Clavister Next-Gen Firewall
Overview
Clavister Next-Gen Firewall offers advanced network protection with integrated features like intrusion prevention, application control, and content filtering, designed to safeguard enterprises from diverse cybersecurity threats.
- Vendor: Clavister
- Supported environment: On Premise
- Version compatibility: Clavister cOS Core 15.10.05 (Latest version as of now)
- Detection based on: Telemetry
- Supported application or feature: Network management and operation
- Supported events:
- network:
- ALG
- ARP
- CONN
- DNSCACHE
- DYNROUTING
- IP_PROTO
- IPREPUTATION
- OSPF
- SNMP
- SSL
- TCP_FLAG
- TCP_OPT
- session:
- IPSEC
- ONECONNECT
- SESMGR
- application control (APPCONTROL)
- authentication (USERAUTH)
- rule (RULE)
Warning
This format is currently in beta. We highly value your feedback to improve its performance.
Configure
This setup guide will show you how to forward your Clavister Next-Gen Firewall events to Sekoia.io.
Prerequisites
- Having an internal log concentrator
Configure Clavister cOS to forward logs
There are two ways to configure Configure Clavister cOS to forward logs:
- Command line interface (CLI)
- Web interface
Command line interface (CLI)
To configure the Clavister cOS to forward logs using the CLI, follow these steps:
- Log into the firewall console
- Add a new log receiver
Device:/> add LogReceiver LogReceiverSyslog <name of the receiver> IPAddress=<ip of the log concentrator> LogSeverity=Emergency,Alert,Critical,Error,Warning,Notice,Info Facility=local1 - Exit the console
Web interface
To configure the Clavister cOS to forward logs using the web interface, follow these steps:
- Log into the interface
- Go to
System>Device>Log Receivers>Add>Syslog Receiver - Type a name of the log receiver
- Type the ip address of the log concentrator as IP Address
- Select
local1from theFacilitylist - Select from
EmergencytoInfoasSeverityFilter - Click on
OK
Create an intake
Go to the intake page and create a new intake from the format Clavister Next-Gen Firewall. Copy the intake key.
Forward logs to Sekoia.io
Please consult the Syslog Forwarding documentation to forward these logs to Sekoia.io.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
id=200002 event=alg_session_closed message=ALG session closed [alg algmod=lw-http algsesid=111111111 ]
id=200001 event=alg_session_open [message=ALG session opened conndestzone="Zone_INTERNET" connrecvzone="Zone_T0" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=8.7.6.5 connipproto=TCP connsrcport=53264 conndestport=443 newconnsrcport=48703 newconndestport=443 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]]
id=7200003 event=application_end [message=Application ended. Application: microsoft. connrecvzone="Zone_T0" family=web application=microsoft risk="Very low" origsent=314 conndestzone="Zone_INTERNET" termsent=143 ssl_inspected=no ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58967 conndestport=443 newconnsrcport=47929 newconndestport=443 origsent=695 termsent=4.52 K connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]]
id=7200001 event=application_identified action=allow [message=Application identified. Application: http2. application=http2 connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][rules rule=Nat_APPC_MICROSOFT_443 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58732 conndestport=443 newconnsrcport=18314 newconndestport=443 origsent=414 termsent=3.09 K connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]]
id=7200002 event=application_identified action=close [message=Application identified. Application: windows_update. application=windows_update applicationpath="tcp.http.akamai.windows_update" connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][rules rule=Nat_APPC_MICROSOFT_443 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58871 conndestport=80 newconnsrcport=54739 newconndestport=80 origsent=334 termsent=52.0 connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]]
id=600002 event=conn_close action=close [message=Connection closed reason="" connrecvzone="Zone_INTRA" conndestzone="Zone_T0" ][rules rule=Alw_GRP_NET-T11__EXA-T0_VB ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=64650 conndestport=53 origsent=59.0 termsent=75.0 connrecvif=AGG-VLAN_INTRA conndestif=IF_VLAN240_T0 ]]
id=600001 event=conn_open [message=Connection opened conndestzone="Zone_T0" connrecvzone="Zone_INTRA" ][rules rule=Alw_GRP_NET-T11__EXA-T0_VB ][conn [conn conn=Open connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=63182 conndestport=53 connrecvif=AGG-VLAN_INTRA conndestif=IF_VLAN240_T0 ]]
id=6000031 event=directed_broadcasts action=drop [message=Packet directed to the broadcast address of the destination network. Dropping recvzone="Zone_OneConnect" ][rules rule=DirectedBroadcasts ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=78 ipproto=UDP ttl=128 fragid=27544 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xC425 srcip=1.2.3.4 destip=255.255.255.255 ][udp packet srcport=137 destport=137 chksum=0xE3A9 iptotlen=58 ]
id=1200400 event=disallowed_on_sync_iface action=drop [message=Received non-HA traffic on sync iface. Dropping recvzone="" ][rules rule=HA_RestrictSyncIf ][ethernet hwsender=000000000000 hwdest=111111111111 ipproto=39 ]
id=3100001 event=disallowed_sender action=drop [message=Disallowed SNMP from 1.2.3.4, disallowed sender IP conndestzone="" connrecvzone="Zone_INTERNET" peer=1.2.3.4 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=55506 conndestport=161 connrecvif=AGG-VLAN_FO conndestif=core ]]
id=8000004 event=dns_cache_freeip4entry action=ignore [message=Removing an IP address from an FQDN object. fqdn="example.org" removed_address="5.6.7.8" ]
id=300008 event=hwaddr_change action=allow_processing [message=1.2.3.4 has a different address 00-00-00-00-00-00 compared to the known hardware address 00-11-22-33-44-55. Allow packet for further processing. knownhw=00-11-22-33-44-55 knownip=1.2.3.4 recvzone="Zone_INTRA" newhw=00-00-00-00-00-00 ][rules rule=ARPChanges ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Arp ][arp opcode=Reply hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=111111111111 hwdest=000000000000 srcip=1.2.3.4 destip=5.6.7.8 ]]
id=1800906 event=ike_sa_deleted [message=IKE SA deleted, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8. remote_behind_nat=FALSE lifetime=28800 local_port=500 local_ip=1.2.3.4 remote_id=5.6.7.8 local_behind_nat=FALSE initiator=FALSE remote_port=500 remote_ip=5.6.7.8 algorithms=aes128-cbc/hmac-sha256-128/hmac-sha256/MODP_3072 local_id=1.2.3.4 remote_ike_spi=0x6de8b28f11c541ad local_ike_spi=0x6662761c9f754ed5 ipsec_if=VPN_EXAMPLE remote_iface=AGG-VLAN_FO ]
id=1802022 event=ike_sa_failed action=no_ike_sa [message=IKE SA negotiation failed: "Timed out" "",Local IKE peer: "1.2.3.4:500 ID (null)", Remote IKE peer: "5.6.7.8:500 ID (null)", Initiator SPI: 0x0000000000000000, Responder SPI: 0x0000000000000000. spi_i=0x0000000000000000 local_peer="1.2.3.4:500 ID (null)" ipsec_if=VPN_JOHN_DOE remote_peer="5.6.7.8:500 ID (null)" statusmsg="Timed out" reason="" spi_r=0x0000000000000000 initiator=TRUE ]
id=1800905 event=ike_sa_rekeyed [message=IKE SA rekeyed, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8. remote_behind_nat=FALSE lifetime=28800 local_port=500 local_ip=1.2.3.4 remote_id=5.6.7.8 local_behind_nat=FALSE initiator=FALSE remote_port=500 remote_ip=5.6.7.8 algorithms=aes128-cbc/hmac-sha256-128/hmac-sha256/MODP_3072 local_id=1.2.3.4 remote_ike_spi=0x6de8b28f11c541ad local_ike_spi=0x6662761c9f754ed5 ipsec_if=VPN_EXAMPLE remote_iface=AGG-VLAN_FO ]
id=1802023 event=ike_sa_statistics [message=IKE SA negotiations: 757130 done, 17808 successful, 739322 failed done=757130 failed=739322 success=17808 ]
id=200275 event=invalid_clienthello_server_name [message=HTTPALG: HTTPS Failed to parse SNI server name from ClientHello SNI extension ("Pointer outside buffer (15)"). cause="Pointer outside buffer (15)" algname=DATACENTERS_EXA/71_NAT_SRV1111_ connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=6.7.8.9 connipproto=TCP connsrcport=59510 conndestport=443 newconnsrcport=31616 newconndestport=443 origsent=330 termsent=60.0 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]]
id=200144 event=invalid_http_syntax action=close [message=HTTPALG: Invalid HTTP syntax seen in request. reason="invalid HTTP method" algname=DATACENTERS_EXA/780_INTERNET type=request connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=63745 conndestport=443 newconnsrcport=15969 newconndestport=443 origsent=196 termsent=52.0 connrecvif=IF_VLAN241_T0 conndestif=AGG-VLAN_FO ]]
id=6000070 event=ip4_address_added action=policy_updated [message=IP address 5.6.7.8 added to FQDN address FQDN_NTP used in IPPolicy dest filter. dir=dest fqdn_name=FQDN_NTP ip=5.6.7.8 ][rules rule=Nat_SRV1_FQDN-NTP_123 ]
id=6000072 event=ip4_address_removed action=policy_updated [message=IP address 5.6.7.8 removed from FQDN address FQDN_NTP used in IPPolicy dest filter. dir=dest fqdn_name=FQDN_NTP ip=5.6.7.8 ][rules rule=Nat_SRV1_FQDN-NTP_123 ]
