TMEF Retro Scan Detection Logs
| TMEF Key | Description | Value |
| --- | --- | --- |
| Header (logVer) | TMEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product | Deep Discovery Inspector |
| Header (pver) | Appliance version | Example: 3.8.1181 |
| Header (eventid) | Signature ID | 100134 |
| Header (eventName) | Event Name | RETROSCAN_DETECTION |
| Header (severity) | Severity | 8 |
| callback_address | Callback address | Example: http://1.2.3.4/ |
| callback_time | Callback time | Example: Mar 09 2015 17:05:21 GMT+08:00 |
| category | Category | Example: Reference |
| cnc_host | C&C host address | Example: 10.1.144.199 |
| compromised_client | Compromised client address | Example: 10.1.144.199 |
| deviceGUID | Appliance GUID | Example: 6B593E17AFB7-40FBBB28-A4CE-0462-A536 |
| protocol | Protocol | Example: HTTP |
| rating | Rating | Example: Suspicious |
| related_attacker_group | Related attacker group | Example: Elise\|Taidoor |
| related_malware | Related malware | Example: fosniw\|ge\|palevo |
| report_id | Report ID | Example: 74c15fe0-90c9-446b-abc4-379d6d7213e7 |
| scan_category | Scan category | Example: C&C Server |
| scan_rating | Scan rating | Example: Dangerous |
| scan_ts | Scan time | Example: Mar 09 2015 17:05:21 GMT+08:00 |
Log sample:
CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1200|100134|RETROSCAN_DETECTION|8|guid=906A61690458-4099A441-898C-BDD2-C7C1 report_id=0938508b-ec47-47a1-80ea-cd8e3b747822 scan_ts=Mar 29 2015 03:14:31 GMT+02:00 callback_time=Mar 29 2015 03:04:31 GMT+02:00 callback_address=http://app2.winsoft98.com/app.asp?prj\=4&pid\=haha1&logdata\=MacTryCnt:0&code\=&ver\=1.0.0.45&appcheck\=1 compromised_client=59.125.99.235 cnc_host=app2.winsoft98.com protocol=HTTP rating=Suspicious category=Reference scan_rating=Dangerous scan_category=C&C Server related_malware=fosniw|ge|mactrycnt|palevo related_attacker_group=Elise|Taidoor
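The sample line shows the three things a parser for this format has to get right: the seven-field CEF header split on unescaped pipes, extension values that contain spaces (scan_category=C&C Server) or escaped equals signs (the callback_address query string), and list-valued fields (related_malware, related_attacker_group) that use an unescaped pipe as their separator. The following is an added example, not Trend Micro code: it parses the sample above into a record, accepts the guid= key the sample emits as well as the deviceGUID key the table lists, and runs a simple triage check that acts on the retro scan verdict (scan_rating/scan_category) rather than the rating recorded at callback time. The function names, the CEF escape handling (backslash before a pipe in the header, before an equals sign or a backslash in the extension) and the ten-minute lag computed between callback_time and scan_ts are this example's own.

```python
"""Parser and triage check for TMEF RETROSCAN_DETECTION lines (added example)."""
import re
from datetime import datetime

HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
LIST_FIELDS = ("related_malware", "related_attacker_group")   # '|'-separated values
TS_FORMAT = "%b %d %Y %H:%M:%S GMT%z"                          # "Mar 29 2015 03:14:31 GMT+02:00"
# An extension key starts the line or follows whitespace and ends at an unescaped '='.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Constructed from the page's log sample with the line-wrap spaces removed.
SAMPLE = (
    "CEF:0|Trend Micro|Deep Discovery Inspector|3.8.1200|100134|RETROSCAN_DETECTION|8|"
    "guid=906A61690458-4099A441-898C-BDD2-C7C1 "
    "report_id=0938508b-ec47-47a1-80ea-cd8e3b747822 "
    "scan_ts=Mar 29 2015 03:14:31 GMT+02:00 "
    "callback_time=Mar 29 2015 03:04:31 GMT+02:00 "
    "callback_address=http://app2.winsoft98.com/app.asp?prj\\=4&pid\\=haha1"
    "&logdata\\=MacTryCnt:0&code\\=&ver\\=1.0.0.45&appcheck\\=1 "
    "compromised_client=59.125.99.235 cnc_host=app2.winsoft98.com protocol=HTTP "
    "rating=Suspicious category=Reference scan_rating=Dangerous scan_category=C&C Server "
    "related_malware=fosniw|ge|mactrycnt|palevo related_attacker_group=Elise|Taidoor"
)


def _split_header(line):
    """Split the seven CEF header fields on unescaped '|'; return (fields, extension)."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):      # '\|' is a literal pipe inside a field
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7:
        raise ValueError("malformed CEF header")
    return fields, line[i:]


def _unescape(value):
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', plus \\n and \\r."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _parse_extension(ext):
    """Cut the extension at each ' key=' boundary; values may contain spaces."""
    out = {}
    keys = list(KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].strip())
    return out


def parse_tmef(line):
    """Parse one TMEF line into a dict keyed by the names in the table above."""
    fields, ext = _split_header(line)
    if not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF/TMEF line")
    rec = dict(zip(HEADER_FIELDS, fields))
    rec["logVer"] = fields[0][len("CEF:"):]
    rec["severity"] = int(rec["severity"])
    rec.update(_parse_extension(ext))
    # The key table lists deviceGUID but the sample line emits guid=; accept both (assumption).
    if "deviceGUID" not in rec and "guid" in rec:
        rec["deviceGUID"] = rec.pop("guid")
    for key in LIST_FIELDS:
        if key in rec:
            rec[key] = rec[key].split("|")
    for key in ("scan_ts", "callback_time"):
        if key in rec:
            rec[key] = datetime.strptime(rec[key], TS_FORMAT)
    return rec


def retro_lag_seconds(rec):
    """Seconds the callback went unflagged before the retro scan caught it."""
    return (rec["scan_ts"] - rec["callback_time"]).total_seconds()


def is_confirmed_cnc(rec):
    """Triage rule (this example's own): retro scan rated the host a Dangerous C&C Server."""
    return rec.get("scan_category") == "C&C Server" and rec.get("scan_rating") == "Dangerous"


if __name__ == "__main__":
    rec = parse_tmef(SAMPLE)
    print(rec["eventName"], rec["compromised_client"], "->", rec["cnc_host"])
    print("callback URL:", rec["callback_address"])
    print("unflagged for %d s; confirmed C&C: %s" % (retro_lag_seconds(rec), is_confirmed_cnc(rec)))
```

The key regex requires whitespace before a key, which is what keeps the `prj\=4&pid\=haha1` part of the URL from being misread as new fields; a parser that simply splits the extension on spaces and then on `=` breaks on both that URL and on `scan_category=C&C Server`.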