SRX Services Gateway

RT_FLOW APPTRACK_SESSION_VOL_UPDATE interpretation

2 weeks ago

I'm working to get security alerts set up between an SRX340 and Eventlog Analyzer SIEM.

I've been getting alerts that look like this:

Alert Name : Default Threat,Event Name : Application Access Update,Message : Malicious Source(s) detected : 94.229.72.116

Log Message :
APPTRACK_SESSION_VOL_UPDATE: AppTrack volume update: xx.xx.1.93/64280->94.229.72.116/443 junos-https UNKNOWN UNKNOWN xxx.xxx.xxx.xxx/16925->94.229.72.116/443 source-nat-rule N/A 6 Managers trust untrust 57738 1(52) 0(0) 0 N/A N/A No ,Alert Severity : Critical

Actually, the recorded alert in the SIEM database starts with RT_FLOW.


For reference: from juniper.net:
APPTRACK_SESSION_VOL_UPDATE [user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name="st0.0" category=" Web" sub-category="Social-Networking"]


So, most of what I see in the alert is understandable. Sorry to bore you with those details. But there are a couple of important things that I don't understand:

Where does the "Alert Severity : Critical" come from, and why?

And,

Where does "Malicious Source(s)" come from, and why?


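As an added example (not code from this thread, from Juniper, or from the SIEM vendor), the parser below splits the posted alert into the fields that come from the SRX log line and the labels the SIEM wraps around it. It assumes the field order of the legacy space-separated form follows the order of the structured reference quoted above, and it takes the envelope labels (Alert Name, Event Name, Message, Log Message, Alert Severity) from the alert as posted; the sample alert is constructed from the thread with the site's addresses masked as in the post. Running it makes one thing visible: neither form of the SRX message carries a severity or a "malicious source" field, so both values are attached by the SIEM's alert profile, which narrows the question to that configuration rather than to the SRX.

```python
"""Parse an Eventlog Analyzer alert envelope and the SRX RT_FLOW
APPTRACK_SESSION_VOL_UPDATE message inside it, in both the legacy
space-separated form (as in the alert) and the structured key="value"
form (as in the Juniper reference).

Example code added to this thread; not Juniper's or the SIEM vendor's.
The legacy field order below is an assumption taken from the field order
of the structured reference message.
"""
import re
from typing import Dict, List, Tuple

# Assumed legacy field order: the structured reference's order, with the two
# address tuples and the two packets(bytes) counters each kept as one token.
LEGACY_FIELDS: List[str] = [
    "source-flow", "service-name", "application", "nested-application",
    "nat-flow", "src-nat-rule-name", "dst-nat-rule-name", "protocol-id",
    "policy-name", "source-zone-name", "destination-zone-name", "session-id-32",
    "client-counters", "server-counters", "elapsed-time", "username", "roles",
    "encrypted",
]
HEADER = "AppTrack volume update:"
# key="value" pairs; accept curly quotes too, since copied reference text often carries them.
KV_RE = re.compile(r'([\w-]+)=["\u201c\u201d]([^"\u201c\u201d]*)["\u201c\u201d]')
FLOW_RE = re.compile(r"^(?P<sa>[^/]+)/(?P<sp>\d+)->(?P<da>[^/]+)/(?P<dp>\d+)$")
COUNTER_RE = re.compile(r"^(?P<pkts>\d+)\((?P<bytes>\d+)\)$")
# Envelope labels as they appear in the posted alert (assumed to be the full set).
SIEM_LABELS = ("Alert Name", "Event Name", "Message", "Log Message", "Alert Severity")
SIEM_SPLIT_RE = re.compile(r"\s*[,\n]\s*(?=(?:" + "|".join(SIEM_LABELS) + r")\s:\s)")

# Constructed sample: the alert from the thread, addresses masked as in the post.
SAMPLE_ALERT = (
    "Alert Name : Default Threat,Event Name : Application Access Update,"
    "Message : Malicious Source(s) detected : 94.229.72.116\n\n"
    "Log Message :\n"
    "APPTRACK_SESSION_VOL_UPDATE: AppTrack volume update: "
    "xx.xx.1.93/64280->94.229.72.116/443 junos-https UNKNOWN UNKNOWN "
    "xxx.xxx.xxx.xxx/16925->94.229.72.116/443 source-nat-rule N/A 6 Managers "
    "trust untrust 57738 1(52) 0(0) 0 N/A N/A No ,Alert Severity : Critical"
)


def _split_flow(token: str, src: str, dst: str, rec: Dict[str, str]) -> None:
    """Expand 'a/p->b/q' into the four address/port fields of the structured form."""
    m = FLOW_RE.match(token)
    if not m:
        raise ValueError(f"bad address tuple: {token!r}")
    rec[f"{src}-address"], rec[f"{src}-port"] = m["sa"], m["sp"]
    rec[f"{dst}-address"], rec[f"{dst}-port"] = m["da"], m["dp"]


def _split_counter(token: str, side: str, rec: Dict[str, str]) -> None:
    """Expand 'packets(bytes)' into packets-from-<side> and bytes-from-<side>."""
    m = COUNTER_RE.match(token)
    if not m:
        raise ValueError(f"bad packets(bytes) counter: {token!r}")
    rec[f"packets-from-{side}"], rec[f"bytes-from-{side}"] = m["pkts"], m["bytes"]


def parse_legacy(msg: str) -> Dict[str, str]:
    """Parse the space-separated form, e.g. the line inside the SIEM alert."""
    if HEADER not in msg:
        raise ValueError("not an APPTRACK_SESSION_VOL_UPDATE message")
    tokens = msg.split(HEADER, 1)[1].split()
    if len(tokens) != len(LEGACY_FIELDS):
        raise ValueError(f"expected {len(LEGACY_FIELDS)} fields, got {len(tokens)}")
    rec: Dict[str, str] = {}
    for name, tok in zip(LEGACY_FIELDS, tokens):
        if name == "source-flow":
            _split_flow(tok, "source", "destination", rec)
        elif name == "nat-flow":
            _split_flow(tok, "nat-source", "nat-destination", rec)
        elif name == "client-counters":
            _split_counter(tok, "client", rec)
        elif name == "server-counters":
            _split_counter(tok, "server", rec)
        else:
            rec[name] = tok
    return rec


def parse_structured(msg: str) -> Dict[str, str]:
    """Parse the structured-syslog form used in the Juniper reference."""
    return {k: v.strip() for k, v in KV_RE.findall(msg)}


def parse_siem_alert(alert: str) -> Dict[str, str]:
    """Split the SIEM envelope into its labelled fields."""
    fields: Dict[str, str] = {}
    for part in SIEM_SPLIT_RE.split(alert):
        pieces = re.split(r"\s:\s", part, maxsplit=1)
        if len(pieces) != 2:
            raise ValueError(f"unlabelled envelope fragment: {part!r}")
        fields[pieces[0].strip()] = pieces[1].strip()
    return fields


def split_alert(alert: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (fields parsed from the SRX log line, fields added by the SIEM envelope)."""
    env = parse_siem_alert(alert)
    srx = parse_legacy(env["Log Message"])
    siem = {k: v for k, v in env.items() if k != "Log Message"}
    return srx, siem


if __name__ == "__main__":
    srx_fields, siem_fields = split_alert(SAMPLE_ALERT)
    for k, v in srx_fields.items():
        print(f"SRX   {k:28} {v}")
    for k, v in siem_fields.items():
        print(f"SIEM  {k:28} {v}")
```

The legacy parser is deliberately strict about the token count: a policy name or username containing a space would shift every later field, so rejecting the line is safer than silently mislabelling the zone or session id. Where the SRX can be configured for structured syslog, `parse_structured` is the form to prefer, since every field then arrives named.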