id=600120 event=ip_reputation action=none [message=IP address reputation query result. categories="none" score=80 ip=5.6.7.8 connrecvzone="Zone_T0" conndestzone="Zone_INTERNET" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=8.7.6.5 connipproto=UDP connsrcport=59428 conndestport=53 newconnsrcport=15661 newconndestport=53 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]]
id=8200005 event=ipreputation_server_connect action=none [message=Connected to IP Reputation server 5.6.7.8. server=5.6.7.8 ]
id=8200015 event=ipreputation_server_disconnect action=none [message=Disconnected from IP Reputation server 5.6.7.8. server=5.6.7.8 ]
id=1800908 event=ipsec_sa_rekeyed [message=IPsec SA rekeyed, Source IP: 1.2.3.4, Destination IP: 1.2.3.4, Inbound SPI: 0x11111111, Outbound SPI: 0x22222222). dh_bits=3072 imsi="" esp_spi_in=0x11111111 esp_spi_out=0x22222222 esp_mac=hmac-sha256-128 local_ip=1.2.3.4 esp_cipher=aes-cbc initiator=FALSE ike_spi_r=0x0011223344556677 esp_mac_keysize=0 old_spi=0x00000000 remote_ts="0.0.0.0/0" esp_cipher_keysize=0 life_seconds=3600 ike_spi_i=0x0011223344556677 local_ts="0.0.0.0/0" dh_group=15 remote_ip=1.2.3.4 life_kilobytes=0 ipsec_if=VPN_EXAMPLE_INTRANET ]
id=200110 event=max_http_sessions_reached action=close [message=HTTPALG: Maximum number of HTTP sessions (200) for service reached. Closing connection max_sessions=200 ]algmod=lw-http
id=3400019 event=mismatching_tcp_window_scale action=adjust [message=Mismatching TCP window scale shift count. Expected 8 got not_used will use not_used connrecvzone="Zone_EXA" effective=not_used new=not_used old=8 conndestzone="Zone_EXA" recvzone="Zone_INTRANET" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=58157 conndestport=445 connrecvif=VPN_EXAMPLE conndestif=AGG-VLAN_EXA ]][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=48 ipproto=TCP ttl=127 fragid=9367 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x20BB srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=58157 destport=445 seqno=2939096905 ackno=0 chksum=0xC995 window=8192 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=28 tcpopt=8 mss=1380 NOP=NOP NOP=NOP sackpermit ]]
id=600012 event=no_new_conn_for_this_packet action=reject [message=State inspector would not open a new connection for this TCP packet, rejecting protocol=tcp recvzone="Zone_INTERNET" ][rules rule=LogOpenFails ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=40 ipproto=TCP ttl=119 fragid=36135 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x4A8D srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=53255 destport=443 seqno=3259249701 ackno=1747743363 chksum=0xE0D8 window=0 urgentpointer=0 rsv=4 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=1 PSH=0 RST=1 SYN=0 FIN=0 dataoffset=20 ]]
id=300003 event=no_sender_ip action=drop [message=ARP query sender IP is 0.0.0.0. Dropping recvzone="Zone_T0" ][rules rule=ARPQueryNoSenderIP ][ethernet hwsender=000000000000 hwdest=FFFFFFFFFFFF ipproto=Arp ][arp opcode=Request hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=000000000000 hwdest=FFFFFFFFFFFF srcip=0.0.0.0 destip=5.6.7.8 ]]
id=9000032 event=oneconnect_connection_attempt [message=OneConnect Client connection attempt device_id=win av_enabled=TRUE os_info="Microsoft Windows NT 10.0.19045.0" oneconnect_version=3.9.9.0 ipaddr=1.2.3.4 av_updated=TRUE uid=01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b iface=IF_OneConnect arch=X64 ]
id=9000029 event=oneconnect_dtls_conn_failed [message=OneConnect DTLS connection failed error="DTLS connection negotiation aborted" iface=IF_OneConnect ipaddr=1.2.3.4 ]
id=9000030 event=oneconnect_dtls_read_error [message=OneConnect DTLS packet read error errors=26 first_error=2 ipaddr=1.2.3.4 ]
id=9000003 event=oneconnect_session_closed [message=OneConnect session closed at IF_OneConnect username=JDOE ipaddr=1.2.3.4 iface=IF_OneConnect connrecvzone="Zone_INTERNET" conndestzone="" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=31713 conndestport=443 origsent=7.62 K termsent=7.67 K connrecvif=AGG-VLAN_FO conndestif=core ]]
id=9000004 event=oneconnect_session_closed [message=OneConnect session closed at IF_OneConnect username=jdoe iface=IF_OneConnect ipaddr=1.2.3.4 ]
id=9000001 event=oneconnect_session_created [message=OneConnect Session created at IF_OneConnect connrecvzone="Zone_INTERNET" ipaddr=1.2.3.4 username=jdoe iface=IF_OneConnect client_ip=4.3.2.1 conndestzone="" uid=01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=5181 conndestport=443 origsent=5.79 K termsent=4.95 K connrecvif=AGG-VLAN_FO conndestif=core ]]
id=9000005 event=oneconnect_session_disconnected [message=OneConnect session disconnected at IF_OneConnect username=JDOE iface=IF_OneConnect ipaddr=1.2.3.4 ]
id=9000002 event=oneconnect_session_reconnected [message=OneConnect Session reconnected at IF_OneConnect connrecvzone="Zone_INTERNET" ipaddr=1.2.3.4 username=jdoe iface=IF_OneConnect client_ip=4.3.2.1 conndestzone="" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=51249 conndestport=443 origsent=1.24 K termsent=2.86 K connrecvif=AGG-VLAN_FO conndestif=core ]]
id=3700105 event=radius_auth_timeout message=Timeout during RADIUS user authentication, contact with RADIUS server not established [userauth authrule=IF_OneConnect username=jdoe authagent=OneConnect authsrc=n/a authevent=Disallowed srcip=1.2.3.4 ]
id=200125 event=request_url action=allow [message=HTTPALG: Requesting URL "aaa.example.org/". Categories: "whitelist". Audit: off. Override: no. ALG name: DATACENTERS_INTRA/189_NAT_POWERSH. connrecvzone="Zone_T0" categories="whitelist" audit=off url="aaa.example.org/" domain=example.org override=no conndestzone="Zone_INTERNET" algname=DATACENTERS_EXA/189_NAT_POWERSH ][alg algmod=lw-http algsesid=132209793 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=53879 conndestport=443 newconnsrcport=38330 newconndestport=443 origsent=337 termsent=52.0 connrecvif=IF_VLAN248_T0 conndestif=AGG-VLAN_FO ]]
id=1100002 event=route_exported_to_ospf_as [message=Route exported to OSPF AS routezone=Zone_OneConnect ][rules rule=ExportRoute-VPN-OneConnect ][dynrouting event=11111111 from=OneConnectServer to=ospfarea [route routerange=10.0.0.1-10.0.0.1 routeiface=IF_OneConnect routegw=0.0.0.0 routemetric=0 ]]
id=1100003 event=route_unexported_from_ospf_as [message=Route unexported from OSPF AS routezone=Zone_OneConnect ][rules rule=ExportRoute-VPN-OneConnect ][dynrouting event=11111111 from=OneConnectServer to=ospfarea [route routerange=10.1.0.1-10.1.0.1 routeiface=IF_OneConnect routegw=0.0.0.0 routemetric=0 ]]
id=6000051 event=ruleset_drop_packet action=drop [message=Packet dropped by rule-set. Dropping recvzone="Zone_INTRA" ][rules rule=Default_Rule ][ethernet hwsender=0000000000000 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Priority delay=Normal throughput=High reliability=Normal ]iptotlen=52 ipproto=TCP ttl=123 fragid=4107 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x21D8 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=57168 destport=9100 seqno=389322187 ackno=0 chksum=0xF5CB window=64240 urgentpointer=0 rsv=2 [tcpflags YMAS=1 XMAS=1 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1460 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]]
id=4900001 event=sesmgr_session_created action=none [message=Session connected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon. type=Netcon user=jdoe1.2.3.4:54912 ip=1.2.3.4 database=(none) ]
id=4900003 event=sesmgr_session_removed action=none [message=Session disconnected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon. type=Netcon user=jdoe1.2.3.4:54912 ip=1.2.3.4 database=(none) ]
id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=341 client_ip=1.2.3.4 error_message="record layer length error" ]
id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=352 client_ip=1.2.3.4 error_message="Bad ECC Peer Key" ]
id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=501 client_ip=1.2.3.4 error_message="can't match cipher suite" ]
id=3300004 event=tcp_flag_set action=strip_flag [message=The TCP URG flag is set. Stripping recvzone="Zone_T0" bad_flag=URG ][rules rule=TCPUrg ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=41 ipproto=TCP ttl=128 fragid=11924 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xF2B9 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=64358 destport=1521 seqno=279418381 ackno=3379362693 chksum=0x4428 window=1026 urgentpointer=1 rsv=8 [tcpflags YMAS=0 XMAS=0 URG=1 ACK=1 PSH=1 RST=0 SYN=0 FIN=0 dataoffset=20 ]]
id=3300008 event=tcp_flags_set action=drop [message=The TCP SYN and URG flags are set. Dropping recvzone="Zone_INTERNET" good_flag=SYN bad_flag=URG ][rules rule=TCPSynUrg ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=TCP ttl=47 fragid=22760 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xC1C8 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=9751 destport=65023 seqno=3200649084 ackno=0 chksum=0x43A5 window=0 urgentpointer=20148 rsv=15 [tcpflags YMAS=0 XMAS=0 URG=1 ACK=1 PSH=1 RST=1 SYN=1 FIN=1 dataoffset=40 tcpopt=20 mss=1400 sackpermit tsopt=S:0xa349f6f7 R:0x0 NOP=NOP wsopt shift=6 ]]
