V 2.0 SCTP Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 SCTP Messages | Base Rule | General Network Traffic | Network Traffic |
V 2.0 Traffic Allowed By Network Firewall Messages | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Traffic Denied By Network Firewall | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Type (type) | <vmid> | Text/String | Specifies the type of log; value is SCTP. |
Source Address (src) | <sip> | IP Address | Original session source IP address |
Destination Address (dst) | <dip> | IP Address | Original session destination IP address |
Rule Name (rule) | <policy> | Text/String | Name of the Security policy rule in effect on the session. |
Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
Outbound Interface (outbound_if) | <dinterface> | Text/String | Interface that the session was destined to |
Session ID (sessionid) | <session> | Number | An internal numerical identifier applied to each session |
Source Port (sport) | <sport> | Number | Source port utilized by the session |
Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
Action (action) | <action> <tag1> | Text/String | Action taken for the session; possible values are: allow (session was allowed by the policy); deny (session was denied by the policy). |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged |
Severity (severity) | <severity> | Text/String | Severity associated with the event; values are informational, low, medium, high, critical. |
SCTP Event Type (sctp_event_type) | <subject> | Text/String | Defines the event triggered per SCTP chunk or packet when SCTP protection profile is applied to the SCTP traffic. It is also triggered by start or end of a SCTP association. |
SCTP Association End Reason (assoc_end_reason) | <reason> | Text/String | Reason an association was terminated. If the termination had multiple causes, the highest-priority reason is displayed. The possible session end reasons, in descending priority, are: shutdown-from-endpoint (highest): the endpoint sends out SHUTDOWN; abort-from-endpoint: the endpoint sends out ABORT; unknown (lowest): the association aged out, or the termination reason is not covered by one of the previous reasons (for example, a clear session all command). |
Packets Sent (pkts_sent) | <packetsout> | Number | Number of client-to-server packets for the session |
Packets Received (pkts_received) | <packetsin> | Number | Number of server-to-client packets for the session |