
ATTACK AND THREAT LOG FORMAT

 

  1. The generic format of the log statements for a typical VSP-detected attack/threat is shown below:

     

    TIMESTAMP|Virsec Security Platform|Virsec|<RELEASE VERSION>|<MESSAGE SPECIFIC NUMBER>|<BRIEF EVENT DESCRIPTION>|<SEVERITY>|<EVENT ID>|<DETAILED INFORMATION>

     

  2. Only two parameters differ from the normal message format; every field is described below:

    1. TIMESTAMP - The syslog timestamp of the message (followed by the sending host in the samples below) together with the log format marker (CEF: 1). This timestamp carries no time zone and, in the samples below, does not match Incident_Timestamp (UTC) or eventTime; use those extension fields when correlating events

    2. Virsec Security Platform - (Constant) Product name

    3. Virsec - Constant

    4. <RELEASE VERSION> - Indicates the VSP release number. Example: 1.3.0

    5. <MESSAGE SPECIFIC NUMBER> - This number is unique to each type of event. More information about the specific codes is provided in VSP Events

    6. <BRIEF EVENT DESCRIPTION> - Provides a brief description of the event

    7. <SEVERITY> - The severity of the event:

      1. 10 - Attack

      2. 8 - Threat

      3. 5 - Notification

    8. <EVENT ID> - A unique ID generated by VSP CMS for each incident, carried in the message as EventId=<ID> (for example, EventId=VS-SQLI-070720-A00262)

      1. Each Event ID encodes the information shown in the figure below

        [Figure: breakdown of the Event ID fields; image not reproduced]

    9. <DETAILED INFORMATION> - Provides all the relevant information related to the event as key=value pairs. In the CEF format the keys are plain names (some contain spaces, e.g. Session token id); in the CEF - Fixed Key Definition format each value is carried in a csN field whose name is given by the matching csNLabel field


       
  3. A typical attack/threat log message is depicted below:

     
    1. CEF format

       

      Jul  7 02:46:23 10.16.6.4 CEF: 1|Virsec Security Platform|Virsec|1.3.0|2|SQLi|10|EventId=VS-SQLI-070720-A00262|Application_Name=Suneel-Tomcat7 Tomcat7 Server_Name=WIN-SUNEEL Incident_Level=ATTACK Incident_Category=WEB_ATTACK Incident_Type=SQLi Incident_Timestamp=07 Jul 2020 06:47:28 AM UTC Threat Level=ATTACK Malicious Input=[{"account_name": "smith' OR '1' = '1"}] Attacker=10.16.11.250:55998 Event Source Name=CVE SQL=SELECT * FROM user_data WHERE last_name = ?{1=smith' OR '1' = '1} Session token id=F5B0479E70CE19603A807CC15183EB1A UUID=50e5e82d-403e-4c HTTP Request=POST /webgoat/attack pid=2056 description=SQLi category=Web Attack eventTime=2020-07-07 06:46:32 tid=25

       

    2. CEF - Fixed Key Definition format

       

      Sep  8 03:36:06 10.16.6.4 CEF: 1|Virsec Security Platform|Virsec|1.4.0|2|SQLi|10|EventId=VS-SQLI-090820-A00004|cs1Label=Application_Name cs1=RHEL_webgoat_17 8 cs2Label=Server_Name cs2=rhelwebgoat_17 cs3Label=Incident_Level cs3=ATTACK cs4Label=Incident_Category cs4=WEB_ATTACK cs5Label=Incident_Type cs5=SQLi cs6Label=Incident_Timestamp cs6=08 Sep 2020 07:37:33 AM UTC cs7Label=Threat Level cs7=ATTACK cs8Label=Malicious Input cs8=[{"account_name": "-1' OR 2+825-825-1=0+0+0+1 or 'HOGhgtZF'='"} cs9Label=Attacker cs9=10.16.3.114:61530 cs10Label=Event Source Name cs10=CVE cs11Label=SQL cs11=SELECT * FROM user_data WHERE last_name = '-1' OR 2+825-825-1=0+0+0+1 or 'HOGhgtZF'='' cs12Label=Session token id cs12=C28A27CEE515223A7D98C6955C1A31EA cs13Label=UUID cs13=50ef87b7-97e2-4c cs14Label=HTTP Request cs14=POST /webgoat/attack cs15Label=pid cs15=31392 cs16Label=description cs16=SQLi cs17Label=category cs17=Web Attack cs18Label=eventTime cs18=2020-09-08T07:37:15.015-04:00 cs19Label=tid cs19=34
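The parser below is an added example, not part of this page or of Virsec's software, covering both the field description and the two sample lines above. It splits the pipe-delimited header, takes the Event ID from its own field, parses the free-form extension by anchoring on the documented key names (several keys contain spaces, so splitting on whitespace is ambiguous) and the Fixed Key Definition extension by pairing each csNLabel with its csN value, maps the numeric severity to Attack/Threat/Notification, and cross-checks the header severity against Incident_Level. The check that the six-digit date inside the Event ID matches Incident_Timestamp (mmddyy) is inferred from the two samples only, since the page's figure defining the Event ID layout is not reproduced; treat it as an assumption. The sample lines embedded in the code are the two from this page.

```python
"""Added example: parse Virsec VSP attack/threat CEF lines in both extension
styles and cross-check the header severity against the extension fields."""
import re
from dataclasses import dataclass, field
from datetime import datetime

SEVERITY_NAMES = {10: "ATTACK", 8: "THREAT", 5: "NOTIFICATION"}

# Keys of the free-form extension. Several contain spaces, so the extension cannot
# be split on whitespace; the parser anchors on these known names instead.
FREE_FORM_KEYS = [
    "Application_Name", "Server_Name", "Incident_Level", "Incident_Category",
    "Incident_Type", "Incident_Timestamp", "Threat Level", "Malicious Input",
    "Attacker", "Event Source Name", "SQL", "Session token id", "UUID",
    "HTTP Request", "pid", "description", "category", "eventTime", "tid",
]
_FREE_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(
    re.escape(k) for k in sorted(FREE_FORM_KEYS, key=len, reverse=True)) + r")=")
# Fixed Key Definition extension: csNLabel=<name> paired with csN=<value>.
_FIXED_KEY_RE = re.compile(r"(?:^|\s)(cs\d+Label|cs\d+)=")


@dataclass
class VspEvent:
    syslog_prefix: str    # "Jul  7 02:46:23 10.16.6.4": sender-local time, no zone
    cef_version: str      # "1" in the VSP samples
    product: str          # "Virsec Security Platform"
    vendor: str           # "Virsec"
    release: str          # e.g. "1.3.0"
    message_number: str   # per-event-type number, e.g. "2"
    name: str             # brief event description, e.g. "SQLi"
    severity: int         # 10 attack, 8 threat, 5 notification
    event_id: str         # e.g. "VS-SQLI-070720-A00262"
    fields: dict = field(default_factory=dict)

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES.get(self.severity, "UNKNOWN")


def _kv_pairs(extension: str, key_re: re.Pattern) -> dict:
    """Each value runs from its key's '=' to the start of the next recognised key,
    so values containing spaces, quotes or '=' (e.g. the SQL text) survive intact."""
    matches = list(key_re.finditer(extension))
    pairs = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(extension)
        pairs[m.group(1)] = extension[m.end():end].strip()
    return pairs


def _parse_extension(extension: str) -> dict:
    if not re.search(r"\bcs\d+Label=", extension):
        return _kv_pairs(extension, _FREE_KEY_RE)
    raw = _kv_pairs(extension, _FIXED_KEY_RE)
    # Resolve cs1Label=Application_Name cs1=<value> into {"Application_Name": <value>}
    return {label: raw.get(key[:-len("Label")], "")
            for key, label in raw.items() if key.endswith("Label")}


def parse_vsp_event(line: str) -> VspEvent:
    prefix, sep, body = line.partition("CEF:")
    if not sep:
        raise ValueError("no CEF header in line")
    parts = body.split("|", 8)  # 7 header fields, EventId=<id>, then the extension
    if len(parts) != 9:
        raise ValueError("expected 8 pipe-delimited fields before the extension")
    version, product, vendor, release, msg_no, name, severity, event_id = (p.strip() for p in parts[:8])
    event_id = event_id[len("EventId="):] if event_id.startswith("EventId=") else event_id
    return VspEvent(prefix.strip(), version, product, vendor, release, msg_no,
                    name, int(severity), event_id, _parse_extension(parts[8]))


def consistency_warnings(ev: VspEvent) -> list:
    """Flag lines whose header and extension disagree (parser bug, truncation, or a
    forged/replayed message). The mmddyy date compared against the Event ID is an
    inference from the two samples on the page, not a documented rule."""
    warnings = []
    level = ev.fields.get("Incident_Level")
    if level and level != ev.severity_name:
        warnings.append(f"severity {ev.severity} ({ev.severity_name}) != Incident_Level {level}")
    id_parts = ev.event_id.split("-")
    if len(id_parts) != 4 or id_parts[0] != "VS":
        warnings.append(f"unexpected EventId layout: {ev.event_id}")
    else:
        try:
            day = datetime.strptime(ev.fields.get("Incident_Timestamp", "")[:11], "%d %b %Y")
            if day.strftime("%m%d%y") != id_parts[2]:
                warnings.append(f"EventId date {id_parts[2]} != Incident_Timestamp {day:%m%d%y}")
        except ValueError:
            warnings.append("Incident_Timestamp missing or unparseable")
    return warnings


# The two sample lines from this page, embedded so the example runs offline.
ATTACK_LINE_FREE = (
    "Jul  7 02:46:23 10.16.6.4 CEF: 1|Virsec Security Platform|Virsec|1.3.0|2|SQLi|10|EventId=VS-SQLI-070720-A00262|"
    "Application_Name=Suneel-Tomcat7 Tomcat7 Server_Name=WIN-SUNEEL Incident_Level=ATTACK Incident_Category=WEB_ATTACK "
    "Incident_Type=SQLi Incident_Timestamp=07 Jul 2020 06:47:28 AM UTC Threat Level=ATTACK "
    "Malicious Input=[{\"account_name\": \"smith' OR '1' = '1\"}] Attacker=10.16.11.250:55998 Event Source Name=CVE "
    "SQL=SELECT * FROM user_data WHERE last_name = ?{1=smith' OR '1' = '1} "
    "Session token id=F5B0479E70CE19603A807CC15183EB1A UUID=50e5e82d-403e-4c HTTP Request=POST /webgoat/attack "
    "pid=2056 description=SQLi category=Web Attack eventTime=2020-07-07 06:46:32 tid=25"
)
ATTACK_LINE_FIXED = (
    "Sep  8 03:36:06 10.16.6.4 CEF: 1|Virsec Security Platform|Virsec|1.4.0|2|SQLi|10|EventId=VS-SQLI-090820-A00004|"
    "cs1Label=Application_Name cs1=RHEL_webgoat_17 8 cs2Label=Server_Name cs2=rhelwebgoat_17 "
    "cs3Label=Incident_Level cs3=ATTACK cs4Label=Incident_Category cs4=WEB_ATTACK cs5Label=Incident_Type cs5=SQLi "
    "cs6Label=Incident_Timestamp cs6=08 Sep 2020 07:37:33 AM UTC cs7Label=Threat Level cs7=ATTACK "
    "cs8Label=Malicious Input cs8=[{\"account_name\": \"-1' OR 2+825-825-1=0+0+0+1 or 'HOGhgtZF'='\"} "
    "cs9Label=Attacker cs9=10.16.3.114:61530 cs10Label=Event Source Name cs10=CVE "
    "cs11Label=SQL cs11=SELECT * FROM user_data WHERE last_name = '-1' OR 2+825-825-1=0+0+0+1 or 'HOGhgtZF'='' "
    "cs12Label=Session token id cs12=C28A27CEE515223A7D98C6955C1A31EA cs13Label=UUID cs13=50ef87b7-97e2-4c "
    "cs14Label=HTTP Request cs14=POST /webgoat/attack cs15Label=pid cs15=31392 cs16Label=description cs16=SQLi "
    "cs17Label=category cs17=Web Attack cs18Label=eventTime cs18=2020-09-08T07:37:15.015-04:00 cs19Label=tid cs19=34"
)
```

Both styles yield the same nineteen extension field names, so downstream detection logic (for example, routing by Incident_Category or extracting Attacker and Malicious Input) can be written once against `VspEvent.fields`. Anchoring on known key names means a new key introduced by a later VSP release would be absorbed into the preceding value rather than parsed on its own, so FREE_FORM_KEYS should be kept in step with the VSP Events reference.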

 