id=3400005 event=tcp_mss_above_log_level action=log [message=TCP MSS 8960 higher than log level. TCPMSSLogLevel=7000 recvzone="Zone_EXA" mss=8960 mssloglevel=7000 tcpopt=2 ][rules rule=TCPMSSLogLevel ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=TCP ttl=64 fragid=15048 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x94B srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=50512 destport=2051 seqno=4048667863 ackno=0 chksum=0x3CBC window=26880 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=40 tcpopt=20 mss=8960 sackpermit tsopt=S:0xcb0fe1f R:0x0 NOP=NOP wsopt shift=8 ]]
id=3400007 event=tcp_option_strip action=strip [message=Packet has a type 254 TCP option. Stripping it tcpopt=254 recvzone="Zone_INTERNET" ][rules rule=TCPOPT_OTHER ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=64 ipproto=TCP ttl=111 fragid=52547 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x5CE srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=22 destport=23753 seqno=2894526312 ackno=2184314881 chksum=0xDC3B window=65535 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=1 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=44 tcpopt=24 mss=1460 sackpermit tsopt=S:0x327b23c6 R:0x327b23c6 opt=254 len=4 END=END ]]
id=3300029 event=tcp_syn_data action=drop [message=SYN packet contains data. Dropping recvzone="Zone_INTERNET" ][rules rule=TCP_SYN_Data ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Priority delay=Normal throughput=High reliability=Normal ]iptotlen=52 ipproto=TCP ttl=54 fragid=12818 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xD49 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=37751 destport=443 seqno=294625335 ackno=0 chksum=0x639C window=65535 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=20 ]]
id=7000014 event=ttl_low action=drop [message=Received packet with too low TTL of 1. Min TTL is 3. Dropping ttlmin=3 ttl=1 recvzone="Zone_OneConnect" ][rules rule=TTLOnLowMulticast ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=UDP ttl=1 fragid=13147 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x9A66 srcip=1.2.3.4 destip=5.6.7.8 ][udp packet srcport=5353 destport=5353 chksum=0xC116 iptotlen=40 ]
id=2400400 event=unable_to_find_iface_to_stub_net [message=Internal error: Unable to find my interface attached to stub network 10.0.0.1/27 stub=10.0.0.1/27 ][rules rule=ospfarea ]
id=3300010 event=unexpected_tcp_flags action=drop [message=Unexpected tcp flags "SYN ECE CWR" from originator during state FIN_RCVD. Dropping connrecvzone="Zone_EXA" flags="SYN ECE CWR" state=FIN_RCVD endpoint=originator conndestzone="Zone_T0" recvzone="Zone_EXA" ][rules rule=LogStateViolations ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=55080 conndestport=88 origsent=2.08 K termsent=2.09 K connrecvif=IF_VLAN1_T0 conndestif=IF_VLAN2_T0 ]][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=52 ipproto=TCP ttl=128 fragid=11369 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xEE34 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=55080 destport=88 seqno=2465177740 ackno=0 chksum=0x632F window=8192 urgentpointer=0 rsv=2 [tcpflags YMAS=1 XMAS=1 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1460 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]]
id=3300010 event=unexpected_tcp_flags action=drop [message=Unexpected tcp flags SYN from originator during state FIN_RCVD. Dropping connrecvzone="Zone_EXA" flags=SYN state=FIN_RCVD endpoint=originator conndestzone="Zone_EXA" recvzone="Zone_EXA" ][rules rule=LogStateViolations ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=61799 conndestport=58080 origsent=144 termsent=40.0 connrecvif=VPN_EXAMPLE_INTRANET conndestif=AGG-VLAN_EXAMPLE ]][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=52 ipproto=TCP ttl=127 fragid=24895 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xA2D6 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=61799 destport=58080 seqno=2709173819 ackno=0 chksum=0x10C2 window=64240 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1380 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]]
id=6000060 event=unhandled_local action=drop [message=Allowed but unhandled packet to the firewall. Dropping recvzone="Zone_INTERNET" ][rules rule=LocalUndelivered ][ethernet hwsender=1111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=71 ipproto=UDP ttl=250 fragid=54321 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xF3B4 srcip=1.2.3.4 destip=5.6.7.8 ][udp packet srcport=55506 destport=161 chksum=0x0 iptotlen=51 ]
id=6000040 event=unknown_vlantag action=drop [message=Received VLAN packet with unknown type0x8100 and VLAN ID 271. Dropping vlanid=271 type=0x8100 recvzone="" ][rules rule=UnknownVLANTags ][ethernet hwsender=000000000000 hwdest=111111111111 ipproto=Vlan ]
id=300001 event=unsolicited_reply_drop [message=Unsolicited ARP reply received and dropped recvzone="Zone_INTRA" ][rules rule=UnsolicitedARPReplies ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Arp ][arp opcode=Reply hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=111111111111 hwdest=000000000000 srcip=1.2.3.4 destip=5.6.7.8 ]]
id=9000011 event=user_disconnected [message=User JDOE is forcibly disconnected. Client: 1.2.3.4 username=JDOE client_ip=4.3.2.1 ipaddr=1.2.3.4 ]
id=3700102 event=user_login [message=User logged in. Idle timeout: 1800, Session timeout: 0 groups="GROUP1,GROUP2" idle_timeout=1800 session_timeout=0 ][userauth authrule=IF_OneConnect username=jdoe authagent=OneConnect authsrc=n/a authevent=Login srcip=1.2.3.4 ]
id=3700110 event=user_logout message=User logged out [userauth authrule=IF_OneConnect username=JDOE authagent=OneConnect authsrc=n/a authevent=Logout srcip=1.2.3.4 ]
id=3700020 event=user_timeout action=user_removed message=User timeout expired, user is automatically logged out [userauth authrule=IF_OneConnect username=JDOE authagent=OneConnect authsrc=n/a authevent=Logout srcip=1.2.3.4 ]
id=200122 event=wcf_connecting action=connecting [message=HTTPALG:Connecting to web content server 5.6.7.8 server=5.6.7.8 ]algmod=http
id=200123 event=wcf_server_connected action=none [message=HTTPALG: Web content server 5.6.7.8 connected server=5.6.7.8 ]algmod=http
id=200134 event=wcf_server_disconnected action=none [message=HTTPALG: Web content server 164.132.83.85 disconnected server=164.132.83.85 ]algmod=http
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Related Built-in Rules
The following Sekoia.io built-in rules match the intake Clavister NGFW [BETA]. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake.
SEKOIA.IO x Clavister NGFW [BETA] on ATT&CK Navigator
Account Added To A Security Enabled Group
Detection in order to investigate who has added a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4728)
- Effort: master
Account Removed From A Security Enabled Group
Detection in order to investigate who has removed a specific Domain User in Domain Admins or Group Policy Creator Owners (Security event 4729)
- Effort: master
Computer Account Deleted
Detects computer account deletion.
- Effort: master
Cryptomining
Detection of domain names potentially related to cryptomining activities.
- Effort: master
Domain Trust Created Or Removed
A trust was created or removed to a domain. An attacker could perform that in order to do lateral movement easily between domains or shutdown the ability of two domains to communicate.
- Effort: advanced
Dynamic DNS Contacted
Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious.
- Effort: master
Exfiltration Domain
Detects traffic toward a domain flagged as a possible exfiltration vector.
- Effort: master
Password Change On Directory Service Restore Mode (DSRM) Account
The Directory Service Restore Mode (DSRM) account is a local administrator account on Domain Controllers. Attackers may change the password to gain persistence.
- Effort: intermediate
Possible Replay Attack
This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems.
- Effort: intermediate
RSA SecurID Failed Authentification
Detects many failed attempts to authenticate followed by a successfull login for a super admin account.
- Effort: advanced
Remote Access Tool Domain
Detects traffic toward a domain flagged as a Remote Administration Tool (RAT).
- Effort: master
SEKOIA.IO Intelligence Feed
Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team.
- Effort: elementary
Sekoia.io EICAR Detection
Detects observables in Sekoia.io CTI tagged as EICAR, which are fake samples meant to test detection.
- Effort: master
TOR Usage
Detects TOR usage, based on the IP address and the destination port (filtered on NTP). TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
TOR Usage Generic Rule
Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list.
- Effort: master
User Account Created
Detects user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this on your windows server logs and not on your DC logs. One default account defaultuser0 is excluded as only used during Windows set-up. This detection use Security Event ID 4720.
