This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
IdanH
Participant
‎2020-10-15 01:26 AM

CEF Logs Format - Fields Meaning

Hello, I am trying to work with CEF logs that originate in an R80.20 system.

The logs I am using are in a CEF format. Two examples:

CEF:0|Check Point|SmartDefense|Check Point|IPS|SQL Servers MSSQL Vendor-specific SQL Injection|Very-High| eventId=882492844392 msg=Application Intelligence mrt=1599552618944 in=-2147483648 out=-2147483648 customerURI=XXXX catdt=Firewall severity=0 priority=8 deviceSeverity=Very-High rt=1599552617058 deviceDirection=0 shost=XXXX src=<src_ip_addr> sourceZoneURI=XXXX sourceGeoCountryCode=XXXX sourceGeoRegionCode=XXXX cs2=asm_dynamic_prop_SQL_FINGERPRINT_A cs3=IPS cs4=SQL Servers MSSQL Vendor-specific SQL Injection flexString2=SQL Servers MSSQL Vendor-specific SQL Injection flexNumber1=5 flexNumber2=3 locality=1 amac=<mac_addr> dvc=<dvc_ip_addr>

CEF:0|Check Point|SmartDefense|Check Point|IPS|PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation|High| eventId=882492941690 msg=Application Servers Protection Violation mrt=1599552634403 in=-2147483648 out=-2147483648 customerURI=XXXX catdt=Firewall severity=0 priority=7 deviceSeverity=High rt=1599552618699 deviceDirection=0 shost=XXX src=<src_ip_addr> sourceZoneURI=XXXX sourceGeoCountryCode=XXXX sourceGeoRegionCode=XXXX cs2=asm_dynamic_prop_SUPGLOB_REQUEST cs3=IPS cs4=PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation flexString2=PhpMyAdmin REQUEST Superglobal Remote Variable Manipulation - Detect over uploaded data flexNumber1=5 flexNumber2=3 locality=1 amac=<mac_addr> dvc=<dvc_ip_addr>

This log "alerts" for "SQL Servers MSSQL Vendor-specific SQL Injection". I can't seem to determine - does this alert means that an attack has already happened, or that the asset is vulnerable to such vulnerability?

If an attack has already happened, who is the source and who is the destination? what does the src and dvc columns stands for, and why there is no dst? Whos mac is the "amac"?

Thank you.

Labels
4 Replies
_Val_
Admin
Admin
‎2020-10-15 04:39 AM

The log means, the attack is detected. we do not scan for vulnerabilities.

IdanH
Participant
‎2020-10-15 04:46 AM
In response to _Val_

Thanks!
But still, I don't understand in which column can I see the IP of the attacker, and where to see the target...
src? dvc?

PhoneBoy
Admin
Admin
‎2020-10-17 10:45 PM
In response to IdanH

I presume one of the src/dst IP reflects the SQL server in question, the other would be where the attack came from.

0 Kudos
IdanH
Participant
‎2020-10-17 10:51 PM
In response to PhoneBoy

But you can see in the examples above, there is no dst column...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events