Connection Statistics Data Block Type |
uint32 |
Initiates a Connection Statistics data block for 6.2-6.7.x. The value is always 168. |
Connection Statistics Data Block Length |
uint32 |
Number of bytes in the Connection Statistics data block, including eight bytes for the connection statistics block type and length fields, plus the number of bytes in the connection data that follows. |
Device ID |
uint32 |
The device that detected the connection event. |
Ingress Zone |
uint8[16] |
Ingress security zone in the event that triggered the policy violation. |
Egress Zone |
uint8[16] |
Egress security zone in the event that triggered the policy violation. |
Ingress Interface |
uint8[16] |
Interface for the inbound traffic. |
Egress Interface |
uint8[16] |
Interface for the outbound traffic. |
Initiator IP Address |
uint8[16] |
IP address of the host that initiated the session described in the connection event, in IP address octets. |
Responder IP Address |
uint8[16] |
IP address of the host that responded to the initiating host, in IP address octets. |
Original Client IP Address |
uint8[16] |
IP address of the host behind the proxy that originated the request, in IP address octets. |
Policy Revision |
uint8[16] |
Revision number of the rule associated with the triggered correlation event, if applicable. |
Rule ID |
uint32 |
Internal identifier for the rule that triggered the event, if applicable. |
Tunnel Rule ID |
uint32 |
Internal identifier for the tunnel rule that triggered the event, if applicable. |
Rule Action |
uint16 |
The action selected in the user interface for that rule (allow, block, and so forth). |
Rule Reason |
uint32 |
The reason the rule triggered the event. |
Initiator Port |
uint16 |
Port used by the initiating host. |
Responder Port |
uint16 |
Port used by the responding host. |
TCP Flags |
uint16 |
Indicates any TCP flags for the connection event. |
Protocol |
uint8 |
The IANA-specified protocol number. |
NetFlow Source |
uint8[16] |
IP address of the NetFlow-enabled device that exported the data for the connection. |
Instance ID |
uint16 |
Numerical ID of the Snort instance on the managed device that generated the event. |
Connection Counter |
uint16 |
Value used to distinguish between connection events that happen during the same second. |
First Packet Timestamp |
uint32 |
UNIX timestamp of the date and time the first packet was exchanged in the session. |
Last Packet Timestamp |
uint32 |
UNIX timestamp of the date and time the last packet was exchanged in the session. |
Initiator Transmitted Packets |
uint64 |
Number of packets transmitted by the initiating host. |
Responder Transmitted Packets |
uint64 |
Number of packets transmitted by the responding host. |
Initiator Transmitted Bytes |
uint64 |
Number of bytes transmitted by the initiating host. |
Responder Transmitted Bytes |
uint64 |
Number of bytes transmitted by the responding host. |
Initiator Packets Dropped |
uint64 |
Number of packets dropped from the session initiator due to rate limiting. |
Responder Packets Dropped |
uint64 |
Number of packets dropped from the session responder due to rate limiting. |
Initiator Bytes Dropped |
uint64 |
Number of bytes dropped from the session initiator due to rate limiting. |
Responder Bytes Dropped |
uint64 |
Number of bytes dropped from the session responder due to rate limiting. |
QOS Applied Interface |
uint8[16] |
For rate-limited connections, the name of the interface on which rate limiting is applied. |
QOS Rule ID |
uint32 |
Internal ID number of the Quality of Service rule applied to the connection, if applicable. |
User ID |
uint32 |
Internal identification number for the user who last logged into the host that generated the traffic. |
Application Protocol ID |
uint32 |
Application ID of the application protocol. |
URL Category |
uint32 |
The internal identification number of the URL category. |
URL Reputation |
uint32 |
The internal identification number for the URL reputation. |
Client Application ID |
uint32 |
The internal identification number of the detected client application, if applicable. |
Web Application ID |
uint32 |
The internal identification number of the detected web application, if applicable. |
String Block Type |
uint32 |
Initiates a String data block for the client application URL. This value is always 0. |
String Block Length |
uint32 |
Number of bytes in the client application URL String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the client application URL string. |
Client Application URL |
string |
URL the client application accessed, if applicable ( /files/index.html , for example). |
String Block Type |
uint32 |
Initiates a String data block for the host NetBIOS name. This value is always 0. |
String Block Length |
uint32 |
Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the NetBIOS name string. |
NetBIOS Name |
string |
