BROADCOM¶

BROADCOM

About¶

SSL Visibility Appliance is a comprehensive, extensible solution that assures high-security encryption. The SSL Visibility Appliance provides timely and complete standards support, with 100 Cipher Suites and key exchanges offered.

Product Details¶

Vendor URL: BROADCOM

Product Type: Encryption

Product Tier: Tier III

Integration Method: Syslog

Integration URL: n/a

Log Guide: n/a

Parser Details¶

Log Format: CSV

Expected Normalization Rate: near 100%

Data Label: BROADCOM_SSL_VA

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field	UDM Field
prodlogid	metadata.product_log_id
"SSL Visibility"	metadata.product_name
"Broadcom"	metadata.vendor_name
hostname	principal.hostname
pid	principal.process.pid
srcip	principal.ip
srcPort	principal.port
event_type	target.application
destip	target.ip
destport	target.port
smb_host	target.hostname
smb_uid	target.user.userid
tlsversion	network.tls_version
ciphersuite	network.tls.cipher
status	security_result.action
action	security_result.action_details
category	security_result.category
rule	security_result.rule_id
flag_list	about.resource.attribute.Flag list
segment_id	about.resource.attribute.segment_id

Product Event Types¶

Product Event	Description	UDM Event
src/destIp		NETWORK_CONNECTION
Default	All other events	GENERIC_EVENT

Log Sample¶

Oct 20 21:30:12 HOSTNAME ssldata[15726]: [A:3b0318.5] product_log_id 10.107.218.31:59478 -> 10.104.164.115:443 TLS1.2 TLS_RSA_WITH_AES_128_GCM_SHA256 miapp.schwab.com --- cert fp: 93:9B:44:3F:91:76:E3:57:28:4D:2A:17:63:CC:BF:20:E7:86:E8:C6 rule:0 cut SUCCESS (0x0000000000000000) 0x60999b56006cfeca Full x509:V V[271756]:pT[0x182666d7e0e]:eF[0x400101a0004315f7]:type[Full]:pol[P0P1]:init[TI]:SNI[Match]:dname[SAN]:dix[0]:chix[0(O)]:rfw[N]:rov[N]:isix[S0]:cver[0x0303]:ver[03.03]cat[0x0]:CF[0x104020101403]:ChF[0x1000000000811]:Cmrx[SH|SC|CReq|SHD]:Cmtx[CH]:Cocx[0x2000009271]:Cchx[0x2000009271]:Cshx[0x1001]:Chrx[0x0]:Ceex[0x0]:SF[0x2000020000002]:ShF[0x252a00000000]:Smrx[CH]:Smtx[--]:Socx[0x2000009271]:Schx[0x2000009271]:Sshx[0x1001]:Shrx[0x0]:Seex[0x0]:Pxy[---]:sint[0x0]:nt[0x0]:Corr[0x0]:ALPN[--]:css[weak]:JA3[37fbfb78323357338ae6777bda79f9d7]:S019 {"additional":[{"label":"smb_host","value":"smb_host_value"},{"label":"smb_stage1","value":"smb_stage1_value"},{"label":"smb_uid","value":"smb_uid_value"},{"label":"smb_timezone","value":"EDT"},{"label":"source_country","value":""},{"label":"source_country_name","value":""}]}

Sample Parsing¶

metadata.event_timestamp = "1666301412"
metadata.vendor_name = "Broadcom"
metadata.product_name = "SSL Visibility"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_log_id = "product_log_id"
principal.hostname = "HOSTNAME"
principal.process.pid = "15726"
principal.ip = "10.107.218.31"
principal.port = 59478
target.ip = "10.104.164.115"
target.port = 443
target.application = "ssldata"
about.resource.attribute.key = "Flag list"
about.resource.attribute.value = "(0x0000000000000000) 0x60999b56006cfeca Full x509:V V[271756]:pT[0x182666d7e0e]:eF[0x400101a0004315f7]:type[Full]:pol[P0P1]:init[TI]:SNI[Match]:dname[SAN]:dix[0]:chix[0(O)]:rfw[N]:rov[N]:isix[S0]:cver[0x0303]:ver[03.03]cat[0x0]:CF[0x104020101403]:ChF[0x1000000000811]:Cmrx[SH|SC|CReq|SHD]:Cmtx[CH]:Cocx[0x2000009271]:Cchx[0x2000009271]:Cshx[0x1001]:Chrx[0x0]:Ceex[0x0]:SF[0x2000020000002]:ShF[0x252a00000000]:Smrx[CH]:Smtx[--]:Socx[0x2000009271]:Schx[0x2000009271]:Sshx[0x1001]:Shrx[0x0]:Seex[0x0]:Pxy[---]:sint[0x0]:nt[0x0]:Corr[0x0]:ALPN[--]:css[weak]:JA3[37fbfb78323357338ae6777bda79f9d7]:S019"
about.resource.attribute.key = "segment_id"
about.resource.attribute.value = "A"
security_result.category = SOFTWARE_MALICIOUS
security_result.rule_id = "rule:0"
security_result.action = "BLOCK"
security_result.action_details = "cut"
network.tls.cipher = "TLS_RSA_WITH_AES_128_GCM_SHA256"
network.tls.version = "TLS1.2"

Parser Alerting¶

This product currently does not have any Parser-based Alerting

Rules¶

Coming Soon