Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Participant

CEF Logs Format - Fields Meaning

Hello, I am trying to work with CEF logs that originate in an R80.20 system.

The logs I am using are in a CEF format. Two examples:

CEF:0|Check Point|SmartDefense|Check Point|IPS|SQL Servers MSSQL Vendor-specific SQL Injection|Very-High| eventId=882492844392 msg=Application Intelligence mrt=1599552618944 in=-2147483648 out=-2147483648 customerURI=XXXX catdt=Firewall severity=0 priority=8 deviceSeverity=Very-High rt=1599552617058 deviceDirection=0 shost=XXXX src=<src_ip_addr> sourceZoneURI=XXXX sourceGeoCountryCode=XXXX sourceGeoRegionCode=XXXX cs2=asm_dynamic_prop_SQL_FINGERPRINT_A cs3=IPS cs4=SQL Servers MSSQL Vendor-specific SQL Injection flexString2=SQL Servers MSSQL Vendor-specific SQL Injection flexNumber1=5 flexNumber2=3 locality=1 amac=<mac_addr> dvc=<dvc_ip_addr>

CEF:0|Check Point|SmartDefense|Check Point|IPS|PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation|High| eventId=882492941690 msg=Application Servers Protection Violation mrt=1599552634403 in=-2147483648 out=-2147483648 customerURI=XXXX catdt=Firewall severity=0 priority=7 deviceSeverity=High rt=1599552618699 deviceDirection=0 shost=XXX src=<src_ip_addr> sourceZoneURI=XXXX sourceGeoCountryCode=XXXX sourceGeoRegionCode=XXXX cs2=asm_dynamic_prop_SUPGLOB_REQUEST cs3=IPS cs4=PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation flexString2=PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation - Detect over uploaded data flexNumber1=5 flexNumber2=3 locality=1 amac=<mac_addr> dvc=<dvc_ip_addr>

This log "alerts" for "SQL Servers MSSQL Vendor-specific SQL Injection". I can't seem to determine - does this alert means that an attack has already happened, or that the asset is vulnerable to such vulnerability?

If an attack has already happened, who is the source and who is the destination? what does the src and dvc columns stands for, and why there is no dst? Whos mac is the "amac"?

Thank you.

Labels (1)
4 Replies
Admin
Admin

The log means, the attack is detected. we do not scan for vulnerabilities.

Participant

Thanks!
But still, I don't understand in which column can I see the IP of the attacker, and where to see the target...
src? dvc?

Admin
Admin

I presume one of the src/dst IP reflects the SQL server in question, the other would be where the attack came from.

0 Kudos
Reply
Participant

But you can see in the examples above, there is no dst column...