Hello, I am trying to work with CEF logs that originate in an R80.20 system.
The logs I am using are in a CEF format. Two examples:
CEF:0|Check Point|SmartDefense|Check Point|IPS|SQL Servers MSSQL Vendor-specific SQL Injection|Very-High| eventId=882492844392 msg=Application Intelligence mrt=1599552618944 in=-2147483648 out=-2147483648 customerURI=XXXX catdt=Firewall severity=0 priority=8 deviceSeverity=Very-High rt=1599552617058 deviceDirection=0 shost=XXXX src=<src_ip_addr> sourceZoneURI=XXXX sourceGeoCountryCode=XXXX sourceGeoRegionCode=XXXX cs2=asm_dynamic_prop_SQL_FINGERPRINT_A cs3=IPS cs4=SQL Servers MSSQL Vendor-specific SQL Injection flexString2=SQL Servers MSSQL Vendor-specific SQL Injection flexNumber1=5 flexNumber2=3 locality=1 amac=<mac_addr> dvc=<dvc_ip_addr>
CEF:0|Check Point|SmartDefense|Check Point|IPS|PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation|High| eventId=882492941690 msg=Application Servers Protection Violation mrt=1599552634403 in=-2147483648 out=-2147483648 customerURI=XXXX catdt=Firewall severity=0 priority=7 deviceSeverity=High rt=1599552618699 deviceDirection=0 shost=XXX src=<src_ip_addr> sourceZoneURI=XXXX sourceGeoCountryCode=XXXX sourceGeoRegionCode=XXXX cs2=asm_dynamic_prop_SUPGLOB_REQUEST cs3=IPS cs4=PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation flexString2=PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation - Detect over uploaded data flexNumber1=5 flexNumber2=3 locality=1 amac=<mac_addr> dvc=<dvc_ip_addr>
This log "alerts" for "SQL Servers MSSQL Vendor-specific SQL Injection". I can't seem to determine: does this alert mean that an attack has already happened, or that the asset is vulnerable to such a vulnerability?
If an attack has already happened, who is the source and who is the destination? What do the src and dvc columns stand for, and why is there no dst? Whose MAC is the "amac"?
Thank you.
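As an added example (not code from the post, nor Check Point's own tooling), a small parser for the two CEF lines quoted above: it splits the pipe-delimited header only on unescaped pipes, walks the extension by " key=" boundaries so multi-word values such as msg= and cs4= stay whole, and then pulls out the standard CEF address keys src (source address) and dvc (address of the reporting device), returning None for dst since the exporter did not send it. The summarize() helper and its field labels are this example's own choice, not part of the CEF dictionary.

```python
import re

# CEF header: "CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension".
# A literal pipe inside a header field is escaped as "\|", so split only on unescaped pipes.
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension keys are alphanumeric/underscore; a value runs until the next " key=" token,
# which is how whitespace-containing values like "msg=Application Intelligence" survive.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
_HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                  "signature_id", "name", "severity")

def parse_cef(line):
    """Parse one CEF line into header fields plus an 'extension' dict of key/value pairs."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line[4:], maxsplit=7)
    if len(parts) < 8:
        raise ValueError("CEF header must have seven pipe-delimited fields")
    record = {k: v.replace("\\|", "|") for k, v in zip(_HEADER_FIELDS, parts[:7])}
    ext = parts[7].strip()
    keys = list(_EXT_KEY.finditer(ext))
    extension = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    record["extension"] = extension
    return record

def summarize(record):
    """Fields a triager reads first; a key the exporter did not send comes back as None."""
    ext = record["extension"]
    return {
        "protection": record["name"],
        "severity": record["severity"],
        "source": ext.get("src"),
        "destination": ext.get("dst"),          # absent in the lines quoted in the post
        "reporting_device": ext.get("dvc"),
        "mac": ext.get("amac"),
        "event_time_ms": int(ext["rt"]) if "rt" in ext else None,
    }

# The two lines quoted in the post (placeholders kept exactly as written there).
SAMPLE_LINES = [
    "CEF:0|Check Point|SmartDefense|Check Point|IPS|SQL Servers MSSQL Vendor-specific SQL Injection|Very-High| eventId=882492844392 msg=Application Intelligence mrt=1599552618944 in=-2147483648 out=-2147483648 customerURI=XXXX catdt=Firewall severity=0 priority=8 deviceSeverity=Very-High rt=1599552617058 deviceDirection=0 shost=XXXX src=<src_ip_addr> sourceZoneURI=XXXX sourceGeoCountryCode=XXXX sourceGeoRegionCode=XXXX cs2=asm_dynamic_prop_SQL_FINGERPRINT_A cs3=IPS cs4=SQL Servers MSSQL Vendor-specific SQL Injection flexString2=SQL Servers MSSQL Vendor-specific SQL Injection flexNumber1=5 flexNumber2=3 locality=1 amac=<mac_addr> dvc=<dvc_ip_addr>",
    "CEF:0|Check Point|SmartDefense|Check Point|IPS|PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation|High| eventId=882492941690 msg=Application Servers Protection Violation mrt=1599552634403 in=-2147483648 out=-2147483648 customerURI=XXXX catdt=Firewall severity=0 priority=7 deviceSeverity=High rt=1599552618699 deviceDirection=0 shost=XXX src=<src_ip_addr> sourceZoneURI=XXXX sourceGeoCountryCode=XXXX sourceGeoRegionCode=XXXX cs2=asm_dynamic_prop_SUPGLOB_REQUEST cs3=IPS cs4=PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation flexString2=PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation - Detect over uploaded data flexNumber1=5 flexNumber2=3 locality=1 amac=<mac_addr> dvc=<dvc_ip_addr>",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(summarize(parse_cef(line)))
```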