Difference between revisions of "Event Record Fields"
Line 1: | Line 1: | ||
+ | [[Category:Database]] | ||
+ | [[Category:Scripts]] | ||
+ | See also [http://gigaflowsupport.viavisolutions.com/index.php/Event_Records Event Records]. | ||
+ | |||
+ | In the '''myipfix''' database associated with the GigaFlow installation, the Events tables contain all the Event records. The Event record fields are: | ||
+ | |||
= Field Descriptions = | = Field Descriptions = | ||
Line 7: | Line 13: | ||
|- | |- | ||
|id | |id | ||
+ | |integer | ||
+ | |Event identifier. | ||
|- | |- | ||
|customerid | |customerid | ||
Line 21: | Line 29: | ||
|- | |- | ||
|eventtype | |eventtype | ||
+ | |integer | ||
+ | |Types of threat identified, e.g. -11 means attempted access by blacklisted resources. See [http://gigaflowsupport.viavisolutions.com/index.php/Event_Records Event Records] for more. | ||
|- | |- | ||
|eventsrctype | |eventsrctype | ||
+ | |integer | ||
+ | |Flag indicating type of event source. | ||
|- | |- | ||
|eventsrc | |eventsrc | ||
+ | |text | ||
+ | |IP address that triggered the event. If many sources contributed to the event, this will read "many". | ||
|- | |- | ||
|message | |message | ||
+ | |text | ||
+ | |Message from system indicating reason for the event, e.g. "Syn Dst Unreachable Server xxx.xxx.xxx.xxx->xxx.xxx.xxx.xxx" | ||
|- | |- | ||
|datatype | |datatype | ||
+ | |integer | ||
+ | |Flag indicating data type. "1" indicates text. | ||
|- | |- | ||
|data | |data | ||
+ | |text | ||
+ | |Data output from source, e.g. blacklist. | ||
|- | |- | ||
|datasource | |datasource | ||
+ | |text | ||
+ | |URL of matched blacklist or other source, e.g. internal script. | ||
|- | |- | ||
|confidence | |confidence | ||
+ | |integer | ||
+ | |Confidence in the completeness and accuracy of the matched blacklist. | ||
|- | |- | ||
|severity | |severity | ||
+ | |integer | ||
+ | |The importance (or severity) of the blacklist to your organisation. | ||
|- | |- | ||
|category | |category | ||
+ | |text | ||
+ | |Threat category, e.g. "Botnet Strong". This can be defined in GigaFlow. See [http://gigaflowsupport.viavisolutions.com/manual/watchlists.html Watchlists in the Reference Manual]. | ||
|- | |- | ||
|target | |target | ||
+ | |text | ||
+ | |Event target host; an IP address, e.g. "xxx.xxx.xxx.xxx" | ||
|- | |- | ||
|country_src | |country_src | ||
+ | |text | ||
+ | |Source country code, e.g. "IE" for Ireland. | ||
|- | |- | ||
|division_src | |division_src | ||
+ | |text | ||
+ | |Source state/county/division, e.g. "Sligo". | ||
|- | |- | ||
|latit_src | |latit_src | ||
+ | |numeric | ||
+ | | Source IP address latitude. | ||
|- | |- | ||
|longd_src | |longd_src | ||
+ | |numeric | ||
+ | | Source IP address longitude. | ||
|- | |- | ||
|country_dst | |country_dst | ||
+ | |text | ||
+ | |Destination country. | ||
|- | |- | ||
|division_dst | |division_dst | ||
+ | |text | ||
+ | |Destination state/county/division. | ||
|- | |- | ||
|latit_dst | |latit_dst | ||
+ | |numeric | ||
+ | | Destination IP address latitude. | ||
|- | |- | ||
|longd_dst | |longd_dst | ||
+ | |numeric | ||
+ | | Destination IP address longitude. | ||
|} | |} | ||
Line 64: | Line 110: | ||
'''postureBlackListSrc (-11)''' | '''postureBlackListSrc (-11)''' | ||
