V 2.0 Traffic Messages
Vendor Documentation
Classification
Rule Name | Rule Type | Common Event | Classification |
---|---|---|---|
V 2.0 Traffic Messages | Base Rule | General Network Traffic | Network Traffic |
V 2.0 Session Traffic Start Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Session Traffic Start Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Start Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Start Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic End Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Session Traffic End Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic End Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic End Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Drop Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Session Traffic Drop Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Drop | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Drop Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Deny Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
V 2.0 Session Traffic Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Deny Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
V 2.0 Session Traffic Deny Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
Mapping with LogRhythm Schema
Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
---|---|---|---|
Header: Severity | <severity> | Text/String | N/A |
Type (type) | <vmid> | Text/String | Specifies the type of log; the value is TRAFFIC |
Threat/Content Type (subtype) | <vendorinfo> <tag1> | Text/String | Subtype of traffic log; values are start, end, drop, and deny. Start: session started. End: session ended. Drop: the session was dropped before the application was identified and there is no rule that allows the session. Deny: the session was dropped after the application was identified, and there is a rule to block it or no rule that allows it. |
Source Address (src) | <sip> | IP Address | Original session source IP address |
Destination Address (dst) | <dip> | IP Address | Original session destination IP address |
NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address |
NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address |
Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched |
Source User (srcuser) | <domainorigin> <login> | Text/String | The username of the user who initiated the session |
Destination User (dstuser) | <domainimpacted> <account> | Text/String | The username of the user to which the session was destined |
Application (app) | <object> | Text/String | Application associated with the session |
Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
Outbound Interface (outbound_if) | <dinterface> | Text/String | The interface that the session was destined to |
Session ID (sessionid) | <session> | Number | An internal numerical identifier is applied to each session |
Source Port (sport) | <sport> | Number | Source port utilized by the session |
Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port |
NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port |
IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
Action (action) | <action> <tag2> | Text/String | Action taken for the session; possible values are: allow (the session was allowed by policy); deny (the session was denied by policy); drop (the session was dropped silently); drop ICMP (the session was silently dropped, with an ICMP unreachable message sent to the host or application); reset both (the session was terminated and a TCP reset was sent to both sides of the connection); reset client (the session was terminated and a TCP reset was sent to the client); reset server (the session was terminated and a TCP reset was sent to the server). |
Bytes Sent (bytes_sent) | <bytesin> | Number | Number of bytes in the client-to-server direction of the session |
Bytes Received (bytes_received) | <bytesout> | Number | Number of bytes in the server-to-client direction of the session |
Elapsed Time (elapsed) | <seconds> | Number | The elapsed time of the session |
Category (category) | <subject> | Text/String | URL category associated with the session (if applicable) |
Packets Sent (pkts_sent) | <packetsin> | Number | Number of client-to-server packets for the session |
Packets Received (pkts_received) | <packetsout> | Number | Number of server-to-client packets for the session |
Session End Reason (session_end_reason) | <reason> | Text/String | The reason a session was terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest): |
Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
Application Category (category_of_app)** | <objecttype> | Text/String | The application category is specified in the application configuration properties. Values are: business-systems, collaboration, general-internet, media, networking, saas |
Application Characteristic (characteristic_of_app)** | <result> | Text/String | Comma-separated list of applicable characteristics of the application |
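The two tables above can be exercised together: the following added example (not LogRhythm's or the vendor's own code) maps the device keys to the schema field names from the mapping table and derives the sub rule, common event and classification from subtype and action as laid out in the classification table. It assumes a key=value rendering of the TRAFFIC log (constructed for the example) and that the multi-word actions fold into Dropped/Reset by their first word.

```python
import re

# Device key -> LogRhythm schema field, taken from the mapping table.
# srcuser/dstuser also populate <domainorigin>/<domainimpacted>; the domain split is omitted here.
FIELD_MAP = {
    "type": "vmid", "subtype": "tag1", "src": "sip", "dst": "dip",
    "natsrc": "snatip", "natdst": "dnatip", "rule": "policy",
    "srcuser": "login", "dstuser": "account", "app": "object",
    "inbound_if": "sinterface", "outbound_if": "dinterface",
    "sessionid": "session", "sport": "sport", "dport": "dport",
    "natsport": "snatport", "natdport": "dnatport", "proto": "protname",
    "action": "tag2", "bytes_sent": "bytesin", "bytes_received": "bytesout",
    "elapsed": "seconds", "category": "subject", "pkts_sent": "packetsin",
    "pkts_received": "packetsout", "session_end_reason": "reason",
    "device_name": "objectname",
}
# Fields whose Data Type is Number in the mapping table.
NUMERIC = {"session", "sport", "dport", "snatport", "dnatport", "bytesin",
           "bytesout", "seconds", "packetsin", "packetsout"}
# Action word used in the sub-rule name. Assumption: "drop ICMP" and
# "reset both/client/server" fold into Dropped / Reset by their first word.
ACTION_WORD = {"allow": "Allowed", "deny": "Denied", "drop": "Dropped", "reset": "Reset"}

def parse_traffic_line(line):
    """Parse a key=value TRAFFIC line (constructed format) into schema fields."""
    fields = {}
    for key, raw in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        name = FIELD_MAP.get(key)
        if name is None:
            continue  # key not present in the mapping table
        value = raw.strip('"')
        fields[name] = int(value) if name in NUMERIC else value
    return fields

def classify(fields):
    """Return (sub rule, common event, classification) per the classification table."""
    subtype = fields["tag1"].lower()
    action = fields["tag2"].lower().split()[0]
    if (subtype, action) == ("drop", "drop"):
        name = "V 2.0 Session Traffic Drop"
    elif (subtype, action) == ("deny", "deny"):
        name = "V 2.0 Session Traffic Denied"
    else:
        name = f"V 2.0 Session Traffic {subtype.capitalize()} {ACTION_WORD[action]}"
    if action == "allow":
        return name, "Traffic Allowed by Network Firewall", "Network Allow"
    return name, "Traffic Denied by Network Firewall", "Network Deny"

# Constructed sample line (not a real device log).
SAMPLE = ('type=TRAFFIC subtype=end src=10.1.2.3 dst=203.0.113.10 sport=51000 '
          'dport=443 proto=tcp action="reset both" rule=block-c2 app=ssl '
          'session_end_reason=policy-deny bytes_sent=1200 bytes_received=0 device_name=fw-edge-1')

if __name__ == "__main__":
    parsed = parse_traffic_line(SAMPLE)
    print(parsed, classify(parsed))
```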