse |
V 2.0: Web Profile Policy | Sub Rule | General POLICY Warning | Warning |
V 2.0: Cross-Site Request Forgery | Sub Rule | Cross-Site Request Forgery | Attack |
V 2.0: HTTP/1.x Protocol Policy | Sub Rule | General Protocol Information | Information |
V 2.0: Migrated Web Protocol Policy For ServGroup | Sub Rule | Object Modified | Access Success |
V 2.0: Network Protocol Violations Policy | Sub Rule | Security Policy Violation | Warning |
V 2.0: Post Request - Missing Content Type | Sub Rule | Missing Attribute | Warning |
V 2.0: Recommended Signatures Policy For Web App | Sub Rule | General Policy | Other Audit |
V 2.0: Suspicious Response Code | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: Web Correlation Policy | Sub Rule | General Policy | Other Audit |
V 2.0: Web Protocol Policy - Venture | Sub Rule | General Policy | Other Audit |
V 2.0: XSS Taylor | Sub Rule | General Protocol Information | Information |
V 2.0: SQL Login Failed | Sub Rule | SQL Login | Activity |
V 2.0: Cookie Tampering | Sub Rule | General Attack Activity | Attack |
V 2.0: Email Hoarding: Custom Violation | Sub Rule | Unauthorized E-mail | Misuse |
V 2.0: Extremely Long Parameter | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: Double URL Encoding | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: NULL Character In Parameter Value | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: Parameter Type Violation | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: SSL Untraceable Connection | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: Unauthorized Access To Service | Sub Rule | Unauthorized Program/Process | Misuse |
V 2.0: Unauthorized Method For Known URL | Sub Rule | Unauthorized Activity | Misuse |
V 2.0: Unauthorized Request Content Type | Sub Rule | Unauthorized Activity | Misuse |
V 2.0: Unauthorized URL Access | Sub Rule | Unauthorized Activity | Misuse |
V 2.0: Redundant UTF-8 Encoding | Sub Rule | General Protocol Violation | Error |
V 2.0: SQL Injection | Sub Rule | SQL Injection | Attack |
V 2.0: URL Above Root Directory | Sub Rule | Directory Traversal | Attack |
V 2.0: Web Worm | Sub Rule | Detected Worm Activity | Malware |
V 2.0: HTTP Signature Violation: Blocked | Sub Rule | Failed General Attack Activity | Failed Attack |
V 2.0: SQL Injection: Blocked | Sub Rule | Failed SQL Injection | Failed Attack |
V 2.0: Cross-Site Scripting: Blocked | Sub Rule | Failed Cross-Site Scripting | Failed Attack |
V 2.0: Cross-Site Request Forgery: Blocked | Sub Rule | Failed Cross-Site Request Forgery | Failed Attack |
V 2.0: Unknown HTTP Request Method: Blocked | Sub Rule | HTTP Request Failed | Error |
V 2.0: URL Above Root Directory: Blocked | Sub Rule | Failed Directory Traversal | Failed Attack |
V 2.0: Web Worm: Blocked | Sub Rule | Failed Worm Activity | Failed Malware |
V 2.0: Illegal HTTP Version: Blocked | Sub Rule | Incorrect Version | Error |
V 2.0: Redundant UTF-8 Encoding: Blocked | Sub Rule | General Protocol Violation | Error |
V 2.0: Email Hoarding | Sub Rule | General AlertEmail Critical | Critical |
V 2.0: Recommended Sign Policy For Web App PSHR | Sub Rule | Signatures Updated | Configuration |
V 2.0: SOAP Element Vlaue Type Violation | Sub Rule | System Violation | Error |
V 2.0: Threatrader - Anonymous Proxies | Sub Rule | Failed To Refresh List Proxies | Error |
V 2.0: Threatrader - Malicious IPs | Sub Rule | General IPS/IDS Log Message | Other Security |
V 2.0: Web Protocol Policy | Sub Rule | General Audit Policy Setting | Information |
V 2.0: SQL Correlation Event | Sub Rule | General Policy | Other Audit |
V 2.0: CalOptima - MSSQL Policy | Sub Rule | General Policy | Other Audit |
V 2.0: CalOptima - Sensitive Data Access | Sub Rule | Data Queue Retrieved | Information |
V 2.0: Cross-Site Request Forgery: Custom Violation | Sub Rule | Cross-Site Request Forgery | Attack |
V 2.0: Distributed Suspicious Response Code | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: Suspicious Response Code Alert | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: Parameter Read Only Violation | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: Network Protocol Violation Policy | Sub Rule | Security Policy Violation | Warning |
V 2.0: Recommended Signature Policy For Web App | Sub Rule | Signature Information | Information |
V 2.0: SQL Unauthorized Sensitive Query Group | Sub Rule | General Attack Activity | Attack |
V 2.0: SQL Issued By Unauthorized User Name | Sub Rule | General Attack Activity | Attack |
V 2.0: SQL Privileged Operation | Sub Rule | General Attack Activity | Attack |
V 2.0: SQL Unauthorized Sensitive Table | Sub Rule | General Attack Activity | Attack |
V 2.0: HTTP Abnormally Long Parameter | Sub Rule | General Protocol Information | Information |
V 2.0: SQL Failed Mid-Session Login | Sub Rule | General Attack Activity | Attack |
V 2.0: HTTP Double Url Encoding | Sub Rule | General Protocol Information | Information |
V 2.0: HTTP Illegal Byte Code Parameter Value | Sub Rule | Illegal Characters | Error |
V 2.0: Suspicious Pattern | Sub Rule | Suspicious Activity | Suspicious |
V 2.0: HTTP Null Char Parameter Value | Sub Rule | General Null Information | Information |
V 2.0: HTTP Post Missing Content Type | Sub Rule | General Protocol Information | Information |
V 2.0: Anti Scraping | Sub Rule | General Attack Activity | Attack |
V 2.0: HTTP Illegal Parameter Encoding | Sub Rule | General Protocol Information | Information |
V 2.0: HTTP Abnormally Long Url | Sub Rule | URL Information | Information |
V 2.0: SQL Unauthorized Host | Sub Rule | Unauthorized Host | Error |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
CEF header: Version | N/A | N/A | N/A |
CEF header: Device Vendor | N/A | N/A | Device Vendor |
CEF header: Device Product | N/A | N/A | Device Product |
CEF header: Device Version | <version> | Text/String/Number | Device Version |
CEF header: Device Event Class ID | <vmid> | Text/String | deviceEventClassId |
CEF header: Name | <subject> | Text/String | Name |
CEF header: Severity | <severity> | Text/String | Severity |
act | <action> | Text/String | The immediate action performed, either block |
description | <command> | Text/String | N/A |
operation | N/A | N/A | N/A |
dst | <dip> | IP Address | The destination IP address |
dpt | <dport> | Number | The destination port |
duser | <account><domainimpacted> | Text/String | The destination user. In web applications it refers to the application user logged into the application. In database applications it refers to the database user |
src | <sip> | IP Address | The source IP address |
spt | <sport> | Number | The source port |
proto | <protname> | Text/String | The protocol used |
rt | N/A | N/A | The alert time |
cat | <objecttype> | Text/String | The type of event |
cs1 | <policy> | Text/String | The violated policy's name |
cs1Label | N/A | N/A | Label for cs1 (Policy) |
cs2 | <group> | Text/String | The server group name |
cs2Label | N/A | N/A | Label for cs2 (ServerGroup) |
cs3 | <process> | Text/String | Alert description |
cs3Label | N/A | N/A | Label for cs3 (Service) |
cs4 | <object> | Text/String | Application name |
cs4Label | N/A | N/A | Label for cs4 (Application) |
cs5 | <result> | Text/String | Alert description |
cs5Label | N/A | N/A | Label for cs5 (Description) |
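The following Python script is an added example, not part of the vendor documentation and not LogRhythm's own parsing engine. It splits a SecureSphere CEF line into its seven header positions and its key=value extension, then applies the mapping table above: header positions 4 to 7 become <version>, <vmid>, <subject> and <severity>; the extension keys map to the schema fields in the table; keys the table marks N/A (rt, cs1Label to cs5Label) are dropped; and the Data Type column is enforced by converting dpt/spt to numbers and validating dst/src as IP addresses, recording anything that fails in a parse_errors list instead of silently accepting it. The sample log line, the version string and the DOMAIN\user split used to populate both <domainimpacted> and <account> from duser are assumptions made for the example.

```python
"""Parse an Imperva SecureSphere CEF syslog line and map it onto the
LogRhythm schema fields from the mapping table (added example, not
vendor or LogRhythm code)."""
import ipaddress
import re
from typing import Any, Dict, List, Optional

# Extension key -> LogRhythm schema field, as given in the mapping table.
EXTENSION_MAP: Dict[str, str] = {
    "act": "action", "description": "command", "dst": "dip", "dpt": "dport",
    "src": "sip", "spt": "sport", "proto": "protname", "cat": "objecttype",
    "cs1": "policy", "cs2": "group", "cs3": "process", "cs4": "object",
    "cs5": "result",
}
# Data Type column: these keys are Number / IP Address and get checked.
NUMBER_KEYS = {"dpt", "spt"}
IP_KEYS = {"dst", "src"}
# The seven CEF header positions; None means the table maps nothing there.
HEADER_MAP: List[Optional[str]] = [None, None, None, "version", "vmid", "subject", "severity"]


def _unescape(value: str) -> str:
    """Undo CEF escaping: a backslash before '|', '=' or '\\' is removed."""
    return re.sub(r"\\([\\|=])", r"\1", value)


def parse_cef(line: str) -> Dict[str, Any]:
    """Split a CEF line into its 7 header fields and its extension key/value pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    # Split only on unescaped pipes; the 8th part is the whole extension.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header has fewer than 7 fields")
    header = [_unescape(p) for p in parts[:7]]
    extension: Dict[str, str] = {}
    # A new key begins at whitespace followed by 'key='; values may contain spaces.
    for token in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[7].strip()):
        key, sep, value = token.partition("=")
        if sep:
            extension[key] = _unescape(value)
    return {"header": header, "extension": extension}


def to_logrhythm(line: str) -> Dict[str, Any]:
    """Apply the page's mapping table to one SecureSphere CEF event."""
    parsed = parse_cef(line)
    out: Dict[str, Any] = {}
    errors: List[str] = []
    for value, field in zip(parsed["header"], HEADER_MAP):
        if field:
            out[field] = value
    for key, value in parsed["extension"].items():
        if key in NUMBER_KEYS:
            if value.isdigit():
                out[EXTENSION_MAP[key]] = int(value)
            else:
                errors.append(f"{key}: expected a number, got {value!r}")
        elif key in IP_KEYS:
            try:
                out[EXTENSION_MAP[key]] = str(ipaddress.ip_address(value))
            except ValueError:
                errors.append(f"{key}: not an IP address: {value!r}")
        elif key == "duser":
            # Assumption (not stated on the page): <account><domainimpacted>
            # means a DOMAIN\user value is split across the two fields.
            domain, sep, user = value.partition("\\")
            if sep:
                out["domainimpacted"], out["account"] = domain, user
            else:
                out["account"] = value
        elif key in EXTENSION_MAP:
            out[EXTENSION_MAP[key]] = value
        # rt and the csNLabel keys are N/A in the table and are dropped.
    if errors:
        out["parse_errors"] = errors
    return out


# Constructed sample event (not captured from a real appliance); the version
# string is a placeholder. duser and cs5 exercise CEF escaping ('\\' and '\=').
SAMPLE = (
    r"CEF:0|Imperva|SecureSphere|0.0.0-placeholder|SQL Injection|SQL Injection|High|"
    r"act=Block dst=10.0.0.5 dpt=443 duser=APPDOMAIN\\jdoe src=192.0.2.10 spt=51234 "
    r"proto=TCP rt=01 Jan 2024 12:00:00 cat=Alert cs1=Web Application Policy cs1Label=Policy "
    r"cs2=WebServers cs2Label=ServerGroup cs3=Shop cs3Label=Service "
    r"cs4=Checkout cs4Label=Application cs5=Pattern a\=b matched cs5Label=Description"
)

if __name__ == "__main__":
    for field, value in to_logrhythm(SAMPLE).items():
        print(f"{field:>15}: {value}")
```

Run it as a script to see the mapped fields for the sample event; `to_logrhythm` raises on a line that is not CEF at all, but keeps an event whose dpt or dst is malformed and reports the problem in `parse_errors`, which is the behaviour you want from a SIEM parser so that a single bad field does not drop the alert.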