+ | |||
+ | Cut and pasted directly from an Events table: | ||
<code> | <code> | ||
805729 0 "-1407899398" "1541583542242" -11 8 "xxx.xxx.208.28" "Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159" 1 {"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt","Black List Type":"Source","Eventer":"xxx.xxx.208.28","appid":393238,"bytes":44,"device":"xxx.xxx.40.250","domain":"","dstadd":"xx.xxx.166.159","dstport":22,"duration":0,"eventname":"Black List Src","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":13,"packets":1,"proto":6,"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"timeH":"7-Nov-2018 09:39:34.22","tos":0,"user":""}" "https://lists.blocklist.de/lists/strongips.txt" 75 80 "Botnet Strong" "xxx.xxx.166.159" "CN" "Gansu" "0.00000000000" "0.00000000000" "IE" "County Sligo" "0.00000000000" "0.00000000000" | 805729 0 "-1407899398" "1541583542242" -11 8 "xxx.xxx.208.28" "Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159" 1 {"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt","Black List Type":"Source","Eventer":"xxx.xxx.208.28","appid":393238,"bytes":44,"device":"xxx.xxx.40.250","domain":"","dstadd":"xx.xxx.166.159","dstport":22,"duration":0,"eventname":"Black List Src","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":13,"packets":1,"proto":6,"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"timeH":"7-Nov-2018 09:39:34.22","tos":0,"user":""}" "https://lists.blocklist.de/lists/strongips.txt" 75 80 "Botnet Strong" "xxx.xxx.166.159" "CN" "Gansu" "0.00000000000" "0.00000000000" "IE" "County Sligo" "0.00000000000" "0.00000000000" | ||
</code> | </code> | ||
+ | |||
+ | Arranged more neatly in a table: | ||
{| class="wikitable" style="text-align: left;" | {| class="wikitable" style="text-align: left;" | ||
Line 74: | Line 124: | ||
|- | |- | ||
|id | |id | ||
+ | |805729 | ||
|- | |- | ||
|customerid | |customerid | ||
− | | | + | |0 |
− | + | ||
|- | |- | ||
|device | |device | ||
− | | | + | |"-1407899398" |
− | + | ||
|- | |- | ||
|firstseen | |firstseen | ||
− | | | + | |"1541583542242" |
− | + | ||
|- | |- | ||
|eventtype | |eventtype | ||
+ | | -11 | ||
|- | |- | ||
|eventsrctype | |eventsrctype | ||
+ | |8 | ||
|- | |- | ||
|eventsrc | |eventsrc | ||
+ | |"xxx.xxx.208.28" | ||
|- | |- | ||
|message | |message | ||
+ | |"Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159" | ||
|- | |- | ||
|datatype | |datatype | ||
+ | |1 | ||
|- | |- | ||
|data | |data | ||
+ | |{"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt","Black List Type":"Source","Eventer":"xxx.xxx.208.28","appid":393238,"bytes":44,"device":"xxx.xxx.40.250","domain":"","dstadd":"xx.xxx.166.159","dstport":22,"duration":0,"eventname":"Black List Src","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":13,"packets":1,"proto":6,"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"timeH":"7-Nov-2018 09:39:34.22","tos":0,"user":""}" | ||
|- | |- | ||
|datasource | |datasource | ||
+ | |"https://lists.blocklist.de/lists/strongips.txt" | ||
|- | |- | ||
|confidence | |confidence | ||
+ | |75 | ||
|- | |- | ||
|severity | |severity | ||
+ | |80 | ||
|- | |- | ||
|category | |category | ||
+ | |"Botnet Strong" | ||
|- | |- | ||
|target | |target | ||
