
CVE [7.2]

CVE ID (for example, CVE-1999-0003) from vulnerability scan data.

This field is not available in LogRhythm versions earlier than 7.2.1.

Data Type

String (64 characters maximum)

Aliases

UseAlias

Client Console Full Name

Not applicable

Client Console Short Name

Not applicable

Web Console Tab/Name

Classification/CVE

Elasticsearch Field Name

cve

Rule Builder Column Name

CVE

Regex Pattern

<cve>

NetMon Name

Not applicable

Field Relationships

  • Object (prior parsing for CVE)
  • VMID (prior parsing for CVE)
  • Threat Name
  • VMID

Common Applications

  • Vulnerability scanners
  • F5
  • Qualys
  • IDS (Bro, Snort)
  • NGFW (Palo Alto, Check Point)

Use Case

  • Cross-referencing threat feeds.
  • Finding the entry point for an attack.
  • Locating what is vulnerable to a CVE and what the impact is if it is exposed.

MPE/Data Masking Manipulations

Not applicable.

Usage Standards

  • Use the most common format standard, CVE-YYYY-#######.
  • A malformed CVE can be represented as CVE-MAP-NOMATCH. Parse that as a valid CVE because that is what the log message says.

Examples

  • Symantec Endpoint Protection

05 23 2014 20:21:58 1.1.1.1 <LPTR:CRIT> May 23 20:07:35 SymantecServer USABLDRRECFLOW01: USABLDRRECFLOW01,[SID: 27517] Attack: OpenSSL Heartbleed CVE-2014-0160 3 attack blocked. Traffic has been blocked for this application: SYSTEM,Local: 1.1.1.1,Local: 000000000000,Remote: ,Remote: 1.1.1.1,Remote: 000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2014-05-23 19:48:52,End: 2014-05-23 19:48:52,Occurrences: 1,Application: SYSTEM,Location: Coprorate Network,User: pete.store,Domain: safaware,Local Port 443,Remote Port 52901,CIDS Signature ID: 27517,CIDS Signature string: Attack: OpenSSL Heartbleed CVE-2014-0160 3,CIDS Signature SubID: 73036,Intrusion URL: ,Intrusion Payload URL:

CVE-2014-0160 is parsed into the CVE field.

  • Cb Response

05 18 2016 09:51:39 1.1.1.1 <USER:NOTE> LEEF:1.0|CB|CB|511|feed.storage.hit.binary|alliance_data_nvd=["10473","10472","10475","10470","10435"]       alliance_link_nvd=http://web.nvd.nist.gov/view/vuln/detail?vulnId\=CVE-2013-3353       alliance_score_nvd=100     alliance_updated_nvd=2015-08-03T23:55:33.000Z       cb_server=cbserver  cb_version=511      company_name=Adobe Systems Incorporated       computer_name= USABLDRRECFLOW01  copied_mod_len=7790179     digsig_result=Unsigned       digsig_result_code=2148204800    endpoint=[" USABLDRRECFLOW01|26"," USABLDRRECFLOW01|13"," USABLDRRECFLOW01|39"," USABLDRRECFLOW01|35"," USABLDRRECFLOW01|14"]       feed_id=13   feed_name=nvd file_desc=Adobe Acrobat Annot Plug-In       file_version=1.1.1.1       group=RecordFlow HQ host_count=5 hostname= USABLDRRECFLOW01    ioc_attr={}  ioc_type=md5 ioc_value=4c6b53d9f75cb772e43f65960f905919       is_64bit=false      is_executable_image=false  last_seen=2016-05-18T00:01:11.682Z       legal_copyright=Copyright 1984-2012 Adobe Systems Incorporated and its licensors. All rights reserved.    md5=59E0D058686BD35B0D5C02A4FD8BD0E0    observed_filename=["c:\\program files (x86)\\adobe\\reader 11.0\\reader\\plug_ins\\annots.api"]    orig_mod_len=7790179       original_filename=Annot.api       os_type=Windows     product_name=Adobe Acrobat Annot  product_version=1.1.1.1    report_id=10435     report_score=100    sensor_id=14       server_added_timestamp=2016-05-17T15:26:48.469Z       server_name=localhost.localdomain timestamp=1463589930.842       type=feed.storage.hit.binary     watchlist_4=2016-05-17T15:30:03.182Z

The CVE is parsed into the CVE field from the URL (may not be sustainable). Not predictable enough to parse.

  • ForcePoint

10 28 2016 15:22:15 1.1.1.1 <KERN:INFO> CEF:0|FORCEPOINT|Alert|unknown|278069|HTTP_SHS-Microsoft-Windows-MHTML-Information-Disclosure-CVE-2011-0096-3|7|spt=3811 destinationServiceName=HTTP deviceExternalId=Davestown node 2 dst=1.1.1.1 requestMethod=POST cat=Potential Compromise requestURL=Host2 app=tcp_service_5080 rt=Oct 28 2016 15:22:14 deviceFacility=Inspection destinationTranslatedPort=5080 sourceTranslatedPort=3811 destinationTranslatedAddress=1.1.1.1 sourceTranslatedAddress=1.1.1.1 act=Permit deviceOutboundInterface=2 proto=6 dpt=5080 src=1.1.1.1 dvc=1.1.1.1 dvchost=1.1.1.1 cs1Label=RuleId cs1=1073.1

The CVE appears inline within the CEF vendor info. The full header could be parsed as VMID or VendorInfo.

  • McAfee Network Security Manager

03 27 2014 08:29:30 1.1.1.1 <SAU1:WARN> Mar 27 08:29:35 SyslogAlertForwarder: 2014-03-27 08:29:32 EDT!N/A!N/A!22222222222!0x4510fa00!Signature!Medium!Medium!Unknown!Exploit!code-execution!Inbound!Inconclusive!1.1.1.1!1.1.1.1!80!24683!http!tcp!BBQ!BBQ!Proxy Traffic (8A-8B)!signature!CVE-2013-3861!Not Forwarded!Unknown!No error!Unknown!HTTP: JSON Parsing Vulnerability

The CVE appears within exclamation-mark delimiters.
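The Usage Standards above and the four vendor examples together describe one extraction rule: match the CVE-YYYY-####### form (or the CVE-MAP-NOMATCH placeholder) wherever it sits in the message, whether delimited by spaces, exclamation marks, CEF pipes or a URL parameter, and store it in a String field of at most 64 characters. The following Python script is an added example and is not LogRhythm's MPE rule syntax or product code; the regular expression, the function names and the shortened sample lines (constructed from the samples on this page) are the example's own assumptions.

```python
import re
from typing import Dict, List, Optional

# Standard form CVE-YYYY-NNNN (the sequence part is 4 to 7 digits), plus the
# CVE-MAP-NOMATCH placeholder that this page says should be parsed as a valid CVE.
# Word boundaries stop "CVE-2011-0096-3" from swallowing the trailing "-3" and
# keep "CVE-2014-0160 3" from picking up the following token.
CVE_RE = re.compile(r"\bCVE-(?:\d{4}-\d{4,7}|MAP-NOMATCH)\b", re.IGNORECASE)

MAX_LEN = 64  # the CVE field is a String of at most 64 characters


def extract_cves(line: str) -> List[str]:
    """Return every CVE ID in a log line, upper-cased, in order of appearance, without duplicates."""
    found: List[str] = []
    for match in CVE_RE.finditer(line):
        value = match.group(0).upper()
        if value not in found:
            found.append(value)
    return found


def cve_field(line: str) -> Optional[str]:
    """Value to store in the CVE metadata field: the first CVE in the line, or None.

    Truncation to MAX_LEN is defensive; a well-formed ID is far shorter than 64 characters.
    """
    found = extract_cves(line)
    return found[0][:MAX_LEN] if found else None


# Constructed, shortened versions of the vendor samples shown on this page.
SAMPLE_LINES: Dict[str, str] = {
    "symantec": "SymantecServer HOST01: HOST01,[SID: 27517] Attack: OpenSSL Heartbleed "
                "CVE-2014-0160 3 attack blocked. CIDS Signature string: Attack: OpenSSL "
                "Heartbleed CVE-2014-0160 3,CIDS Signature SubID: 73036",
    "cb_response": "LEEF:1.0|CB|CB|511|feed.storage.hit.binary|alliance_link_nvd="
                   "http://web.nvd.nist.gov/view/vuln/detail?vulnId\\=CVE-2013-3353 "
                   "alliance_score_nvd=100 feed_name=nvd",
    "forcepoint": "CEF:0|FORCEPOINT|Alert|unknown|278069|HTTP_SHS-Microsoft-Windows-MHTML-"
                  "Information-Disclosure-CVE-2011-0096-3|7|spt=3811 act=Permit",
    "mcafee": "SyslogAlertForwarder: 2014-03-27 08:29:32 EDT!N/A!Signature!Medium!Exploit!"
              "code-execution!Inbound!http!tcp!signature!CVE-2013-3861!Not Forwarded",
    "nomatch": "scanner: finding mapped to cve-map-nomatch for host 10.0.0.5",  # constructed
    "no_cve": "scanner: host 10.0.0.5 scan complete, 0 findings",  # constructed
}


def parse_samples() -> Dict[str, Optional[str]]:
    """Run the extractor over every sample line and return the CVE field value per vendor."""
    return {name: cve_field(line) for name, line in SAMPLE_LINES.items()}


if __name__ == "__main__":
    for name, value in parse_samples().items():
        print(f"{name:12s} -> {value}")
```

The same pattern, used as the MPE regex for the `<cve>` tag, extracts the ID regardless of the surrounding delimiter, which is why the Symantec, ForcePoint and McAfee messages need no per-vendor special casing; the Cb Response URL case works here too, but the page notes that relying on it is not considered sustainable.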