Host NetBIOS name string. |
String Block Type |
uint32 |
Initiates a String data block for the client application version. This value is always 0. |
String Block Length |
uint32 |
Number of bytes in the String data block for the client application version, including eight bytes for the string block type and length, plus the number of bytes in the version. |
Client Application Version |
string |
Client application version. |
Monitor Rule 1 |
uint32 |
The ID of the first monitor rule associated with the connection event. |
Monitor Rule 2 |
uint32 |
The ID of the second monitor rule associated with the connection event. |
Monitor Rule 3 |
uint32 |
The ID of the third monitor rule associated with the connection event. |
Monitor Rule 4 |
uint32 |
The ID of the fourth monitor rule associated with the connection event. |
Monitor Rule 5 |
uint32 |
The ID of the fifth monitor rule associated with the connection event. |
Monitor Rule 6 |
uint32 |
The ID of the sixth monitor rule associated with the connection event. |
Monitor Rule 7 |
uint32 |
The ID of the seventh monitor rule associated with the connection event. |
Monitor Rule 8 |
uint32 |
The ID of the eighth monitor rule associated with the connection event. |
Security Intelligence Source/ Destination |
uint8 |
Whether the source or destination IP address matched the IP block list. |
Security Intelligence Layer |
uint8 |
The IP layer that matched the IP block list. |
File Event Count |
uint16 |
Value used to distinguish between file events that happen during the same second. |
Intrusion Event Count |
uint16 |
Value used to distinguish between intrusion events that happen during the same second. |
Initiator Country |
uint16 |
Code for the country of the initiating host. |
Responder Country |
uint16 |
Code for the country of the responding host. |
Original Client Country |
uint16 |
Code for the country of the host behind the proxy which originated the request. |
IOC Number |
uint16 |
ID Number of the compromise associated with this event. |
Source Autonomous System |
uint32 |
Autonomous system number of the source, either origin or peer. |
Destination Autonomous System |
uint32 |
Autonomous system number of the destination, either origin or peer. |
SNMP Input |
uint16 |
SNMP index of the input interface. |
SNMP Output |
uint16 |
SNMP index of the output interface. |
Source TOS |
uint8 |
Type of Service byte setting for the incoming interface. |
Destination TOS |
uint8 |
Type of Service byte setting for the outgoing interface. |
Source Mask |
uint8 |
Source address prefix mask. |
Destination Mask |
uint8 |
Destination address prefix mask. |
Security Context |
uint8[16] |
ID number for the security context (virtual firewall) that the traffic passed through. Note that the system only populates this field for ASA FirePOWER devices in multi-context mode. |
VLAN ID |
uint16 |
VLAN identification number that indicates which VLAN the host is a member of. |
String Block Type |
uint32 |
Initiates a String data block containing the Referenced Host. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the Referenced Host String data block, including eight bytes for the string block type and length fields plus the number of bytes in the Referenced Host field. |
Referenced Host |
string |
Host name information provided in HTTP or DNS. |
String Block Type |
uint32 |
Initiates a String data block containing the User Agent. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the User Agent String data block, including eight bytes for the string block type and length fields plus the number of bytes in the User Agent field. |
User Agent |
string |
Information from the User-Agent header field in the session. |
String Block Type |
uint32 |
Initiates a String data block containing the HTTP Referrer. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the HTTP Referrer String data block, including eight bytes for the string block type and length fields plus the number of bytes in the HTTP Referrer field. |
HTTP Referrer |
string |
The site from which a page originated, taken from the Referer header in the HTTP traffic. |
SSL Certificate Fingerprint |
uint8[20] |
SHA1 hash of the SSL Server certificate. |
SSL Policy ID |
uint8[16] |
ID number of the SSL policy that handled the connection. |
SSL Rule ID |
uint32 |
ID number of the SSL rule or default action that handled the connection. |
SSL Cipher Suite |
uint16 |
Encryption suite used by the SSL connection. The value is stored in decimal format. See www.iana.org/assignments/tls-parameters/tls-parameters.xhtml for the cipher suite designated by the value. |
SSL Version |
uint8 |
The SSL or TLS protocol version used to encrypt the connection. |
SSL Server Certificate Status |
uint32 |
The status of the SSL certificate. Possible values include:
-
0 — Not checked — The server certificate status was not evaluated.