- Effort: master
User Account Deleted
Detects local user deletion
- Effort: master
Event Categories
The following table lists the data source offered by this integration.
| Data Source | Description |
|---|---|
Web logs |
Web logs coming from Clavister Next-Gen Firewall devices provide information about the connected client and the requested resource. |
DNS records |
Clavister Next-Gen Firewall provides detailed logs on handled DNS queries |
In details, the following table denotes the type of events produced by this integration.
| Name | Values |
|---|---|
| Kind | metric |
| Category | authentication, configuration, database, network, session |
| Type | change, connection, denied, end, info, start |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "id=200002 event=alg_session_closed message=ALG session closed [alg algmod=lw-http algsesid=111111111 ]",
"event": {
"category": [
"session"
],
"code": "200002",
"reason": "ALG",
"type": [
"end"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
}
}
{
"message": "id=200001 event=alg_session_open [message=ALG session opened conndestzone=\"Zone_INTERNET\" connrecvzone=\"Zone_T0\" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=8.7.6.5 connipproto=TCP connsrcport=53264 conndestport=443 newconnsrcport=48703 newconndestport=443 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]]",
"event": {
"category": [
"session"
],
"code": "200001",
"reason": "ALG session opened",
"type": [
"start"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_INTERNET",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"nat": {
"ip": "8.7.6.5"
},
"port": 443
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1",
"5.6.7.8",
"8.7.6.5"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 48703
},
"port": 53264
}
}
{
"message": "id=7200003 event=application_end [message=Application ended. Application: microsoft. connrecvzone=\"Zone_T0\" family=web application=microsoft risk=\"Very low\" origsent=314 conndestzone=\"Zone_INTERNET\" termsent=143 ssl_inspected=no ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58967 conndestport=443 newconnsrcport=47929 newconndestport=443 origsent=695 termsent=4.52 K connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]]",
"event": {
"category": [
"network"
],
"code": "7200003",
"reason": "Application ended. Application: microsoft.",
"type": [
"end"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_INTERNET",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 443
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 47929
},
"port": 58967
}
}
{
"message": "id=7200001 event=application_identified action=allow [message=Application identified. Application: http2. application=http2 connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][rules rule=Nat_APPC_MICROSOFT_443 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58732 conndestport=443 newconnsrcport=18314 newconndestport=443 origsent=414 termsent=3.09 K connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]]",
"event": {
"category": [
"network"
],
"code": "7200001",
"reason": "Application identified. Application: http2.",
"type": [
"end"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_INTERNET",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 443
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1",
"5.6.7.8"
]
},
"rule": {
"name": "Nat_APPC_MICROSOFT_443"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 18314
},
"port": 58732
}
}
{
"message": "id=7200002 event=application_identified action=close [message=Application identified. Application: windows_update. application=windows_update applicationpath=\"tcp.http.akamai.windows_update\" connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][rules rule=Nat_APPC_MICROSOFT_443 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=58871 conndestport=80 newconnsrcport=54739 newconndestport=80 origsent=334 termsent=52.0 connrecvif=IF_VLAN1_T0 conndestif=AGG-VLAN_FO ]]",
"event": {
"category": [
"network"
],
"code": "7200002",
"reason": "Application identified. Application: windows_update.",
"type": [
"end"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_INTERNET",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 80
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1",
"5.6.7.8"
]
},
"rule": {
"name": "Nat_APPC_MICROSOFT_443"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 54739
},
"port": 58871
}
}
{
"message": "id=600002 event=conn_close action=close [message=Connection closed reason=\"\" connrecvzone=\"Zone_INTRA\" conndestzone=\"Zone_T0\" ][rules rule=Alw_GRP_NET-T11__EXA-T0_VB ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=64650 conndestport=53 origsent=59.0 termsent=75.0 connrecvif=AGG-VLAN_INTRA conndestif=IF_VLAN240_T0 ]]",
"event": {
"category": [
"network"
],
"code": "600002",
"reason": "Connection closed",
"type": [
"end"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_T0",
"recvzone": "Zone_INTRA"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 53
},
"network": {
"transport": "udp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "Alw_GRP_NET-T11__EXA-T0_VB"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 64650
}
}
{
"message": "id=600001 event=conn_open [message=Connection opened conndestzone=\"Zone_T0\" connrecvzone=\"Zone_INTRA\" ][rules rule=Alw_GRP_NET-T11__EXA-T0_VB ][conn [conn conn=Open connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=63182 conndestport=53 connrecvif=AGG-VLAN_INTRA conndestif=IF_VLAN240_T0 ]]",
"event": {
"category": [
"network"
],
"code": "600001",
"reason": "Connection opened",
"type": [
"start"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_T0",
"recvzone": "Zone_INTRA"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 53
},
"network": {
"transport": "udp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "Alw_GRP_NET-T11__EXA-T0_VB"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 63182
}
}
{
"message": "id=6000031 event=directed_broadcasts action=drop [message=Packet directed to the broadcast address of the destination network. Dropping recvzone=\"Zone_OneConnect\" ][rules rule=DirectedBroadcasts ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=78 ipproto=UDP ttl=128 fragid=27544 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xC425 srcip=1.2.3.4 destip=255.255.255.255 ][udp packet srcport=137 destport=137 chksum=0xE3A9 iptotlen=58 ]",
"event": {
"category": [
"network"
],
"code": "6000031",
"reason": "Packet directed to the broadcast address of the destination network. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"recvzone": "Zone_OneConnect"
}
},
"destination": {
"address": "255.255.255.255",
"ip": "255.255.255.255",
"port": 137
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"255.255.255.255"
]
},
"rule": {
"name": "DirectedBroadcasts"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 137
}
}
{
"message": "id=1200400 event=disallowed_on_sync_iface action=drop [message=Received non-HA traffic on sync iface. Dropping recvzone=\"\" ][rules rule=HA_RestrictSyncIf ][ethernet hwsender=000000000000 hwdest=111111111111 ipproto=39 ]",
"event": {
"category": [
"network"
],
"code": "1200400",
"reason": "Received non-HA traffic on sync iface. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"ipproto": "39"
}
},
"destination": {
"mac": "111111111111"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"rule": {
"name": "HA_RestrictSyncIf"
},
"source": {
"mac": "000000000000"
}
}
{
"message": "id=3100001 event=disallowed_sender action=drop [message=Disallowed SNMP from 1.2.3.4, disallowed sender IP conndestzone=\"\" connrecvzone=\"Zone_INTERNET\" peer=1.2.3.4 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=UDP connsrcport=55506 conndestport=161 connrecvif=AGG-VLAN_FO conndestif=core ]]",
"event": {
"category": [
"network"
],
"code": "3100001",
"reason": "Disallowed SNMP from 1.2.3.4, disallowed sender IP",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"recvzone": "Zone_INTERNET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 161
},
"network": {
"transport": "udp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 55506
}
}
{
"message": "id=8000004 event=dns_cache_freeip4entry action=ignore [message=Removing an IP address from an FQDN object. fqdn=\"example.org\" removed_address=\"5.6.7.8\" ]",
"event": {
"category": [
"database"
],
"code": "8000004",
"reason": "Removing an IP address from an FQDN object.",
"type": [
"change"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
}
}
{
"message": "id=300008 event=hwaddr_change action=allow_processing [message=1.2.3.4 has a different address 00-00-00-00-00-00 compared to the known hardware address 00-11-22-33-44-55. Allow packet for further processing. knownhw=00-11-22-33-44-55 knownip=1.2.3.4 recvzone=\"Zone_INTRA\" newhw=00-00-00-00-00-00 ][rules rule=ARPChanges ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Arp ][arp opcode=Reply hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=111111111111 hwdest=000000000000 srcip=1.2.3.4 destip=5.6.7.8 ]]",
"event": {
"category": [
"network"
],
"code": "300008",
"reason": "1.2.3.4 has a different address 00-00-00-00-00-00 compared to the known hardware address 00-11-22-33-44-55. Allow packet for further processing.",
"type": [
"info"
]
},
"clavister": {
"ngfw": {
"ipproto": "Arp",
"knownhw": "00-11-22-33-44-55",
"knownip": "1.2.3.4",
"newhw": "00-00-00-00-00-00",
"recvzone": "Zone_INTRA"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "ARPChanges"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "111111111111"
}
}
{