+ | |"xxx.xxx.166.159" | ||
|- | |- | ||
|country_src | |country_src | ||
+ | |"CN" | ||
|- | |- | ||
|division_src | |division_src | ||
+ | |"Gansu" | ||
|- | |- | ||
|latit_src | |latit_src | ||
+ | |"0.00000000000" | ||
|- | |- | ||
|longd_src | |longd_src | ||
+ | |"0.00000000000" | ||
|- | |- | ||
|country_dst | |country_dst | ||
+ | |"IE" | ||
|- | |- | ||
|division_dst | |division_dst | ||
+ | |"County Sligo" | ||
|- | |- | ||
|latit_dst | |latit_dst | ||
+ | |"0.00000000000" | ||
|- | |- | ||
|longd_dst | |longd_dst | ||
+ | |"0.00000000000" | ||
|} | |} | ||
+ | |||
+ | '''synSrc (-100)''' | ||
+ | |||
+ | <code> | ||
+ | 805752 0 "-1407899398" "1541583572146" -100 8 "xxx.xxx.86.55" "Syn Src Port Sweep xxx.xxx.86.55->xxx.xxx.85.74" 1 "{"Application":"TCP/3392","Eventer":"xxx.xxx.86.55","Syn Type":"Source","appid":396608,"bytes":40,"device":"xxx.xxx.40.250","domain":"","dstadd":"xxx.xxx.85.74","dstport":3392,"duration":0,"eventname":"Syn Src Port Sweep","flags":2,"fwevent":0,"fwextcode":0,"inif":12,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":1,"proto":6,"srcadd":"xxx.xxx.86.55","srcport":43017,"time":1541583603834,"timeH":"7-Nov-2018 09:40:03.834","tos":40,"user":""}" "Syn Source" 100 100 "Syn Src Port Sweep" "Many" "RU" "St.-Petersburg" "0.00000000000" "0.00000000000" "IE" "County Sligo" "0.00000000000" "0.00000000000" | ||
+ | </code> | ||
+ | |||
+ | '''synDst (-120)''' | ||
+ | |||
+ | <code> | ||
+ | 805738 0 "29885185" "1541583568627" -120 8 "Many" "Syn Dst Unreachable Server xxx.xxx.80.248->xxx.xxx..45.208" 1 "{"Application":"HTTP TCP/80","Eventer":"xxx.xxx.45.208","Syn Type":"Destination","appid":393296,"bytes":44,"device":"xxx.xxx.3.1","domain":"","dstadd":"xxx.xxx.45.208","dstport":80,"duration":0,"eventname":"Syn Dst Unreachable Server","flags":2,"fwevent":0,"fwextcode":0,"inif":8,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":3,"packets":1,"proto":6,"srcadd":"xx.xxx..80.248","srcport":54028,"time":1541583584143,"timeH":"7-Nov-2018 09:39:44.143","tos":32,"user":""}" "Syn Destination" 100 100 "Syn Dst Unreachable Server" "xxx.xxx.45.208" "CN" "Guangdong" "0.00000000000" "0.00000000000" "IE" "null" "0.00000000000" "-0.00000000000" | ||
+ | </code> | ||
+ | |||
+ | '''postureBlackListDst (-12)''' | ||
+ | |||
+ | <code> | ||
+ | 805801 0 "-1407899398" "1541583616150" -12 8 "xxx.xxx.195.7" "Black List Dst Hit(Apache(WWW) Scan/Brute) xxx.xxx.86.213->xxx.xxx.195.7" 1 "{"Application":"HTTPS TCP/443","Black List":"https://lists.blocklist.de/lists/apache.txt","Black List Type":"Destination","Eventer":"xxx.xxx.195.7","appid":393659,"bytes":104,"device":"xxx.xxx.40.250","domain":"","dstadd":"xxx.xxx.195.7","dstport":443,"duration":0,"eventname":"Black List Dst","flags":16,"fwevent":0,"fwextcode":0,"inif":30,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":12,"packets":2,"proto":6,"srcadd":"xxx.xxx.86.213","srcport":51330,"time":1541583646846,"timeH":"7-Nov-2018 09:40:46.846","tos":0,"user":""}" "https://lists.blocklist.de/lists/apache.txt" 75 25 "Apache(WWW) Scan/Brute" "xxx.xxx.86.213" "IE" "County Sligo" "0.00000000000" "0.00000000000" "US" "null" "0.00000000000" "0.00000000000" | ||
+ | </code> |
Latest revision as of 14:52, 29 November 2018
See also Event Records.
