MA: Sample Syslog Auditing File

Document created by RSA Information Design and Development on Jul 29, 2016
Version 1

This topic gives a field-by-field description of a sample entry from a syslog auditing file, using the entry below:

Feb 6 10:02:28 10.10.10.125 SpectrumServer125

CEF: 0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|Detected suspicious network event ID 857 session ID 73|2|

static=100.0 network=29.0 community=8.0 sandbox=N/R file.name=-CVE-00_DOC_2010-05-13_attachment.doc file.size=0 file.md5.hash=20a29259c0e5958afb2f50c4177bb307

com.netwitness.event.internal.id=73 com.netwitness.event.internal.uuid=37d2bad7-06bc-4b34-88e1-df43d9710204 alias.ip=10.25.50.149 client=Wget/1.11.4 Red Hat modified payload=108872 packets=136 country.dst=Private time=Fri Jan 27 10:09:25 EST 2012 threat.source=netwitness tcp.srcport=43580 action=get com.netwitness.event.internal.source=http://QASpectrum2:50104/sdk filetype=rtf alias.host=qa-fc12-149 eth.src=00:25:90:18:76:E2 ip.proto=6 tcp.flags=27 ip.src=10.25.50.61 tcp.dstport=80 threat.category=spectrum eth.dst=00:0C:29:F8:50:2D lifetime=0 alert.id=nw32535 sessionid=73 medium=1 size=117864 content=spectrum.consume11 extension=doc directory=/files/MALWAREMALWARE/OfficeDocs/DOC/ eth.type=2048 ip.dst=10.25.50.149 service=80 filename=-CVE-00_DOC_2010-05-13_attachment.doc server=Apache/2.2.13 (Fedora) streams=2 referer=http://qa-fc12-149/files/MALWAREMALW...fficeDocs/DOC/ risk.info=http client server version mismatch

First Line

Feb 6 10:02:28 10.10.10.125 SpectrumServer125

Log Information      Description
Feb 6 10:02:28       The timestamp for the entry.
10.10.10.125         The source IP address for the event.
SpectrumServer125    The source hostname for the event.

Audit Common Event Format (CEF) Header

0|NetWitness|Spectrum|1.2.1.130|Suspicious Event|Detected suspicious network event ID 857 session ID 73|2|

The audit CEF header is a pipe-separated listing of the following fields:

Log Information      Description
0                    The ArcSight Common Event Format (CEF) version used for the audit syslog.
NetWitness           The service that created the syslog message.
Spectrum             Security Analytics Malware Analysis is the logger for the event.
1.2.1.130            Security Analytics Malware Analysis version.
event ID 857         Unique network event ID for this event.
session ID 73        Security Analytics Core unique session ID for the session that included this event.
2                    Severity, an integer between 1 and 6 that indicates the severity level of the message:

  • 1 = INFORMATION_LEVEL
  • 2 = WARNING_LEVEL
  • 3 = ERROR_LEVEL
  • 4 = SUCCESS_LEVEL
  • 5 = FAILURE_LEVEL
  • 6 = AUDIT_FAILURE_LEVEL
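To make the header layout concrete, the following Python example (added here; it is not RSA's code and does not come from this page) parses the syslog prefix and the CEF header of the sample entry. It assumes the entry arrives as one line, as a syslog collector would receive it, and labels the seven pipe-separated header fields with the standard CEF names (CEF version, device vendor, device product, device version, signature ID, name, severity). The event ID and session ID are pulled out of the Name field with a regular expression written for the wording shown on this page; the severity table is the one listed above.

```python
import re

# The seven pipe-separated CEF header fields, in the order the CEF format fixes them.
CEF_HEADER_FIELDS = (
    "cef_version", "device_vendor", "device_product", "device_version",
    "signature_id", "name", "severity",
)

# Severity values as documented for the Malware Analysis audit syslog.
SEVERITY_LEVELS = {
    1: "INFORMATION_LEVEL", 2: "WARNING_LEVEL", 3: "ERROR_LEVEL",
    4: "SUCCESS_LEVEL", 5: "FAILURE_LEVEL", 6: "AUDIT_FAILURE_LEVEL",
}

# Syslog prefix as shown on the page: "<Mon D HH:MM:SS> <source ip> <hostname> CEF: ..."
SYSLOG_PREFIX_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<source_ip>\S+) (?P<hostname>\S+) CEF: ?(?P<cef>.*)$",
    re.DOTALL,
)

# A literal pipe inside a CEF header field is escaped as "\|", so split only on unescaped pipes.
UNESCAPED_PIPE_RE = re.compile(r"(?<!\\)\|")

# Constructed sample: the page's entry joined onto one line, with the start of its extension.
SAMPLE = (
    "Feb 6 10:02:28 10.10.10.125 SpectrumServer125 CEF: 0|NetWitness|Spectrum|1.2.1.130|"
    "Suspicious Event|Detected suspicious network event ID 857 session ID 73|2|"
    "static=100.0 network=29.0 community=8.0 sandbox=N/R"
)


def parse_audit_header(line):
    """Split one audit syslog line into syslog prefix, CEF header fields and raw extension."""
    m = SYSLOG_PREFIX_RE.match(line.strip())
    if not m:
        raise ValueError("not a Malware Analysis audit syslog line")
    # maxsplit=7 leaves everything after the seventh pipe (the extension) untouched.
    parts = UNESCAPED_PIPE_RE.split(m.group("cef"), maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    header = {name: parts[i].replace("\\|", "|") for i, name in enumerate(CEF_HEADER_FIELDS)}
    header["severity"] = int(header["severity"])
    header["severity_label"] = SEVERITY_LEVELS.get(header["severity"], "UNKNOWN")
    # Event and session IDs are embedded in the Name field in the wording this page shows.
    ids = re.search(r"event ID (\d+) session ID (\d+)", header["name"])
    header["event_id"] = int(ids.group(1)) if ids else None
    header["session_id"] = int(ids.group(2)) if ids else None
    return {
        "timestamp": m.group("timestamp"),
        "source_ip": m.group("source_ip"),
        "hostname": m.group("hostname"),
        "header": header,
        "extension": parts[7] if len(parts) > 7 else "",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_audit_header(SAMPLE), indent=2))
```

Splitting on unescaped pipes rather than on every pipe matters because the Name field is free text; a product name or signature containing a pipe would otherwise shift every later header field, including the severity, by one position.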

Audit CEF Extension

static=100.0 network=29.0 community=8.0 sandbox=N/R

file.name=-CVE-00_DOC_2010-05-13_attachment.doc  file.size=0 file.md5.hash=20a29259c0e5958afb2f50c4177bb307 com.netwitness.event.internal.id=73

com.netwitness.event.internal.uuid=37d2bad7-06bc-4b34-88e1-df43d9710204 alias.ip=10.25.50.149 client=Wget/1.11.4 Red Hat modified payload=108872 packets=136 country.dst=Private time=Fri Jan 27 10:09:25 EST 2012 threat.source=netwitness tcp.srcport=43580 action=get com.netwitness.event.internal.source=http://QASpectrum2:50104/sdk filetype=rtf alias.host=qa-fc12-149 eth.src=00:25:90:18:76:E2 ip.proto=6 tcp.flags=27 ip.src=10.25.50.61 tcp.dstport=80 threat.category=spectrum eth.dst=00:0C:29:F8:50:2D lifetime=0 alert.id=nw32535 sessionid=73 medium=1 size=117864 content=spectrum.consume11 extension=doc directory=/files/MALWAREMALWARE/OfficeDocs/DOC/ eth.type=2048 ip.dst=10.25.50.149 service=80 filename=-CVE-00_DOC_2010-05-13_attachment.doc server=Apache/2.2.13 (Fedora) streams=2 referer=http://qa-fc12-149/files/MALWAREMALW...fficeDocs/DOC/ risk.info=http client server version mismatch

Analysis Scores

The first entry in the audit CEF extension provides the four Security Analytics Malware Analysis analysis scores for the event: Static, Network, Community, and Sandbox.

Log Information      Sample Value
static               100.0
network              29.0
community            8.0
                     A score of 0.0 can be a genuine community score for the event, or it can indicate that no community services were enabled.
sandbox              N/R
                     N/R (not run) indicates that the GFI sandbox was not enabled.

File Information

The next three entries provide file information: file name, size, and hash.

Log Information      Sample Value
file.name            -CVE-00_DOC_2010-05-13_attachment.doc
file.size            0
file.md5.hash        20a29259c0e5958afb2f50c4177bb307

Event Meta Data Retrieved by NextGen

The record continues with the Security Analytics Core meta data for the event. The meta data in the message depends on the event. The amount of data in the message is truncated to the maximum length in bytes configured in the Syslog Settings. The default value is 1024.
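The extension is harder to parse than the header because values such as client, time, server and risk.info contain spaces, so a naive split on whitespace breaks them apart. The Python example below (added here; it is not RSA's code and does not come from this page) takes the extension string on its own, recognises a key as a token that directly precedes "=" and follows whitespace, treats everything up to the next key as the value, converts the four analysis scores (with N/R becoming None), and flags a message that fills the configured byte limit as possibly cut short. The sample string is the page's extension joined onto one line; the truncation check and the function names are this example's own assumptions.

```python
import re

# A key is letters, digits, dots or underscores directly before "=", preceded by whitespace or
# the start of the string. Values run until the next key, so embedded spaces survive.
KEY_RE = re.compile(r"(?<!\S)([A-Za-z][A-Za-z0-9_.]*)=")

# Default maximum syslog message length in bytes, per the Syslog Settings described above.
DEFAULT_MAX_BYTES = 1024

# Constructed sample: the page's extension joined onto one line.
SAMPLE_EXTENSION = (
    "static=100.0 network=29.0 community=8.0 sandbox=N/R "
    "file.name=-CVE-00_DOC_2010-05-13_attachment.doc file.size=0 "
    "file.md5.hash=20a29259c0e5958afb2f50c4177bb307 "
    "com.netwitness.event.internal.id=73 "
    "com.netwitness.event.internal.uuid=37d2bad7-06bc-4b34-88e1-df43d9710204 "
    "alias.ip=10.25.50.149 client=Wget/1.11.4 Red Hat modified payload=108872 packets=136 "
    "country.dst=Private time=Fri Jan 27 10:09:25 EST 2012 threat.source=netwitness "
    "tcp.srcport=43580 action=get "
    "com.netwitness.event.internal.source=http://QASpectrum2:50104/sdk filetype=rtf "
    "alias.host=qa-fc12-149 eth.src=00:25:90:18:76:E2 ip.proto=6 tcp.flags=27 "
    "ip.src=10.25.50.61 tcp.dstport=80 threat.category=spectrum eth.dst=00:0C:29:F8:50:2D "
    "lifetime=0 alert.id=nw32535 sessionid=73 medium=1 size=117864 "
    "content=spectrum.consume11 extension=doc directory=/files/MALWAREMALWARE/OfficeDocs/DOC/ "
    "eth.type=2048 ip.dst=10.25.50.149 service=80 "
    "filename=-CVE-00_DOC_2010-05-13_attachment.doc server=Apache/2.2.13 (Fedora) streams=2 "
    "referer=http://qa-fc12-149/files/MALWAREMALWARE/OfficeDocs/DOC/ "
    "risk.info=http client server version mismatch"
)


def _unescape(value):
    # CEF escapes "=" and "\" inside extension values with a backslash; undo that here.
    return re.sub(r"\\(.)", r"\1", value)


def parse_extension(extension):
    """Return the extension's key=value pairs as a dict, keeping values that contain spaces."""
    fields = {}
    keys = list(KEY_RE.finditer(extension))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        fields[m.group(1)] = _unescape(extension[m.end():end].strip())
    return fields


def analysis_scores(fields):
    """The four Malware Analysis scores as floats; N/R (sandbox not run) becomes None."""
    scores = {}
    for name in ("static", "network", "community", "sandbox"):
        raw = fields.get(name)
        scores[name] = None if raw in (None, "N/R") else float(raw)
    return scores


def may_be_truncated(message, max_bytes=DEFAULT_MAX_BYTES):
    """True when a raw message fills the configured limit, so its last pair may be cut short."""
    return len(message.encode("utf-8")) >= max_bytes


if __name__ == "__main__":
    fields = parse_extension(SAMPLE_EXTENSION)
    print(len(fields), "fields;", "scores:", analysis_scores(fields))
    print("client =", fields["client"])
```

Because the message is cut at a byte count rather than at a pair boundary, the final key=value pair of a message at the limit can be incomplete; the parser above does not fail on such input, it simply returns whatever prefix of the last value survived, and may_be_truncated lets a consumer decide whether to trust fields near the end of the record.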

Log Information                          Sample Value
com.netwitness.event.internal.id         73
com.netwitness.event.internal.uuid       37d2bad7-06bc-4b34-88e1-df43d9710204
alias.ip                                 10.25.50.149
client                                   Wget/1.11.4 Red Hat modified
payload                                  108872
packets                                  136
country.dst                              Private
time                                     Fri Jan 27 10:09:25 EST 2012
threat.source                            netwitness
tcp.srcport                              43580
action                                   get
com.netwitness.event.internal.source     http://QASpectrum2:50104/sdk
filetype                                 rtf
alias.host                               qa-fc12-149
eth.src                                  00:25:90:18:76:E2
ip.proto                                 6
tcp.flags                                27
ip.src                                   10.25.50.61
tcp.dstport                              80
threat.category                          spectrum
eth.dst                                  00:0C:29:F8:50:2D
lifetime                                 0
alert.id                                 nw32535
sessionid                                73
medium                                   1
size                                     117864
content                                  spectrum.consume11
extension                                doc
directory                                /files/MALWAREMALWARE/OfficeDocs/DOC/
eth.type                                 2048
ip.dst                                   10.25.50.149
service                                  80
filename                                 -CVE-00_DOC_2010-05-13_attachment.doc
server                                   Apache/2.2.13 (Fedora)
streams                                  2
referer                                  http://qa-fc12-149/files/MALWAREMALWARE/OfficeDocs/DOC/
risk.info                                http client server version mismatch