"message": "id=1800906 event=ike_sa_deleted [message=IKE SA deleted, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8. remote_behind_nat=FALSE lifetime=28800 local_port=500 local_ip=1.2.3.4 remote_id=5.6.7.8 local_behind_nat=FALSE initiator=FALSE remote_port=500 remote_ip=5.6.7.8 algorithms=aes128-cbc/hmac-sha256-128/hmac-sha256/MODP_3072 local_id=1.2.3.4 remote_ike_spi=0x6de8b28f11c541ad local_ike_spi=0x6662761c9f754ed5 ipsec_if=VPN_EXAMPLE remote_iface=AGG-VLAN_FO ]",
"event": {
"category": [
"network"
],
"code": "1800906",
"reason": "IKE SA deleted, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8.",
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "id=1802022 event=ike_sa_failed action=no_ike_sa [message=IKE SA negotiation failed: \"Timed out\" \"\",Local IKE peer: \"1.2.3.4:500 ID (null)\", Remote IKE peer: \"5.6.7.8:500 ID (null)\", Initiator SPI: 0x0000000000000000, Responder SPI: 0x0000000000000000. spi_i=0x0000000000000000 local_peer=\"1.2.3.4:500 ID (null)\" ipsec_if=VPN_JOHN_DOE remote_peer=\"5.6.7.8:500 ID (null)\" statusmsg=\"Timed out\" reason=\"\" spi_r=0x0000000000000000 initiator=TRUE ]",
"event": {
"category": [
"network"
],
"code": "1802022",
"reason": "IKE SA negotiation failed: \"Timed out\" \"\",Local IKE peer: \"1.2.3.4:500 ID (null)\", Remote IKE peer: \"5.6.7.8:500 ID (null)\", Initiator SPI: 0x0000000000000000, Responder SPI: 0x0000000000000000.",
"type": [
"denied"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
}
}
{
"message": "id=1800905 event=ike_sa_rekeyed [message=IKE SA rekeyed, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8. remote_behind_nat=FALSE lifetime=28800 local_port=500 local_ip=1.2.3.4 remote_id=5.6.7.8 local_behind_nat=FALSE initiator=FALSE remote_port=500 remote_ip=5.6.7.8 algorithms=aes128-cbc/hmac-sha256-128/hmac-sha256/MODP_3072 local_id=1.2.3.4 remote_ike_spi=0x6de8b28f11c541ad local_ike_spi=0x6662761c9f754ed5 ipsec_if=VPN_EXAMPLE remote_iface=AGG-VLAN_FO ]",
"event": {
"category": [
"network"
],
"code": "1800905",
"reason": "IKE SA rekeyed, Local IKE peer: 1.2.3.4:500 1.2.3.4, Remote IKE peer: AGG-VLAN_FO:5.6.7.8:500 5.6.7.8.",
"type": [
"info"
]
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "id=1802023 event=ike_sa_statistics [message=IKE SA negotiations: 757130 done, 17808 successful, 739322 failed done=757130 failed=739322 success=17808 ]",
"event": {
"category": [
"network"
],
"code": "1802023",
"kind": "metric",
"reason": "IKE SA negotiations: 757130 done, 17808 successful, 739322 failed",
"type": [
"info"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
}
}
{
"message": "id=200275 event=invalid_clienthello_server_name [message=HTTPALG: HTTPS Failed to parse SNI server name from ClientHello SNI extension (\"Pointer outside buffer (15)\"). cause=\"Pointer outside buffer (15)\" algname=DATACENTERS_EXA/71_NAT_SRV1111_ connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=6.7.8.9 connipproto=TCP connsrcport=59510 conndestport=443 newconnsrcport=31616 newconndestport=443 origsent=330 termsent=60.0 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]]",
"event": {
"category": [
"network"
],
"code": "200275",
"reason": "HTTPALG: HTTPS Failed to parse SNI server name from ClientHello SNI extension (\"Pointer outside buffer (15)\").",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_INTERNET",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"nat": {
"ip": "6.7.8.9"
},
"port": 443
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1",
"5.6.7.8",
"6.7.8.9"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 31616
},
"port": 59510
}
}
{
"message": "id=200144 event=invalid_http_syntax action=close [message=HTTPALG: Invalid HTTP syntax seen in request. reason=\"invalid HTTP method\" algname=DATACENTERS_EXA/780_INTERNET type=request connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][alg algmod=lw-http algsesid=111111111 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=63745 conndestport=443 newconnsrcport=15969 newconndestport=443 origsent=196 termsent=52.0 connrecvif=IF_VLAN241_T0 conndestif=AGG-VLAN_FO ]]",
"event": {
"category": [
"network"
],
"code": "200144",
"reason": "HTTPALG: Invalid HTTP syntax seen in request.",
"type": [
"info"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_INTERNET",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 443
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 15969
},
"port": 63745
}
}
{
"message": "id=6000070 event=ip4_address_added action=policy_updated [message=IP address 5.6.7.8 added to FQDN address FQDN_NTP used in IPPolicy dest filter. dir=dest fqdn_name=FQDN_NTP ip=5.6.7.8 ][rules rule=Nat_SRV1_FQDN-NTP_123 ]",
"event": {
"category": [
"configuration"
],
"code": "6000070",
"reason": "IP address 5.6.7.8 added to FQDN address FQDN_NTP used in IPPolicy dest filter.",
"type": [
"change"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"rule": {
"name": "Nat_SRV1_FQDN-NTP_123"
}
}
{
"message": "id=6000072 event=ip4_address_removed action=policy_updated [message=IP address 5.6.7.8 removed from FQDN address FQDN_NTP used in IPPolicy dest filter. dir=dest fqdn_name=FQDN_NTP ip=5.6.7.8 ][rules rule=Nat_SRV1_FQDN-NTP_123 ]",
"event": {
"category": [
"configuration"
],
"code": "6000072",
"reason": "IP address 5.6.7.8 removed from FQDN address FQDN_NTP used in IPPolicy dest filter.",
"type": [
"change"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"rule": {
"name": "Nat_SRV1_FQDN-NTP_123"
}
}
{
"message": "id=600120 event=ip_reputation action=none [message=IP address reputation query result. categories=\"none\" score=80 ip=5.6.7.8 connrecvzone=\"Zone_T0\" conndestzone=\"Zone_INTERNET\" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=8.7.6.5 connipproto=UDP connsrcport=59428 conndestport=53 newconnsrcport=15661 newconndestport=53 connrecvif=IF_VLAN240_T0 conndestif=AGG-VLAN_FO ]]",
"event": {
"category": [
"network"
],
"code": "600120",
"reason": "IP address reputation query result.",
"type": [
"info"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_INTERNET",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"nat": {
"ip": "8.7.6.5"
},
"port": 53
},
"network": {
"transport": "udp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1",
"5.6.7.8",
"8.7.6.5"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 15661
},
"port": 59428
}
}
{
"message": "id=8200005 event=ipreputation_server_connect action=none [message=Connected to IP Reputation server 5.6.7.8. server=5.6.7.8 ]",
"event": {
"category": [
"session"
],
"code": "8200005",
"reason": "Connected to IP Reputation server 5.6.7.8.",
"type": [
"start"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"5.6.7.8"
]
},
"server": {
"ip": "5.6.7.8"
}
}
{
"message": "id=8200015 event=ipreputation_server_disconnect action=none [message=Disconnected from IP Reputation server 5.6.7.8. server=5.6.7.8 ]",
"event": {
"category": [
"session"
],
"code": "8200015",
"reason": "Disconnected from IP Reputation server 5.6.7.8.",
"type": [
"end"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"5.6.7.8"
]
},
"server": {
"ip": "5.6.7.8"
}
}
{
"message": "id=1800908 event=ipsec_sa_rekeyed [message=IPsec SA rekeyed, Source IP: 1.2.3.4, Destination IP: 1.2.3.4, Inbound SPI: 0x11111111, Outbound SPI: 0x22222222). dh_bits=3072 imsi=\"\" esp_spi_in=0x11111111 esp_spi_out=0x22222222 esp_mac=hmac-sha256-128 local_ip=1.2.3.4 esp_cipher=aes-cbc initiator=FALSE ike_spi_r=0x0011223344556677 esp_mac_keysize=0 old_spi=0x00000000 remote_ts=\"0.0.0.0/0\" esp_cipher_keysize=0 life_seconds=3600 ike_spi_i=0x0011223344556677 local_ts=\"0.0.0.0/0\" dh_group=15 remote_ip=1.2.3.4 life_kilobytes=0 ipsec_if=VPN_EXAMPLE_INTRANET ]",
"event": {
"category": [
"network"
],
"code": "1800908",
"reason": "IPsec SA rekeyed, Source IP: 1.2.3.4, Destination IP: 1.2.3.4, Inbound SPI: 0x11111111, Outbound SPI: 0x22222222).",
"type": [
"info"
]
},
"destination": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "id=200110 event=max_http_sessions_reached action=close [message=HTTPALG: Maximum number of HTTP sessions (200) for service reached. Closing connection max_sessions=200 ]algmod=lw-http",
"event": {
"category": [
"network"
],
"code": "200110",
"reason": "HTTPALG: Maximum number of HTTP sessions (200) for service reached. Closing connection",
"type": [
"info"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
}
}
{
"message": "id=3400019 event=mismatching_tcp_window_scale action=adjust [message=Mismatching TCP window scale shift count. Expected 8 got not_used will use not_used connrecvzone=\"Zone_EXA\" effective=not_used new=not_used old=8 conndestzone=\"Zone_EXA\" recvzone=\"Zone_INTRANET\" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=58157 conndestport=445 connrecvif=VPN_EXAMPLE conndestif=AGG-VLAN_EXA ]][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=48 ipproto=TCP ttl=127 fragid=9367 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x20BB srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=58157 destport=445 seqno=2939096905 ackno=0 chksum=0xC995 window=8192 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=28 tcpopt=8 mss=1380 NOP=NOP NOP=NOP sackpermit ]]",
"event": {
"category": [
"network"
],
"code": "3400019",
"reason": "Mismatching TCP window scale shift count. Expected 8 got not_used will use not_used",
"type": [
"info"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_EXA",
"recvzone": "Zone_INTRANET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 445
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 58157
}
}
{
