V 2.0 SCTP Messages

Vendor Documentation

Classification

Rule Name | Rule Type | Common Event | Classification
V 2.0 SCTP Messages | Base Rule | General Network Traffic | Network Traffic
V 2.0 Traffic Allowed By Network Firewall Messages | Sub Rule | Traffic Allowed by Network Firewall | Network Allow
V 2.0 Traffic Denied By Network Firewall | Sub Rule | Traffic Denied by Network Firewall | Network Deny

Mapping with LogRhythm Schema

Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description
Type (type) | <vmid> | Text/String | Specifies the type of log; the value is SCTP.
Source Address (src) | <sip> | IP Address | Original session source IP address.
Destination Address (dst) | <dip> | IP Address | Original session destination IP address.
Rule Name (rule) | <policy> | Text/String | Name of the Security policy rule in effect on the session.
Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from.
Outbound Interface (outbound_if) | <dinterface> | Text/String | Interface that the session was destined to.
Session ID (sessionid) | <session> | Number | An internal numerical identifier applied to each session.
Source Port (sport) | <sport> | Number | Source port used by the session.
Destination Port (dport) | <dport> | Number | Destination port used by the session.
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session.
Action (action) | <action>, <tag1> | Text/String | Action taken for the session; possible values are: allow (the session was allowed by the policy), deny (the session was denied by the policy).
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged.
Severity (severity) | <severity> | Text/String | Severity associated with the event; values are informational, low, medium, high, critical.
SCTP Event Type (sctp_event_type) | <subject> | Text/String | The event triggered per SCTP chunk or packet when an SCTP protection profile is applied to the SCTP traffic. It is also triggered by the start or end of an SCTP association.
SCTP Association End Reason (assoc_end_reason) | <reason> | Text/String | Reason an association was terminated. If the termination had multiple causes, the highest-priority reason is displayed. The possible end reasons, in descending priority, are: shutdown-from-endpoint (highest; the endpoint sent SHUTDOWN), abort-from-endpoint (the endpoint sent ABORT), unknown (lowest; the association aged out, or the termination reason is not covered by one of the previous reasons, for example a clear session all command).
Packets Sent (pkts_sent) | <packetsout> | Number | Number of client-to-server packets for the session.
Packets Received (pkts_received) | <packetsin> | Number | Number of server-to-client packets for the session.
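The following is an added example, not LogRhythm or Palo Alto Networks code, showing how the mapping table above is applied in practice: device keys are renamed to their LogRhythm schema fields, Number fields are converted, the action value selects the sub rule and classification from the Classification table, and the association end reason is chosen by the stated priority order. The page does not show the raw log line layout, so the two sample lines are constructed key=value records using the device keys from the table (the field values, interface names, and hostnames are made up for illustration); a real collector would parse the firewall's actual syslog format instead.

```python
# Added example: apply the SCTP device-key -> LogRhythm schema mapping.
# The key=value log line format below is an assumption for illustration;
# the page does not document the raw line layout.
import shlex

# Device key in log message -> LogRhythm schema field, from the mapping table.
DEVICE_TO_SCHEMA = {
    "type": "vmid", "src": "sip", "dst": "dip", "rule": "policy",
    "inbound_if": "sinterface", "outbound_if": "dinterface",
    "sessionid": "session", "sport": "sport", "dport": "dport",
    "proto": "protname", "action": "action", "device_name": "objectname",
    "severity": "severity", "sctp_event_type": "subject",
    "assoc_end_reason": "reason", "pkts_sent": "packetsout",
    "pkts_received": "packetsin",
}

# Schema fields whose data type is Number in the mapping table.
NUMERIC = {"session", "sport", "dport", "packetsout", "packetsin"}

# action value -> (rule name, common event, classification), from the Classification table.
ACTION_RULES = {
    "allow": ("V 2.0 Traffic Allowed By Network Firewall Messages",
              "Traffic Allowed by Network Firewall", "Network Allow"),
    "deny": ("V 2.0 Traffic Denied By Network Firewall",
             "Traffic Denied by Network Firewall", "Network Deny"),
}
BASE_RULE = ("V 2.0 SCTP Messages", "General Network Traffic", "Network Traffic")

# Association end reasons in descending priority, as listed in the table.
END_REASON_PRIORITY = ["shutdown-from-endpoint", "abort-from-endpoint", "unknown"]


def parse_kv_line(line):
    """Split a constructed key=value line; shlex keeps quoted values intact."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def map_to_schema(line):
    """Return the LogRhythm-schema view of one SCTP log line plus its rule match."""
    fields = parse_kv_line(line)
    if fields.get("type") != "SCTP":
        raise ValueError("not an SCTP log (type=%r)" % fields.get("type"))
    event = {}
    for dev_key, schema_key in DEVICE_TO_SCHEMA.items():
        if dev_key in fields:
            value = fields[dev_key]
            event[schema_key] = int(value) if schema_key in NUMERIC else value
    action = event.get("action")
    if action is not None:
        event["tag1"] = action          # action is mapped to both <action> and <tag1>
    # The allow/deny sub rules fire on the action value; anything else stays on the base rule.
    rule_name, common_event, classification = ACTION_RULES.get(action, BASE_RULE)
    event["rule_name"] = rule_name
    event["common_event"] = common_event
    event["classification"] = classification
    return event


def highest_priority_reason(reasons):
    """Pick the reason to display when an association ended for several causes."""
    for reason in END_REASON_PRIORITY:
        if reason in reasons:
            return reason
    return "unknown"


# Constructed sample lines (not real firewall output).
SAMPLE_ALLOW = ('type=SCTP src=10.0.0.5 dst=10.0.1.9 rule="sctp-core" '
                'inbound_if=ethernet1/1 outbound_if=ethernet1/2 sessionid=4711 '
                'sport=36412 dport=36412 proto=sctp action=allow '
                'device_name=fw-edge-01 severity=informational pkts_sent=12 pkts_received=9')
SAMPLE_DENY = ('type=SCTP src=192.0.2.44 dst=10.0.1.9 rule="deny-all" '
               'inbound_if=ethernet1/3 outbound_if=ethernet1/2 sessionid=4712 '
               'sport=50000 dport=36412 proto=sctp action=deny device_name=fw-edge-01 '
               'severity=medium assoc_end_reason=abort-from-endpoint pkts_sent=1 pkts_received=0')

if __name__ == "__main__":
    for sample in (SAMPLE_ALLOW, SAMPLE_DENY):
        ev = map_to_schema(sample)
        print(ev["objectname"], ev["sip"], "->", ev["dip"], ev["classification"])
    print(highest_priority_reason({"abort-from-endpoint", "shutdown-from-endpoint"}))
```

Lines whose type is not SCTP are rejected so that TRAFFIC or THREAT records from the same device are not mis-tagged; and a line whose action is neither allow nor deny falls through to the base rule rather than being silently dropped.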