
FireEye AX Series

Description

Constructor: FireEye

Product: AX series

Log type(s):

Log sample

fenotify-562824.alert: CEF:0|FireEye|MPS|7.9.2.589127|MC|malware-callback|7|rt=Feb 27 2017 23:00:55 UTC src=1.1.1.1 cn3Label=cncPort cn3=8001 cn2Label=sid cn2=60514235 proto=tcp spt=32119 dst=1.3.1.1 cs5Label=cncHost cs5=1.3.1.1 dvchost=THX1P dvc=1.3.3.2 smac=aa:bb:cc:dd:ee:ff cn1Label=vlan cn1=2103 dpt=8001 externalId=562120 cs4Label=link cs4=https://THX1P/event_stream/events_for_bot?ev_id\=562801 act=blocked cs6Label=channel cs6=GUID\=13894115160511570911&BUILD\=2702&INFO\=PC700764 @ ESPACECPT\\charbonc&IP\=0.0.0.0&TYPE\=1&WIN\=6.1(x64) dmac=aa:bb:cc:dd:ee:ff cs1Label=sname cs1=Trojan.Hancitor devicePayloadId=046d345f-68d7-41af-81b5-542786f258d4

fenotify-552082.alert: CEF:0|FireEye|MPS|7.8.1.468932|MC|malware-callback|7|rt=Feb 01 2017 23:08:34 UTC src=1.2.1.223 cn3Label=cncPort cn3=8781 cn2Label=sid cn2=20005586 dvchost=THSIANSBX01P requestMethod=GET proto=tcp request=hxxp://pup.info/MHandler/RequestHandler.ashx?UID\=9cf00682-b07a-427a-93c7-edb0e58ec808&codename\=c2&version\=3&browser\=other&os\=5_1_2600_196608&mode\=check dst=1.3.4.2 cs5Label=cncHost cs5=1.3.2.2 spt=2032 dvc=1.3.2.52 smac=b3:45:20:3c:d8:d1 cn1Label=vlan cn1=2560 dpt=8089 externalId=552082 cs4Label=link cs4=https://TP/event_stream/eves_for_bot?ev_id\=552082 act=notified cs6Label=channel cs6=GET http://pup.info/MHandler/RequestHandler.ashx?UID\=9cf00842-b07a-417a-93c7-edb1e58ec808&codename\=c2&version\=3&browser\=other&os\=5_1_2600_196608&mode\=check HTTP/1.1::~~Host: pup.info::~~Proxy-Connection: Keep-Alive::~~::~~ dmac=01:09:ec:dd:11:00 cs1Label=sname cs1=Tojan.Skeeyah

fenotify-552429.alert: CEF:0|FireEye|MPS|7.8.1.468932|MC|malware-callback|7|rt=Feb 03 2017 23:08:35 UTC src=1.2.1.2 cn3Label=cncPort cn3=8181 cn2Label=sid cn2=20005586 dvchost=TH01P requestMethod=GET proto=tcp request=hxxp://pup.info/MHandler/RequestHandler.ashx?UID\=9cf11682-b57a-437a-23c7-edb0e58ec808&codename\=c2&version\=3&browser\=other&os\=5_1_2600_196608&mode\=check dst=1.3.2.2 cs5Label=cncHost cs5=1.3.2.2 spt=1331 dvc=1.3.2.1 smac=aa:bb:cc:dd:ee:ff cn1Label=vlan cn1=2560 dpt=8181 externalId=552429 cs4Label=link cs4=https://T01P/event_stream/events_for_bot?ev_id\=552429 act=notified cs6Label=channel cs6=GET http://pup.info/MHandler/RequestHandler.ashx?UID\=9cf11682-b07a-437a-23c7-edb0e58ec808&codename\=c2&version\=3&browser\=other&os\=5_1_2600_196608&mode\=check HTTP/1.1::~~Host: pcboostup.info::~~Proxy-Connection: Keep-Alive::~~::~~ dmac=aa:bb:cc:dd:ee:ff cs1Label=sname cs1=Tojan.Skeeyah

Parsing strategy

This parser is mainly built from a CSV split of the CEF header (the pipe-separated fields up to and including the severity). The remaining field, the CEF extension, then needs to be parsed with a key/value parser.
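The two-stage strategy above, as an added example in Python (this is not FireEye's code, nor the code of the parser this page documents): the CEF header is split on unescaped pipes into its seven fixed fields, the extension is parsed as key/value pairs whose values may contain spaces and CEF-escaped `\=` and `\\` sequences, and the csN/cnN custom fields are renamed through their `Label` companions (so `cs5Label=cncHost cs5=1.3.1.1` becomes `cncHost`). The input is the page's own first log sample, embedded verbatim; `split_channel` is an assumed helper for the `::~~`-joined HTTP request lines seen in the other two samples.

```python
"""Parse a FireEye AX/MPS CEF alert: pipe-split header, then key/value extension."""
import re
from typing import Dict, List, Tuple

# Page's first log sample, kept verbatim as a raw string so the CEF escapes survive.
SAMPLE = r"fenotify-562824.alert: CEF:0|FireEye|MPS|7.9.2.589127|MC|malware-callback|7|rt=Feb 27 2017 23:00:55 UTC src=1.1.1.1 cn3Label=cncPort cn3=8001 cn2Label=sid cn2=60514235 proto=tcp spt=32119 dst=1.3.1.1 cs5Label=cncHost cs5=1.3.1.1 dvchost=THX1P dvc=1.3.3.2 smac=aa:bb:cc:dd:ee:ff cn1Label=vlan cn1=2103 dpt=8001 externalId=562120 cs4Label=link cs4=https://THX1P/event_stream/events_for_bot?ev_id\=562801 act=blocked cs6Label=channel cs6=GUID\=13894115160511570911&BUILD\=2702&INFO\=PC700764 @ ESPACECPT\\charbonc&IP\=0.0.0.0&TYPE\=1&WIN\=6.1(x64) dmac=aa:bb:cc:dd:ee:ff cs1Label=sname cs1=Trojan.Hancitor devicePayloadId=046d345f-68d7-41af-81b5-542786f258d4"

HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")

# key=value pairs: a value runs until the next " key=" token; "\=" and "\\" are
# consumed as escape pairs so an escaped "=" never terminates a value.
_EXT_PAIR = re.compile(
    r"(?P<key>[A-Za-z0-9_.]+)=(?P<val>(?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|\s*$)")


def split_cef_header(line: str) -> Tuple[Dict[str, str], str]:
    """Return the 7 header fields and the raw extension text.

    The header is a pipe-separated 'CSV'; '\\|' and '\\\\' are unescaped here.
    Anything before 'CEF:' (e.g. a syslog or 'fenotify-...' prefix) is skipped.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    s = line[start + len("CEF:"):]
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(s) and len(fields) < len(HEADER_FIELDS):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            buf.append(s[i + 1])  # escaped pipe or backslash inside a header field
            i += 2
            continue
        if c == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return dict(zip(HEADER_FIELDS, fields)), s[i:]


def _unescape(value: str) -> str:
    """Undo CEF extension escapes: '\\=' -> '=', '\\\\' -> '\\', '\\n'/'\\r' -> newline."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext: str) -> Dict[str, str]:
    """Key/value parse of the extension; values keep their internal spaces."""
    return {m.group("key"): _unescape(m.group("val")) for m in _EXT_PAIR.finditer(ext)}


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename custom fields via their Label keys (cs5Label=cncHost cs5=X -> cncHost=X)."""
    out: Dict[str, str] = {}
    renamed = set()
    for key, label in ext.items():
        if key.endswith("Label") and key[:-len("Label")] in ext:
            base = key[:-len("Label")]
            out[label] = ext[base]
            renamed.update({key, base})
    for key, val in ext.items():
        if key not in renamed:
            out[key] = val
    return out


def parse_cef(line: str) -> Dict[str, str]:
    """Full parse: header fields merged with the label-resolved extension."""
    header, ext = split_cef_header(line)
    record = dict(header)
    record.update(resolve_labels(parse_extension(ext)))
    return record


def split_channel(channel: str) -> List[str]:
    """Assumed helper: FireEye joins HTTP request lines in 'channel' with '::~~'."""
    return [part for part in channel.split("::~~") if part]


if __name__ == "__main__":
    for k, v in parse_cef(SAMPLE).items():
        print(f"{k:16} {v}")
```

The header loop stops after the seventh unescaped pipe on purpose: the extension may itself contain pipes (inside URLs or the `channel` field), so a naive `split("|")` would corrupt it. Likewise the extension regex only ends a value at whitespace followed by `key=`, which is why `rt=Feb 27 2017 23:00:55 UTC` and the space-containing `channel` value survive intact.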