"message": "id=600012 event=no_new_conn_for_this_packet action=reject [message=State inspector would not open a new connection for this TCP packet, rejecting protocol=tcp recvzone=\"Zone_INTERNET\" ][rules rule=LogOpenFails ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=40 ipproto=TCP ttl=119 fragid=36135 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x4A8D srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=53255 destport=443 seqno=3259249701 ackno=1747743363 chksum=0xE0D8 window=0 urgentpointer=0 rsv=4 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=1 PSH=0 RST=1 SYN=0 FIN=0 dataoffset=20 ]]",
"event": {
"category": [
"network"
],
"code": "600012",
"reason": "State inspector would not open a new connection for this TCP packet, rejecting",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"ipproto": "Ip4",
"recvzone": "Zone_INTERNET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000",
"port": 443
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "LogOpenFails"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "111111111111",
"port": 53255
}
}
{
"message": "id=300003 event=no_sender_ip action=drop [message=ARP query sender IP is 0.0.0.0. Dropping recvzone=\"Zone_T0\" ][rules rule=ARPQueryNoSenderIP ][ethernet hwsender=000000000000 hwdest=FFFFFFFFFFFF ipproto=Arp ][arp opcode=Request hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=000000000000 hwdest=FFFFFFFFFFFF srcip=0.0.0.0 destip=5.6.7.8 ]]",
"event": {
"category": [
"network"
],
"code": "300003",
"reason": "ARP query sender IP is 0.0.0.0. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"ipproto": "Arp",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "FFFFFFFFFFFF"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"0.0.0.0",
"5.6.7.8"
]
},
"rule": {
"name": "ARPQueryNoSenderIP"
},
"source": {
"address": "0.0.0.0",
"ip": "0.0.0.0",
"mac": "000000000000"
}
}
{
"message": "id=9000032 event=oneconnect_connection_attempt [message=OneConnect Client connection attempt device_id=win av_enabled=TRUE os_info=\"Microsoft Windows NT 10.0.19045.0\" oneconnect_version=3.9.9.0 ipaddr=1.2.3.4 av_updated=TRUE uid=01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b iface=IF_OneConnect arch=X64 ]",
"event": {
"category": [
"network"
],
"code": "9000032",
"outcome": "failure",
"reason": "OneConnect Client connection attempt",
"type": [
"start"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "id=9000029 event=oneconnect_dtls_conn_failed [message=OneConnect DTLS connection failed error=\"DTLS connection negotiation aborted\" iface=IF_OneConnect ipaddr=1.2.3.4 ]",
"event": {
"category": [
"network"
],
"code": "9000029",
"outcome": "failure",
"reason": "OneConnect DTLS connection failed",
"type": [
"start"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "id=9000030 event=oneconnect_dtls_read_error [message=OneConnect DTLS packet read error errors=26 first_error=2 ipaddr=1.2.3.4 ]",
"event": {
"category": [
"network"
],
"code": "9000030",
"outcome": "failure",
"reason": "OneConnect DTLS packet read error",
"type": [
"start"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
}
}
{
"message": "id=9000003 event=oneconnect_session_closed [message=OneConnect session closed at IF_OneConnect username=JDOE ipaddr=1.2.3.4 iface=IF_OneConnect connrecvzone=\"Zone_INTERNET\" conndestzone=\"\" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=31713 conndestport=443 origsent=7.62 K termsent=7.67 K connrecvif=AGG-VLAN_FO conndestif=core ]]",
"event": {
"category": [
"session"
],
"code": "9000003",
"reason": "OneConnect session closed at IF_OneConnect",
"type": [
"end"
]
},
"clavister": {
"ngfw": {
"recvzone": "Zone_INTERNET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 443
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
],
"user": [
"JDOE"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 31713
},
"user": {
"name": "JDOE"
}
}
{
"message": "id=9000004 event=oneconnect_session_closed [message=OneConnect session closed at IF_OneConnect username=jdoe iface=IF_OneConnect ipaddr=1.2.3.4 ]",
"event": {
"category": [
"session"
],
"code": "9000004",
"reason": "OneConnect session closed at IF_OneConnect",
"type": [
"end"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "jdoe"
}
}
{
"message": "id=9000001 event=oneconnect_session_created [message=OneConnect Session created at IF_OneConnect connrecvzone=\"Zone_INTERNET\" ipaddr=1.2.3.4 username=jdoe iface=IF_OneConnect client_ip=4.3.2.1 conndestzone=\"\" uid=01ba4719c80b6fe911b091a7c05124b64eeece964e09c058ef8f9805daca546b ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=5181 conndestport=443 origsent=5.79 K termsent=4.95 K connrecvif=AGG-VLAN_FO conndestif=core ]]",
"event": {
"category": [
"session"
],
"code": "9000001",
"reason": "OneConnect Session created at IF_OneConnect",
"type": [
"start"
]
},
"clavister": {
"ngfw": {
"recvzone": "Zone_INTERNET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 443
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
],
"user": [
"jdoe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 5181
},
"user": {
"name": "jdoe"
}
}
{
"message": "id=9000005 event=oneconnect_session_disconnected [message=OneConnect session disconnected at IF_OneConnect username=JDOE iface=IF_OneConnect ipaddr=1.2.3.4 ]",
"event": {
"category": [
"session"
],
"code": "9000005",
"reason": "OneConnect session disconnected at IF_OneConnect",
"type": [
"end"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"JDOE"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "JDOE"
}
}
{
"message": "id=9000002 event=oneconnect_session_reconnected [message=OneConnect Session reconnected at IF_OneConnect connrecvzone=\"Zone_INTERNET\" ipaddr=1.2.3.4 username=jdoe iface=IF_OneConnect client_ip=4.3.2.1 conndestzone=\"\" ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=51249 conndestport=443 origsent=1.24 K termsent=2.86 K connrecvif=AGG-VLAN_FO conndestif=core ]]",
"event": {
"category": [
"session"
],
"code": "9000002",
"reason": "OneConnect Session reconnected at IF_OneConnect",
"type": [
"start"
]
},
"clavister": {
"ngfw": {
"recvzone": "Zone_INTERNET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 443
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
],
"user": [
"jdoe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 51249
},
"user": {
"name": "jdoe"
}
}
{
"message": "id=3700105 event=radius_auth_timeout message=Timeout during RADIUS user authentication, contact with RADIUS server not established [userauth authrule=IF_OneConnect username=jdoe authagent=OneConnect authsrc=n/a authevent=Disallowed srcip=1.2.3.4 ]",
"event": {
"category": [
"authentication"
],
"code": "3700105",
"reason": "Timeout",
"type": [
"end"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "jdoe"
}
}
{
"message": "id=200125 event=request_url action=allow [message=HTTPALG: Requesting URL \"aaa.example.org/\". Categories: \"whitelist\". Audit: off. Override: no. ALG name: DATACENTERS_INTRA/189_NAT_POWERSH. connrecvzone=\"Zone_T0\" categories=\"whitelist\" audit=off url=\"aaa.example.org/\" domain=example.org override=no conndestzone=\"Zone_INTERNET\" algname=DATACENTERS_EXA/189_NAT_POWERSH ][alg algmod=lw-http algsesid=132209793 ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 newconnsrcip=4.3.2.1 newconndestip=5.6.7.8 connipproto=TCP connsrcport=53879 conndestport=443 newconnsrcport=38330 newconndestport=443 origsent=337 termsent=52.0 connrecvif=IF_VLAN248_T0 conndestif=AGG-VLAN_FO ]]",
"event": {
"category": [
"network"
],
"code": "200125",
"reason": "HTTPALG: Requesting URL \"aaa.example.org/\". Categories: \"whitelist\". Audit: off. Override: no. ALG name: DATACENTERS_INTRA/189_NAT_POWERSH.",
"type": [
"info"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_INTERNET",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 443
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"4.3.2.1",
"5.6.7.8"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"nat": {
"ip": "4.3.2.1",
"port": 38330
},
"port": 53879
}
}
{
"message": "id=1100002 event=route_exported_to_ospf_as [message=Route exported to OSPF AS routezone=Zone_OneConnect ][rules rule=ExportRoute-VPN-OneConnect ][dynrouting event=11111111 from=OneConnectServer to=ospfarea [route routerange=10.0.0.1-10.0.0.1 routeiface=IF_OneConnect routegw=0.0.0.0 routemetric=0 ]]",
"event": {
"category": [
"network"
],
"code": "1100002",
"reason": "Route exported to OSPF AS",
"type": [
"info"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"rule": {
"name": "ExportRoute-VPN-OneConnect"
}
}
{
"message": "id=1100003 event=route_unexported_from_ospf_as [message=Route unexported from OSPF AS routezone=Zone_OneConnect ][rules rule=ExportRoute-VPN-OneConnect ][dynrouting event=11111111 from=OneConnectServer to=ospfarea [route routerange=10.1.0.1-10.1.0.1 routeiface=IF_OneConnect routegw=0.0.0.0 routemetric=0 ]]",
"event": {
"category": [
"network"
],
"code": "1100003",
"reason": "Route unexported from OSPF AS",
"type": [
"info"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"rule": {
"name": "ExportRoute-VPN-OneConnect"
}
}
{
"message": "id=6000051 event=ruleset_drop_packet action=drop [message=Packet dropped by rule-set. Dropping recvzone=\"Zone_INTRA\" ][rules rule=Default_Rule ][ethernet hwsender=0000000000000 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Priority delay=Normal throughput=High reliability=Normal ]iptotlen=52 ipproto=TCP ttl=123 fragid=4107 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x21D8 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=57168 destport=9100 seqno=389322187 ackno=0 chksum=0xF5CB window=64240 urgentpointer=0 rsv=2 [tcpflags YMAS=1 XMAS=1 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1460 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]]",
