| Line | Description |
| --- | --- |
| 1 | The first two bytes of this line indicate the standard header value of 1. The second two bytes indicate that the message is a data message (that is, message type 4). |
| 2 | This line indicates that the message that follows is 294 bytes long. |
| 3 | The first bit of this line is a flag indicating that the header is an extended header containing an archive timestamp. The next 15 bits are an optional field containing the Netmap ID for the domain on which the event was detected. The remainder of the line indicates a record type value of 400, which represents an intrusion event record. |
| 4 | This line indicates that the event record that follows is 278 bytes long. |
| 5 | This line is the timestamp of when the event was saved. In this case, it was saved on Wednesday, July 2, 2014 at 16:11:27. |
| 6 | This line is reserved for future use and is populated with zeros. |
| 7 | This line indicates that the block type is 45, which is the block type for intrusion event records for version 5.4+. |
| 8 | This line indicates that the data block is 278 bytes long. |
| 9 | This line indicates that the event was collected from sensor number 5. |
| 10 | This line indicates that the event identification number is 65580. |
| 11 | This line indicates that the event occurred at event second 1404317489. |
| 12 | This line indicates that the event occurred at microsecond 46542. |
| 13 | This line indicates that the rule ID number is 4. |
| 14 | This line indicates that the event was detected by generator ID number 119, the rules engine. |
| 15 | This line indicates that the rule revision number is 1. |
| 16 | This line indicates that the classification identification number is 1. |
| 17 | This line indicates that the priority identification number is 3. |
| 18 | This line indicates that the source IP address is 10.5.61.220. Note that this field can contain either an IPv4 or an IPv6 address. |
| 19 | This line indicates that the destination IP address is 10.5.56.133. Note that this field can contain either an IPv4 or an IPv6 address. |
| 20 | The first two bytes in this line indicate that the source port number is 33018, and the second two bytes indicate that the destination port number is 8080. |
| 21 | The first byte in this line indicates that TCP (6) is the protocol used in the event. The second byte is the impact flag. Its second bit is 1, indicating that the event is red (vulnerable); the set bits also indicate that the source or destination host is in a network monitored by the system, that the source or destination host exists in the network map, and that the source or destination host is running a server on the port in the event. Because the second and third flags are 1, this is an orange event, which is potentially vulnerable. The third byte in this line is the impact, which is 2, indicating that the event is orange and potentially vulnerable. The last byte indicates that the event was not blocked. |
| 22 | This line contains the MPLS label, if present. |
| 23 | The first two bytes in this line indicate that the VLAN ID is 0. The last two bytes are reserved and set to 0. |
| 24 | This line contains the unique ID number for the intrusion policy. |
| 25 | This line contains the internal identification number for the user. Since there is no applicable user, it is all zeros. |
| 26 | This line contains the internal identification number for the web application, which is 847. |
| 27 | This line contains the internal identification number for the client application, which is 2000000676. |
| 28 | This line contains the internal identification number for the application protocol, which is 676. |
| 29 | This line contains the unique identifier for the access control rule, which is 1. |
| 30 | This line contains the unique identifier for the access control policy. |
| 31 | This line contains the unique identifier for the ingress interface. |
| 32 | This line contains the unique identifier for the egress interface. Since this event was blocked. |
| 33 | This line contains the unique identifier for the ingress security zone. |
| 34 | This line contains the unique identifier for the egress security zone. |
| 35 | This line contains the Unix timestamp of the connection event associated with the intrusion event. |
| 36 | The first two bytes in this line indicate the numerical ID of the Snort instance on the managed device that generated the connection event. The remaining two bytes indicate the value used to distinguish between connection events that happen during the same second. |
| 37 | The first two bytes in this line indicate the code for the country of the source host. The remaining two bytes indicate the code for the country of the destination host. |
| 38 | The first two bytes of this line contain the ID number of the compromise associated with this event. The remaining two bytes contain the beginning of the ID number for the security context (virtual firewall) that the traffic passed through. |
| 39 | This line contains the rest of the ID number for the security context (virtual firewall) that the traffic passed through. |
| 40 | The first two bytes of this line contain the last two bytes of the ID number for the security context (virtual firewall) that the traffic passed through. The second two bytes contain the beginning of the SHA-1 hash of the SSL server certificate, if SSL was used. |
| 41 | This line contains the rest of the SHA-1 hash of the SSL server certificate, if SSL was used. |
| 42 | The first two bytes of this line contain the last two bytes of the SHA-1 hash of the SSL server certificate. The second two bytes contain the SSL action that was actually taken. Since SSL was not used in this connection, this is 0. |
| 43 | The first two bytes of this line contain the SSL flow status. Since SSL was not used in this connection, this is 0. The second two bytes contain the first two bytes of the UUID of the network analysis policy associated with this event. |
| 44 | This line contains the rest of the UUID of the network analysis policy associated with this event. |
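The walkthrough above can be turned into a small encoder/decoder that validates the message and record headers and unpacks the 278-byte block into named fields. This is an added example, not Cisco's or eStreamer's own code; it assumes big-endian fields, that IPv4 addresses are carried as IPv4-mapped IPv6 in the 16-byte address slots, an impact-flag byte of 0x06 (bits 1 and 2 set, as the text describes), and zero placeholders for the UUIDs, security context and certificate hash the page does not state.

```python
"""Encoder/decoder for the intrusion event record walked through above (block type 45
inside a record type 400 data message). Added example; field values come from the text."""
import ipaddress
import struct

MSG_HDR = struct.Struct(">HHI")    # header version, message type, length of what follows
REC_HDR = struct.Struct(">HHIII")  # archive flag|netmap id, record type, length, timestamp, reserved
BLOCK = struct.Struct(">II9I16s16sHHBBBBIHH16s5I16s16s16s16s16sIHHHHH16s20sHH16s")
FIELDS = ("block_type block_len sensor_id event_id event_sec event_usec rule_id "
          "generator_id rule_rev class_id priority_id src_ip dst_ip src_port dst_port "
          "protocol impact_flag impact blocked mpls_label vlan_id vlan_reserved "
          "policy_uuid user_id web_app_id client_app_id app_proto_id ac_rule_id "
          "ac_policy_uuid ingress_if egress_if ingress_zone egress_zone conn_ts "
          "snort_instance conn_counter src_country dst_country ioc_id sec_ctx "
          "ssl_cert_sha1 ssl_action ssl_flow_status nap_uuid").split()

def ip_bytes(addr: str) -> bytes:
    """16-byte address slot; IPv4 as IPv4-mapped IPv6 (assumption, see lead-in)."""
    ip = ipaddress.ip_address(addr)
    return ip.packed if ip.version == 6 else ipaddress.IPv6Address(f"::ffff:{ip}").packed

def parse_intrusion_event(msg: bytes) -> dict:
    """Check both headers against the expected values, then unpack the block."""
    version, msg_type, msg_len = MSG_HDR.unpack_from(msg, 0)
    if (version, msg_type) != (1, 4) or msg_len != len(msg) - MSG_HDR.size:
        raise ValueError("not a well-formed eStreamer data message")
    flags, rec_type, rec_len, archive_ts, _reserved = REC_HDR.unpack_from(msg, MSG_HDR.size)
    if rec_type != 400:
        raise ValueError(f"unexpected record type {rec_type}")
    ev = dict(zip(FIELDS, BLOCK.unpack_from(msg, MSG_HDR.size + REC_HDR.size)))
    if ev["block_type"] != 45 or ev["block_len"] != rec_len or rec_len != BLOCK.size:
        raise ValueError("block type/length mismatch")
    ev.update(archive_header=bool(flags >> 15), netmap_id=flags & 0x7FFF, archive_ts=archive_ts)
    for key in ("src_ip", "dst_ip"):                # slot may hold IPv4 or IPv6
        v6 = ipaddress.IPv6Address(ev[key])
        ev[key] = str(v6.ipv4_mapped or v6)
    ev["impact_flag_bits"] = [b for b in range(8) if (ev["impact_flag"] >> b) & 1]
    return ev

def build_sample() -> bytes:
    """Constructed message with the walkthrough's values (not a real capture)."""
    z16, z20 = bytes(16), bytes(20)                 # placeholder UUIDs / context / hash
    block = BLOCK.pack(45, BLOCK.size, 5, 65580, 1404317489, 46542, 4, 119, 1, 1, 3,
                       ip_bytes("10.5.61.220"), ip_bytes("10.5.56.133"), 33018, 8080,
                       6, 0x06, 2, 0, 0, 0, 0, z16, 0, 847, 2000000676, 676, 1,
                       z16, z16, z16, z16, z16, 1404317489, 0, 0, 0, 0, 0,
                       z16, z20, 0, 0, z16)
    body = REC_HDR.pack(1 << 15, 400, BLOCK.size, 1404317487, 0) + block  # 16:11:27 UTC assumed
    return MSG_HDR.pack(1, 4, len(body)) + body
```

The message length the encoder computes (294) matches line 2 of the walkthrough: an 8-byte record header, an 8-byte archive timestamp header and the 278-byte block.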