-
1 — Unknown — The server certificate status could not be determined.
-
2 — Valid — The server certificate is valid.
-
4 — Self-signed — The server certificate is self-signed.
-
16 — Invalid Issuer — The server certificate has an invalid issuer.
-
32 — Invalid Signature — The server certificate has an invalid signature.
-
64 — Expired — The server certificate is expired.
-
128 — Not valid yet — The server certificate is not yet valid.
-
256 — Revoked — The server certificate has been revoked.
|
SSL Actual Action |
uint16 |
The action actually performed on the connection based on the SSL rule. This may differ from the expected action, because the action specified in the rule may not be achievable for the flow (see SSL Flow Status for the reason). Possible values include:
-
0 — 'Unknown'
-
1 — 'Do Not Decrypt'
-
2 — 'Block'
-
3 — 'Block With Reset'
-
4 — 'Decrypt (Known Key)'
-
5 — 'Decrypt (Replace Key)'
-
6 — 'Decrypt (Resign)'
|
SSL Expected Action |
uint16 |
The action which should be performed on the connection based on the SSL Rule. Possible values include:
-
0 — 'Unknown'
-
1 — 'Do Not Decrypt'
-
2 — 'Block'
-
3 — 'Block With Reset'
-
4 — 'Decrypt (Known Key)'
-
5 — 'Decrypt (Replace Key)'
-
6 — 'Decrypt (Resign)'
|
SSL Flow Status |
uint16 |
Status of the SSL Flow. These values describe the reason behind the action taken or the error message seen. Possible values include:
-
0 — 'Unknown'
-
1 — 'No Match'
-
2 — 'Success'
-
3 — 'Uncached Session'
-
4 — 'Unknown Cipher Suite'
-
5 — 'Unsupported Cipher Suite'
-
6 — 'Unsupported SSL Version'
-
7 — 'SSL Compression Used'
-
8 — 'Session Undecryptable in Passive Mode'
-
9 — 'Handshake Error'
-
10 — 'Decryption Error'
-
11 — 'Pending Server Name Category Lookup'
-
12 — 'Pending Common Name Category Lookup'
-
13 — 'Internal Error'
-
14 — 'Network Parameters Unavailable'
-
15 — 'Invalid Server Certificate Handle'
-
16 — 'Server Certificate Fingerprint Unavailable'
-
17 — 'Cannot Cache Subject DN'
-
18 — 'Cannot Cache Issuer DN'
-
19 — 'Unknown SSL Version'
-
20 — 'External Certificate List Unavailable'
-
21 — 'External Certificate Fingerprint Unavailable'
-
22 — 'Internal Certificate List Invalid'
-
23 — 'Internal Certificate List Unavailable'
-
24 — 'Internal Certificate Unavailable'
-
25 — 'Internal Certificate Fingerprint Unavailable'
-
26 — 'Server Certificate Validation Unavailable'
-
27 — 'Server Certificate Validation Failure'
-
28 — 'Invalid Action'
|
SSL Flow Error |
uint32 |
Detailed SSL error code. These values may be needed for support purposes. |
SSL Flow Messages |
uint32 |
The messages exchanged between client and server during the SSL handshake. See http://tools.ietf.org/html/rfc5246 for more information.