"event": {
"category": [
"network"
],
"code": "6000051",
"reason": "Packet dropped by rule-set. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"ipproto": "Ip4",
"recvzone": "Zone_INTRA"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000",
"port": 9100
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "Default_Rule"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "0000000000000",
"port": 57168
}
}
{
"message": "id=4900001 event=sesmgr_session_created action=none [message=Session connected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon. type=Netcon user=jdoe1.2.3.4:54912 ip=1.2.3.4 database=(none) ]",
"event": {
"category": [
"session"
],
"code": "4900001",
"reason": "Session connected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon.",
"type": [
"start"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"user": [
"jdoe1.2.3.4:54912"
]
},
"user": {
"name": "jdoe1.2.3.4:54912"
}
}
{
"message": "id=4900003 event=sesmgr_session_removed action=none [message=Session disconnected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon. type=Netcon user=jdoe1.2.3.4:54912 ip=1.2.3.4 database=(none) ]",
"event": {
"category": [
"session"
],
"code": "4900003",
"reason": "Session disconnected for User: jdoe1.2.3.4:54912. Database: (none). IP: 1.2.3.4. Type: Netcon.",
"type": [
"start"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"user": [
"jdoe1.2.3.4:54912"
]
},
"user": {
"name": "jdoe1.2.3.4:54912"
}
}
{
"message": "id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=341 client_ip=1.2.3.4 error_message=\"record layer length error\" ]",
"event": {
"category": [
"network"
],
"code": "8800100",
"outcome": "failure",
"reason": "Detected SSL Error. Closing down SSL connection",
"type": [
"info"
]
},
"client": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"nat": {
"ip": "1.2.3.4"
}
}
}
{
"message": "id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=352 client_ip=1.2.3.4 error_message=\"Bad ECC Peer Key\" ]",
"event": {
"category": [
"network"
],
"code": "8800100",
"outcome": "failure",
"reason": "Detected SSL Error. Closing down SSL connection",
"type": [
"info"
]
},
"client": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"nat": {
"ip": "1.2.3.4"
}
}
}
{
"message": "id=8800100 event=ssl_error action=close [message=Detected SSL Error. Closing down SSL connection error_code=501 client_ip=1.2.3.4 error_message=\"can't match cipher suite\" ]",
"event": {
"category": [
"network"
],
"code": "8800100",
"outcome": "failure",
"reason": "Detected SSL Error. Closing down SSL connection",
"type": [
"info"
]
},
"client": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
]
},
"source": {
"nat": {
"ip": "1.2.3.4"
}
}
}
{
"message": "id=3300004 event=tcp_flag_set action=strip_flag [message=The TCP URG flag is set. Stripping recvzone=\"Zone_T0\" bad_flag=URG ][rules rule=TCPUrg ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=41 ipproto=TCP ttl=128 fragid=11924 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xF2B9 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=64358 destport=1521 seqno=279418381 ackno=3379362693 chksum=0x4428 window=1026 urgentpointer=1 rsv=8 [tcpflags YMAS=0 XMAS=0 URG=1 ACK=1 PSH=1 RST=0 SYN=0 FIN=0 dataoffset=20 ]]",
"event": {
"category": [
"network"
],
"code": "3300004",
"reason": "The TCP URG flag is set. Stripping",
"type": [
"info"
]
},
"clavister": {
"ngfw": {
"ipproto": "Ip4",
"recvzone": "Zone_T0"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000",
"port": 1521
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "TCPUrg"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "111111111111",
"port": 64358
}
}
{
"message": "id=3300008 event=tcp_flags_set action=drop [message=The TCP SYN and URG flags are set. Dropping recvzone=\"Zone_INTERNET\" good_flag=SYN bad_flag=URG ][rules rule=TCPSynUrg ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=TCP ttl=47 fragid=22760 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xC1C8 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=9751 destport=65023 seqno=3200649084 ackno=0 chksum=0x43A5 window=0 urgentpointer=20148 rsv=15 [tcpflags YMAS=0 XMAS=0 URG=1 ACK=1 PSH=1 RST=1 SYN=1 FIN=1 dataoffset=40 tcpopt=20 mss=1400 sackpermit tsopt=S:0xa349f6f7 R:0x0 NOP=NOP wsopt shift=6 ]]",
"event": {
"category": [
"network"
],
"code": "3300008",
"reason": "The TCP SYN and URG flags are set. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"ipproto": "Ip4",
"recvzone": "Zone_INTERNET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000",
"port": 65023
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "TCPSynUrg"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "111111111111",
"port": 9751
}
}
{
"message": "id=3400005 event=tcp_mss_above_log_level action=log [message=TCP MSS 8960 higher than log level. TCPMSSLogLevel=7000 recvzone=\"Zone_EXA\" mss=8960 mssloglevel=7000 tcpopt=2 ][rules rule=TCPMSSLogLevel ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=TCP ttl=64 fragid=15048 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x94B srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=50512 destport=2051 seqno=4048667863 ackno=0 chksum=0x3CBC window=26880 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=40 tcpopt=20 mss=8960 sackpermit tsopt=S:0xcb0fe1f R:0x0 NOP=NOP wsopt shift=8 ]]",
"event": {
"category": [
"network"
],
"code": "3400005",
"reason": "TCP MSS 8960 higher than log level.",
"type": [
"info"
]
},
"clavister": {
"ngfw": {
"ipproto": "Ip4",
"recvzone": "Zone_EXA"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000",
"port": 2051
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "TCPMSSLogLevel"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "111111111111",
"port": 50512
}
}
{
"message": "id=3400007 event=tcp_option_strip action=strip [message=Packet has a type 254 TCP option. Stripping it tcpopt=254 recvzone=\"Zone_INTERNET\" ][rules rule=TCPOPT_OTHER ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=64 ipproto=TCP ttl=111 fragid=52547 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x5CE srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=22 destport=23753 seqno=2894526312 ackno=2184314881 chksum=0xDC3B window=65535 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=1 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=44 tcpopt=24 mss=1460 sackpermit tsopt=S:0x327b23c6 R:0x327b23c6 opt=254 len=4 END=END ]]",
"event": {
"category": [
"network"
],
"code": "3400007",
"reason": "Packet has a type 254 TCP option. Stripping it",
"type": [
"info"
]
},
"clavister": {
"ngfw": {
"ipproto": "Ip4",
"recvzone": "Zone_INTERNET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000",
"port": 23753
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "TCPOPT_OTHER"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "111111111111",
"port": 22
}
}
{
"message": "id=3300029 event=tcp_syn_data action=drop [message=SYN packet contains data. Dropping recvzone=\"Zone_INTERNET\" ][rules rule=TCP_SYN_Data ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Priority delay=Normal throughput=High reliability=Normal ]iptotlen=52 ipproto=TCP ttl=54 fragid=12818 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xD49 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=37751 destport=443 seqno=294625335 ackno=0 chksum=0x639C window=65535 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=20 ]]",
"event": {
"category": [
"network"
],
"code": "3300029",
"reason": "SYN packet contains data. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"ipproto": "Ip4",
"recvzone": "Zone_INTERNET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000",
"port": 443
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "TCP_SYN_Data"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "111111111111",
"port": 37751
}
}
{
"message": "id=7000014 event=ttl_low action=drop [message=Received packet with too low TTL of 1. Min TTL is 3. Dropping ttlmin=3 ttl=1 recvzone=\"Zone_OneConnect\" ][rules rule=TTLOnLowMulticast ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=60 ipproto=UDP ttl=1 fragid=13147 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0x9A66 srcip=1.2.3.4 destip=5.6.7.8 ][udp packet srcport=5353 destport=5353 chksum=0xC116 iptotlen=40 ]",
"event": {
"category": [
"network"
],
"code": "7000014",
"reason": "Received packet with too low TTL of 1. Min TTL is 3. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"recvzone": "Zone_OneConnect"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 5353
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "TTLOnLowMulticast"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 5353
}
}
{
"message": "id=2400400 event=unable_to_find_iface_to_stub_net [message=Internal error: Unable to find my interface attached to stub network 10.0.0.1/27 stub=10.0.0.1/27 ][rules rule=ospfarea ]",
"event": {
"category": [
"network"
],
"code": "2400400",
"outcome": "failure",
"reason": "Internal error: Unable to find my interface attached to stub network 10.0.0.1/27",
"type": [
"info"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"rule": {
"name": "ospfarea"
}
}
{
"message": "id=3300010 event=unexpected_tcp_flags action=drop [message=Unexpected tcp flags \"SYN ECE CWR\" from originator during state FIN_RCVD. Dropping connrecvzone=\"Zone_EXA\" flags=\"SYN ECE CWR\" state=FIN_RCVD endpoint=originator conndestzone=\"Zone_T0\" recvzone=\"Zone_EXA\" ][rules rule=LogStateViolations ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=55080 conndestport=88 origsent=2.08 K termsent=2.09 K connrecvif=IF_VLAN1_T0 conndestif=IF_VLAN2_T0 ]][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=52 ipproto=TCP ttl=128 fragid=11369 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xEE34 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=55080 destport=88 seqno=2465177740 ackno=0 chksum=0x632F window=8192 urgentpointer=0 rsv=2 [tcpflags YMAS=1 XMAS=1 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1460 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]]",
