
RT_FLOW APPTRACK_SESSION_VOL_UPDATE interpretation

    Posted 10-16-2020 08:31

    I'm working to get security alerts set up between an SRX340 and Eventlog Analyzer SIEM.

    I've been getting alerts that look like this:

    Alert Name : Default Threat,Event Name : Application Access Update,Message : Malicious Source(s) detected : 94.229.72.116

    Log Message :
    APPTRACK_SESSION_VOL_UPDATE: AppTrack volume update: xx.xx.1.93/64280->94.229.72.116/443 junos-https UNKNOWN UNKNOWN xxx.xxx.xxx.xxx/16925->94.229.72.116/443 source-nat-rule N/A 6 Managers trust untrust 57738 1(52) 0(0) 0 N/A N/A No ,Alert Severity : Critical

    Actually, the recorded alert in the SIEM database starts with RT_FLOW.

    For reference: from juniper.net:
    APPTRACK_SESSION_VOL_UPDATE [user@host.1.1.1.2.129 source-address="4.0.0.1" source-port="33040" destination-address="5.0.0.1" destination-port="80" service-name="junos-http" application="HTTP" nested-application="FACEBOOK-SOCIALRSS" nat-source-address="4.0.0.1" nat-source-port="33040" nat-destination-address="5.0.0.1" nat-destination-port="80" src-nat-rule-name="N/A" dst-nat-rule-name="N/A" protocol-id="6" policy-name="permit-all" source-zone-name="trust" destination-zone-name="untrust" session-id-32="28" packets-from-client="371" bytes-from-client="19592" packets-from-server="584" bytes-from-server="686432" elapsed-time="60" username="user1" roles="DEPT1" encrypted="No" destination-interface-name="st0.0" category="Web" sub-category="Social-Networking"]

    So, most of what I see in the alert is understandable.  Sorry to bore you with those details.  But there are a couple of important things that I don't understand:

    Where does the Alert Severity : Critical come from and why?

    And,

    Where does "Malicious Source(s)" come from and why?
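As an added example (not part of the post or of Juniper's own tooling), the parser below maps the plain-text APPTRACK_SESSION_VOL_UPDATE message quoted above onto the attribute names from the structured-syslog reference also quoted above. The positional order is an assumption derived from that reference's field order; the sample message is constructed from the post with the same masked addresses. Note that none of the parsed fields is a severity or a threat verdict, so those labels are not coming from the log message itself.

```python
import re
from typing import Dict, Optional

# Constructed sample, copied from the message in the post (addresses masked as there).
SAMPLE = ("RT_FLOW: APPTRACK_SESSION_VOL_UPDATE: AppTrack volume update: "
          "xx.xx.1.93/64280->94.229.72.116/443 junos-https UNKNOWN UNKNOWN "
          "xxx.xxx.xxx.xxx/16925->94.229.72.116/443 source-nat-rule N/A 6 Managers "
          "trust untrust 57738 1(52) 0(0) 0 N/A N/A No")

# ASSUMED positional layout after the leading src/dst tuple, taken from the order of
# the attribute=value fields in the structured-syslog example quoted from juniper.net.
POSITIONAL = ["service-name", "application", "nested-application", "_nat_tuple",
              "src-nat-rule-name", "dst-nat-rule-name", "protocol-id", "policy-name",
              "source-zone-name", "destination-zone-name", "session-id-32",
              "_client_counters", "_server_counters", "elapsed-time", "username",
              "roles", "encrypted"]

TUPLE_RE = re.compile(r"^(?P<sa>[^/]+)/(?P<sp>\d+)->(?P<da>[^/]+)/(?P<dp>\d+)$")
COUNTER_RE = re.compile(r"^(?P<pkts>\d+)\((?P<bytes>\d+)\)$")   # e.g. 1(52) = packets(bytes)


def parse_apptrack_vol_update(msg: str) -> Optional[Dict[str, str]]:
    """Return field-name -> value for one message, or None if it is not this event
    or its layout differs from the assumed one (never guess on a mismatch)."""
    marker = "APPTRACK_SESSION_VOL_UPDATE: AppTrack volume update: "
    if marker not in msg:
        return None
    tokens = msg.split(marker, 1)[1].split()
    if len(tokens) != 1 + len(POSITIONAL):
        return None
    m = TUPLE_RE.match(tokens[0])
    if not m:
        return None
    fields: Dict[str, str] = {"source-address": m["sa"], "source-port": m["sp"],
                              "destination-address": m["da"], "destination-port": m["dp"]}
    for name, tok in zip(POSITIONAL, tokens[1:]):
        if name == "_nat_tuple":                       # post-NAT 5-tuple
            n = TUPLE_RE.match(tok)
            if not n:
                return None
            fields.update({"nat-source-address": n["sa"], "nat-source-port": n["sp"],
                           "nat-destination-address": n["da"], "nat-destination-port": n["dp"]})
        elif name in ("_client_counters", "_server_counters"):
            c = COUNTER_RE.match(tok)
            if not c:
                return None
            side = "client" if name == "_client_counters" else "server"
            fields[f"packets-from-{side}"], fields[f"bytes-from-{side}"] = c["pkts"], c["bytes"]
        else:
            fields[name] = tok
    return fields
```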