-
0x00000001 — NSE_MT__HELLO_REQUEST
-
0x00000002 — NSE_MT__CLIENT_ALERT
-
0x00000004 — NSE_MT__SERVER_ALERT
-
0x00000008 — NSE_MT__CLIENT_HELLO
-
0x00000010 — NSE_MT__SERVER_HELLO
-
0x00000020 — NSE_MT__SERVER_CERTIFICATE
-
0x00000040 — NSE_MT__SERVER_KEY_EXCHANGE
-
0x00000080 — NSE_MT__CERTIFICATE_REQUEST
-
0x00000100 — NSE_MT__SERVER_HELLO_DONE
-
0x00000200 — NSE_MT__CLIENT_CERTIFICATE
-
0x00000400 — NSE_MT__CLIENT_KEY_EXCHANGE
-
0x00000800 — NSE_MT__CERTIFICATE_VERIFY
-
0x00001000 — NSE_MT__CLIENT_CHANGE_CIPHER_SPEC
-
0x00002000 — NSE_MT__CLIENT_FINISHED
-
0x00004000 — NSE_MT__SERVER_CHANGE_CIPHER_SPEC
-
0x00008000 — NSE_MT__SERVER_FINISHED
-
0x00010000 — NSE_MT__NEW_SESSION_TICKET
-
0x00020000 — NSE_MT__HANDSHAKE_OTHER
-
0x00040000 — NSE_MT__APP_DATA_FROM_CLIENT
-
0x00080000 — NSE_MT__APP_DATA_FROM_SERVER
|
SSL Flow Flags |
uint64 |
The debugging level flags for an encrypted connection. Possible values include:
-
0x00000001 — NSE_FLOW__VALID - must be set for other fields to be valid
-
0x00000002 — NSE_FLOW__INITIALIZED - internal structures ready for processing
-
0x00000004 — NSE_FLOW__INTERCEPT - SSL session has been intercepted
|
String Block Type |
uint32 |
Initiates a String data block containing the SSL Server Name. This value is always 0. |
String Block Length |
uint32 |
The number of bytes included in the SSL Server Name String data block, including eight bytes for the string block type and length fields plus the number of bytes in the SSL Server Name field. |
SSL Server Name |
string |
Name provided in the server name indication in the SSL Client Hello. |
SSL URL Category |
uint32 |
Category of the flow as identified from the server name and certificate common name. |
SSL Session ID |
uint8[32] |
Value of the session ID used during the SSL handshake when the client and server agree to do session reuse. |
SSL Session ID Length |
uint8 |
Length of the SSL Session ID. While the session ID cannot exceed 32 bytes, it may be less than 32 bytes. |
SSL Ticket ID |
uint8[20] |
Hash of the session ticket used when the client and server agree to use a session ticket. |
SSL Ticket ID Length |
uint8 |
Length of the SSL Ticket ID. While the ticket ID cannot exceed 20 bytes, it may be less than 20 bytes. |
Network Analysis Policy revision |
uint8[16] |
Revision of the Network Analysis Policy associated with the connection event. |
Endpoint Profile ID |
uint32 |
ID number of the type of device used by the connection endpoint as identified by ISE. This is unique for each DC and resolved in metadata. |
Security Group ID |
uint32 |
ID number assigned to the user by ISE based on policy. |
Location IPv6 |
uint8[16] |
IP address of the interface communicating with ISE. Can be IPv4 or IPv6. |
HTTP Response |
uint32 |
Response code of the HTTP Request. |
String Block Type |
uint32 |
Initiates a String data block for the DNS query. This value is always 0. |
String Block Length |
uint32 |
Number of bytes in the String data block, including eight bytes for the string block type and length fields, plus the number of bytes in the DNS query string. |
DNS Query |
string |
The content of the query sent to the DNS server. |
DNS Record Type |
uint16 |
The numerical value for the type of DNS record. |
DNS Response Type |
uint16 |
The numerical value for the type of DNS response. |
DNS TTL |
uint32 |
The time to live for the DNS response, in seconds. |
Sinkhole UUID |
uint8[16] |
Revision UUID associated with this sinkhole object. |
Security Intelligence List 1 |
uint32 |
Security Intelligence List associated with the event. This maps to a Security Intelligence list in associated metadata. There may be three Security Intelligence lists associated with the connection. |
Security Intelligence List 2 |
uint32 |
Security Intelligence List associated with the event. This maps to a Security Intelligence list in associated metadata. There may be three Security Intelligence lists associated with the connection. |
Security Intelligence List 3 |
uint32 |
Security Intelligence List associated with the event. This maps to a Security Intelligence list in associated metadata. There may be three Security Intelligence lists associated with the connection. |