Views:

TMEF Disruptive Application Logs

TMEF Key
Description
Value 
Header (logVer)
TMEF format version
CEF: 0
Header (vendor)
Appliance vendor
Trend Micro
Header (pname)
Appliance product
Deep Discovery Inspector
Header (pver)
Appliance version
Example: 3.8.1181
Header (eventid)
Signature ID
100120
Header (eventName)
Event Name
DISRUPTIVE_APPLICATION_DETECTION
Header (severity)
Severity
  • 2: Informational
  • 4: Low
  • 6: Medium
  • 8: High
app
Protocol
Example: HTTP
appGroup
Protocol group
Example: HTTP
cnt
Total count
Example: 1
cn4
Threat type
6
cn4Label
Threat type
Deep Discovery_ThreatType
cn5
Aggregated count
Example: 1
cn5Label
Aggregated count
AggregatedCnt
cs4
Network Group assigned to a source host
Example: monitor1
cs4Label
Network Group assigned to a source host
Deep Discovery_SrcGroup
cs5
Source zone
  • 0: Not in monitored network
  • 1: In monitored network and trusted
  • 2: In monitored network and not trusted
cs5Label
Source zone
Deep Discovery_SrcZone
cs9
Network Group assigned to a destination host
Example: monitor1
cs9Label
Network Group assigned to a destination host
Deep Discovery_DstGroup
cs10
Destination zone
  • 0: Not in monitored network
  • 1: In monitored network and trusted
  • 2: In monitored network and not trusted
cs10Label
Destination zone
Deep Discovery_DstZone
deviceDirection
Packet direction
  • 0: Source is external
  • 1: Source is internal
  • 2: Unknown
deviceGUID
Appliance GUID
Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536
deviceMacAddress
Appliance MAC address
Example: 00:0C:29:6E:CB:F9
devicePayloadId
An extendable field.
Format: {threat_type}:{log_id}:{with pcap file captured}{:extensions}*
Examples:
  • With pcap file captured: 2:10245:P
  • Without pcap file captured: 2:10245:
dhost
Destination host name
Example: dhost1
dmac
Destination MAC
Example: 00:0C:29:6E:CB:F9
dOSName
Destination host OS
Example: Android
dpt
Destination port
Value between 0 and 65535
dst
Destination IP address
Example: 10.1.144.199
dvc
Appliance IP address
Example: 10.1.144.199
dvchost
Appliance host name
Example: localhost
externalId
Log ID
Example: 11
interestedIp
Interested IP
Example: 10.1.144.199
msg
Description
Example: Deep Discovery Inspector detected the protocol in your monitored network.
pComp
Detection engine/component
Example: VSAPI
peerIP
Peer IP
Example: 10.1.144.199
ptype
Application type
IDS
rt
Log generation time
Example: Mar 09 2015 17:05:21 GMT+08:00
shost
Source host name
Example: shost1
smac
Source MAC
Example: 00:0C:29:6E:CB:F9
sOSName
Source host OS
Example: Android
spt
Source port
Value between 0 and 65535
src
Source IP address
Example: 10.1.144.199
vLANId
VLANID
Value between 0 and 4095
Log sample:
CEF:0|Trend Micro|Deep Discovery Inspector|5.0.1329|
100120|
DISRUPTIVE_APPLICATION_DETECTION|2|dvc=172.22.9.32 
deviceMacAddress=00:50:56:AD:03:BD dvchost=localhost 
deviceGUID=E9A3FA433916-4738984C-A4BF-84A0-D603 
ptype=IDS rt=Jun 22 2017 10:06:24 GMT+08:00 appGroup=P2P 
app=eDonkey vLANId=4095 deviceDirection=1 
dhost=10.1.100.223 
dst=10.1.100.223 dpt=4662 dmac=00:0c:29:a7:72:74 
shost=10.1.117.231 src=10.1.117.231 spt=39933 
smac=00:30:da:2d:47:32 cn5Label=AggregatedCount 
cn5=1 msg=Deep Discovery Inspector detected the 
protocol in your monitored network. cn4Label=Deep 
Discovery_ThreatType cn4=6 cs4Label=Deep 
Discovery_SrcGroup 
cs4=Default cs5Label=Deep Discovery_SrcZone cs5=1 
cs9Label=Deep Discovery_DstGroup cs9=Default 
cs10Label=Deep 
Discovery_DstZone cs10=1 interestedIp=10.1.117.231 
peerIp=10.1.100.223 pComp=CAV cnt=1 externalId=11 
devicePayloadId=6:11: