CEF Disruptive Application Logs
|
CEF Key
|
Description
|
Value
|
|
Header (logVer)
|
CEF format version
|
CEF: 0
|
|
Header (vendor)
|
Appliance vendor
|
Trend Micro
|
|
Header (pname)
|
Appliance product
|
Deep Discovery Director
|
|
Header (pver)
|
Appliance version
|
Example: 5.3.0.1212
|
|
Header (eventid)
|
Signature ID
|
100120
|
|
Header (eventName)
|
Description
|
Deep Discovery Inspector detected this protocol in your monitored
network.
|
|
Header (severity)
|
Severity
|
|
|
app
|
Protocol
|
Example: HTTP
|
|
c6a1
|
Interested IPv6
|
Example: 2001:0:0:1::21
|
|
c6a1Label
|
Interested IPv6
|
InterestedIPv6
|
|
c6a2
|
Source IPv6 address
|
Example: 2001:0:0:1::21
|
|
c6a2Label
|
Source IPv6 address
|
Source IPv6 Address
|
|
c6a3
|
Destination IPv6 address
|
Example: 2001:0:0:1::21
|
|
c6a3Label
|
Destination IPv6 address
|
Destination IPv6 Address
|
|
c6a4
|
Peer IPv6 address
|
Example: 2001:0:0:1::21
|
|
c6a4Label
|
Peer IPv6 address
|
PeerIPv6
|
|
cnt
|
Total count
|
PeerIPv6
|
|
cn3
|
Threat type
|
6
|
|
cn3Label
|
Threat type
|
Threat Type
|
|
destinationTranslatedAddress
|
Peer IP
|
Example: 10.1.144.199
|
|
deviceDirection
|
Packet direction
|
0, 1, or 2
|
|
deviceExternalId
|
Appliance GUID
|
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
|
|
devicePayloadId
|
An extendable field.
Format: {threat_type}:{log_id}:{with pcap file captured}{:extensions}*
|
Examples:
|
|
dhost
|
Destination host name
|
Example: dhost1
|
|
dmac
|
Destination MAC
|
Example: 00:0C:29:6E:CB:F9
|
|
dpt
|
Destination port
|
Value between 1 and 65535
|
|
dst
|
Destination IP address
|
Example: 10.1.144.199
|
|
dvc
|
Appliance IP address
|
Example: 10.1.144.199
|
|
dvchost
|
Appliance host name
|
Example: localhost
|
|
dvcmac
|
Appliance MAC address
|
Example: 00:0C:29:6E:CB:F9
|
|
flexNumber1
|
vLANId
|
Example: 4095
|
|
flexNumber1Label
|
vLANId
|
vLANId
|
|
rt
|
Log generation time
Format: Unix time stamp (number of milliseconds since Jan
01 1970 UTC)
|
Example: 1593761104000
|
|
shost
|
Source host name
|
Example: shost1
|
|
smac
|
Source MAC
|
Example: 00:0C:29:6E:CB:F9
|
|
sourceTranslatedAddress
|
Interested IP
|
Example: 10.1.144.199
|
|
spt
|
Source port
|
Value between 1 and 65535
|
|
src
|
Source IP address
|
Example: 10.1.144.199
|
Log sample:
May 15 16:00:47 localhost CEF:0|Trend Micro|Deep Discovery Dir ector|5.3.0.1212|100120|Deep Discovery Inspector detected the protocol in your monitored network.|2|dvc=172.22.9.32 dvcmac=0 0:50:56:AD:03:BD dvchost=localhost deviceExternalId=E9A3FA4339 16-4738984C-A4BF-84A0-D603 rt=1593761104000 app=eDonkey device Direction=1 dhost=10.1.100.223 dst=10.1.100.223 dpt=4662 dmac= 00:0c:29:a7:72:74 shost=10.1.117.231 src=10.1.117.231 spt=3993 3 smac=00:30:da:2d:47:32 cn3Label=Threat Type cn3=6 sourceTran slatedAddress=10.1.117.231 destinationTransla tedAddress=10.1. 100.223 cnt=1 flexNumber1Label=vLANId flexNum ber1=4095 device PayloadId=6:11:P