"event": {
"category": [
"network"
],
"code": "3300010",
"reason": "Unexpected tcp flags \"SYN ECE CWR\" from originator during state FIN_RCVD. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_T0",
"ipproto": "Ip4",
"recvzone": "Zone_EXA"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000",
"port": 88
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "LogStateViolations"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "111111111111",
"port": 55080
}
}
{
"message": "id=3300010 event=unexpected_tcp_flags action=drop [message=Unexpected tcp flags SYN from originator during state FIN_RCVD. Dropping connrecvzone=\"Zone_EXA\" flags=SYN state=FIN_RCVD endpoint=originator conndestzone=\"Zone_EXA\" recvzone=\"Zone_EXA\" ][rules rule=LogStateViolations ][conn [conn connsrcip=1.2.3.4 conndestip=5.6.7.8 connipproto=TCP connsrcport=61799 conndestport=58080 origsent=144 termsent=40.0 connrecvif=VPN_EXAMPLE_INTRANET conndestif=AGG-VLAN_EXAMPLE ]][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=52 ipproto=TCP ttl=127 fragid=24895 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xA2D6 srcip=1.2.3.4 destip=5.6.7.8 ][tcp srcport=61799 destport=58080 seqno=2709173819 ackno=0 chksum=0x10C2 window=64240 urgentpointer=0 rsv=2 [tcpflags YMAS=0 XMAS=0 URG=0 ACK=0 PSH=0 RST=0 SYN=1 FIN=0 dataoffset=32 tcpopt=12 mss=1380 NOP=NOP wsopt shift=8 NOP=NOP NOP=NOP sackpermit ]]",
"event": {
"category": [
"network"
],
"code": "3300010",
"reason": "Unexpected tcp flags SYN from originator during state FIN_RCVD. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"destzone": "Zone_EXA",
"recvzone": "Zone_EXA"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"port": 58080
},
"network": {
"transport": "tcp"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "LogStateViolations"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"port": 61799
}
}
{
"message": "id=6000060 event=unhandled_local action=drop [message=Allowed but unhandled packet to the firewall. Dropping recvzone=\"Zone_INTERNET\" ][rules rule=LocalUndelivered ][ethernet hwsender=1111111111111 hwdest=000000000000 ipproto=Ip4 ][ippacket version=1 iphdrlen=20 [typeOfService precedence=Routine delay=Normal throughput=Normal reliability=Normal ]iptotlen=71 ipproto=UDP ttl=250 fragid=54321 [controlflags rf=0 df=0 mf=0 fragoffs=0 ]chksum=0xF3B4 srcip=1.2.3.4 destip=5.6.7.8 ][udp packet srcport=55506 destport=161 chksum=0x0 iptotlen=51 ]",
"event": {
"category": [
"network"
],
"code": "6000060",
"reason": "Allowed but unhandled packet to the firewall. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"ipproto": "Ip4",
"recvzone": "Zone_INTERNET"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000",
"port": 161
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "LocalUndelivered"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "1111111111111",
"port": 55506
}
}
{
"message": "id=6000040 event=unknown_vlantag action=drop [message=Received VLAN packet with unknown type0x8100 and VLAN ID 271. Dropping vlanid=271 type=0x8100 recvzone=\"\" ][rules rule=UnknownVLANTags ][ethernet hwsender=000000000000 hwdest=111111111111 ipproto=Vlan ]",
"event": {
"category": [
"network"
],
"code": "6000040",
"reason": "Received VLAN packet with unknown type0x8100 and VLAN ID 271. Dropping",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"ipproto": "Vlan"
}
},
"destination": {
"mac": "111111111111"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"rule": {
"name": "UnknownVLANTags"
},
"source": {
"mac": "000000000000"
}
}
{
"message": "id=300001 event=unsolicited_reply_drop [message=Unsolicited ARP reply received and dropped recvzone=\"Zone_INTRA\" ][rules rule=UnsolicitedARPReplies ][ethernet hwsender=111111111111 hwdest=000000000000 ipproto=Arp ][arp opcode=Reply hardwareAddressSpace=1 protocolAddressSpace=2048 hardwareAddressLength=6 protocolAddressLength=4 [ARP Packet Data hwsender=111111111111 hwdest=000000000000 srcip=1.2.3.4 destip=5.6.7.8 ]]",
"event": {
"category": [
"network"
],
"code": "300001",
"reason": "Unsolicited ARP reply received and dropped",
"type": [
"denied"
]
},
"clavister": {
"ngfw": {
"ipproto": "Arp",
"recvzone": "Zone_INTRA"
}
},
"destination": {
"address": "5.6.7.8",
"ip": "5.6.7.8",
"mac": "000000000000"
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4",
"5.6.7.8"
]
},
"rule": {
"name": "UnsolicitedARPReplies"
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4",
"mac": "111111111111"
}
}
{
"message": "id=9000011 event=user_disconnected [message=User JDOE is forcibly disconnected. Client: 1.2.3.4 username=JDOE client_ip=4.3.2.1 ipaddr=1.2.3.4 ]",
"event": {
"category": [
"authentication"
],
"code": "9000011",
"reason": "User JDOE is forcibly disconnected. Client: 1.2.3.4",
"type": [
"end"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"JDOE"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "JDOE"
}
}
{
"message": "id=3700102 event=user_login [message=User logged in. Idle timeout: 1800, Session timeout: 0 groups=\"GROUP1,GROUP2\" idle_timeout=1800 session_timeout=0 ][userauth authrule=IF_OneConnect username=jdoe authagent=OneConnect authsrc=n/a authevent=Login srcip=1.2.3.4 ]",
"event": {
"category": [
"authentication"
],
"code": "3700102",
"reason": "User logged in. Idle timeout: 1800, Session timeout: 0",
"type": [
"start"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"jdoe"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "jdoe"
}
}
{
"message": "id=3700110 event=user_logout message=User logged out [userauth authrule=IF_OneConnect username=JDOE authagent=OneConnect authsrc=n/a authevent=Logout srcip=1.2.3.4 ]",
"event": {
"category": [
"authentication"
],
"code": "3700110",
"reason": "User",
"type": [
"end"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"JDOE"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "JDOE"
}
}
{
"message": "id=3700020 event=user_timeout action=user_removed message=User timeout expired, user is automatically logged out [userauth authrule=IF_OneConnect username=JDOE authagent=OneConnect authsrc=n/a authevent=Logout srcip=1.2.3.4 ]",
"event": {
"category": [
"authentication"
],
"code": "3700020",
"reason": "User",
"type": [
"end"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"1.2.3.4"
],
"user": [
"JDOE"
]
},
"source": {
"address": "1.2.3.4",
"ip": "1.2.3.4"
},
"user": {
"name": "JDOE"
}
}
{
"message": "id=200122 event=wcf_connecting action=connecting [message=HTTPALG:Connecting to web content server 5.6.7.8 server=5.6.7.8 ]algmod=http",
"event": {
"category": [
"network"
],
"code": "200122",
"reason": "HTTPALG:Connecting to web content server 5.6.7.8",
"type": [
"connection"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"5.6.7.8"
]
},
"server": {
"ip": "5.6.7.8"
}
}
{
"message": "id=200123 event=wcf_server_connected action=none [message=HTTPALG: Web content server 5.6.7.8 connected server=5.6.7.8 ]algmod=http",
"event": {
"category": [
"network"
],
"code": "200123",
"reason": "HTTPALG: Web content server 5.6.7.8 connected",
"type": [
"start"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"5.6.7.8"
]
},
"server": {
"ip": "5.6.7.8"
}
}
{
"message": "id=200134 event=wcf_server_disconnected action=none [message=HTTPALG: Web content server 164.132.83.85 disconnected server=164.132.83.85 ]algmod=http",
"event": {
"category": [
"network"
],
"code": "200134",
"reason": "HTTPALG: Web content server 164.132.83.85 disconnected",
"type": [
"end"
]
},
"observer": {
"product": "NGFW",
"vendor": "Clavister"
},
"related": {
"ip": [
"164.132.83.85"
]
},
"server": {
"ip": "164.132.83.85"
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
| Name | Type | Description |
|---|---|---|
clavister.ngfw.destzone |
keyword |
Destination zone |
clavister.ngfw.ipproto |
keyword |
Data link layer protocol |
clavister.ngfw.knownhw |
keyword |
Known hardware |
clavister.ngfw.knownip |
keyword |
Known IP |
clavister.ngfw.newhw |
keyword |
New hardware |
clavister.ngfw.recvzone |
keyword |
Receive zone |
client.ip |
ip |
IP address of the client. |
destination.ip |
ip |
IP address of the destination. |
destination.mac |
keyword |
MAC address of the destination. |
destination.nat.ip |
ip |
Destination NAT ip |
destination.nat.port |
long |
Destination NAT Port |
destination.port |
long |
Port of the destination. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.code |
keyword |
Identification code for this event. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.outcome |
keyword |
The outcome of the event. The lowest level categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
network.transport |
keyword |
Protocol Name corresponding to the field iana_number. |
observer.product |
keyword |
The product name of the observer. |
observer.vendor |
keyword |
Vendor name of the observer. |
rule.name |
keyword |
Rule name |
server.ip |
ip |
IP address of the server. |
source.ip |
ip |
IP address of the source. |
source.mac |
keyword |
MAC address of the source. |
source.nat.ip |
ip |
Source NAT ip |
source.nat.port |
long |
Source NAT port |
source.port |
long |
Port of the source. |
user.name |
keyword |
Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.