CEF Disruptive Application Logs
|
CEF Key
|
Description
|
Value
|
|
Header (logVer)
|
CEF format version
|
CEF: 0
|
|
Header (vendor)
|
Appliance vendor
|
Trend Micro
|
|
Header (pname)
|
Appliance product
|
Deep Discovery Inspector
|
|
Header (pver)
|
Appliance version
|
Example: 3.8.1181
|
|
Header (eventid)
|
Signature ID
|
100120
|
|
Header (eventName)
|
Description
|
Deep Discovery Inspector
detected this protocol in your monitored network.
|
|
Header (severity)
|
Severity
|
|
|
app
|
Protocol
|
Example: HTTP
|
|
c6a1
|
Interested IPv6
|
Example: 2001:0:0:1::21
|
|
c6a1Label
|
Interested IPv6
|
InterestedIPv6
|
|
c6a2
|
Source IPv6 address
|
Example: 2001:0:0:1::21
|
|
c6a2Label
|
Source IPv6 address
|
Source IPv6 Address |
|
c6a3
|
Destination IPv6 address
|
Example: 2001:0:0:1::21
|
|
c6a3Label
|
Destination IPv6 address
|
Destination IPv6 Address
|
|
c6a4
|
Peer IPv6 address
|
Example: 2001:0:0:1::21
|
|
c6a4Label
|
Peer IPv6 address
|
PeerIPv6
|
|
cnt
|
Total count
|
Example: 1
|
|
cn3
|
Threat type
|
6
|
|
cn3Label
|
Threat type
|
ThreatType
|
|
destinationTranslatedAddress
|
Peer IP
|
Example: 10.1.144.199
|
|
deviceDirection
|
Packet direction
|
|
|
deviceExternalId
|
Appliance GUID
|
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
|
|
devicePayloadId
|
An extendable field.
Format: {threat_type}:{log_id}:{with pcap file
captured}{:extensions}*
|
Examples:
|
|
dhost
|
Destination host name
|
Example: dhost1
|
|
dmac
|
Destination MAC
|
Example: 00:0C:29:6E:CB:F9
|
|
dpt
|
Destination port
|
Value between 0 and 65535
|
|
dst
|
Destination IP address
|
Example: 10.1.144.199
|
|
dvc
|
Appliance IP address
|
Example: 10.1.144.199
|
|
dvchost
|
Appliance host name
|
Example: localhost
|
|
dvcmac
|
Appliance MAC address
|
Example: 00:0C:29:6E:CB:F9
|
|
flexNumber1
|
vLANId
|
Example: 4095
|
|
flexNumber1Label
|
vLANId
|
vLANId
|
|
rt
|
Log generation time
|
Example: Mar 09 2015 17:05:21 GMT+08:00
|
|
shost
|
Source host name
|
Example: shost1
|
|
smac
|
Source MAC
|
Example: 00:0C:29:6E:CB:F9
|
|
sourceTranslatedAddress
|
Interested IP
|
Example: 10.1.144.199
|
|
spt
|
Source port
|
Value between 0 and 65535
|
|
src
|
Source IP address
|
Example: 10.1.144.199
|
Log Sample:
CEF:0|Trend Micro|Deep Discovery Inspector|5.0.1329| 100120|Deep Discovery Inspector detected the protocol in your monitored network.|2|dvc=172.22.9.32 dvcmac= 00:50:56:AD:03:BD dvchost=localhost deviceExternalId=E9A3FA433916- 4738984C-A4BF-84A0-D603 rt=Jun 22 2017 10:06:24 GMT+08:00 app=eDonkey deviceDirection=1 dhost=10.1.100.223 dst=10.1.100.223 dpt=4662 dmac=00:0c:29:a7:72:74 shost=10.1.117.231 src=10.1.117.231 spt=39933 smac=00:30:da:2d:47:32 cn3Label=Threat Type cn3=6 sourceTranslatedAddress= 10.1.117.231 destinationTranslatedAddress=10.1.100.223 cnt=1 flexNumber1Label=vLANId flexNumber1=4095 devicePayloadId=6:11:P