In the myipfix database associated with the GigaFlow installation, the Events tables contain all the Event records. The Event record fields are:
Field Descriptions
Record Field | Type | Description |
id | integer | Event identifier. |
customerid | integer | The traffic group source identifier |
device | numeric(39,0) | The numeric IPv6 address of the device sending us the flow/syslog records (in the sample records below this appears as a signed integer, e.g. -1407899398) |
firstseen | bigint | Millisecond timestamp (Unix epoch) of when this flow started |
eventtype | integer | Type of threat identified, e.g. -11 means attempted access by blacklisted resources (the sample records below show -11, -12, -100 and -120). See Event Records for more. |
eventsrctype | integer | Flag indicating type of event source. |
eventsrc | text | IP address that triggered the event. If many sources contributed to the event, this will read "many" (the synDst sample below shows it as "Many"). |
message | text | Message from system indicating reason for the event, e.g. "Syn Dst Unreachable Server xxx.xxx.xxx.xxx->xxx.xxx.xxx.xxx" |
datatype | integer | Flag indicating the type of the data field; 1 indicates text. |
data | text | Data output from the source, e.g. the blacklist match. In the sample records below this is a JSON object serialised as text, carrying flow details such as srcadd, dstadd, dstport and proto. |
datasource | text | URL of matched blacklist or other source, e.g. internal script. |
confidence | integer | Confidence in the completeness and accuracy of the matched blacklist. |
severity | integer | The importance (or severity) of the blacklist to your organisation. |
category | text | Threat category, e.g. "Botnet Strong". This can be defined in GigaFlow. See Watchlists in the Reference Manual. |
target | text | Event target host; an IP address, e.g. "xxx.xxx.xxx.xxx" (the synSrc sample below shows "Many"). |
country_src | text | Source country code, e.g. "IE" for Ireland. |
division_src | text | Source state/county/division, e.g. "Sligo". |
latit_src | numeric | Source IP address latitude. |
longd_src | numeric | Source IP address longitude. |
country_dst | text | Destination country code, e.g. "IE" for Ireland. |
division_dst | text | Destination state/county/division, e.g. "County Sligo". |
latit_dst | numeric | Destination IP address latitude. |
longd_dst | numeric | Destination IP address longitude. |
Sample Records
Typical records from an Event table with obfuscated IP addresses and locations:
postureBlackListSrc (-11)
Cut and pasted directly from an Events table (note that the quotes inside the data column appear unescaped in this paste, so it is not directly parseable as written):
805729 0 "-1407899398" "1541583542242" -11 8 "xxx.xxx.208.28" "Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159" 1 {"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt","Black List Type":"Source","Eventer":"xxx.xxx.208.28","appid":393238,"bytes":44,"device":"xxx.xxx.40.250","domain":"","dstadd":"xx.xxx.166.159","dstport":22,"duration":0,"eventname":"Black List Src","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":13,"packets":1,"proto":6,"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"timeH":"7-Nov-2018 09:39:34.22","tos":0,"user":""}" "https://lists.blocklist.de/lists/strongips.txt" 75 80 "Botnet Strong" "xxx.xxx.166.159" "CN" "Gansu" "0.00000000000" "0.00000000000" "IE" "County Sligo" "0.00000000000" "0.00000000000"
Arranged more neatly in a table:
Record Field | Value |
id | 805729 |
customerid | 0 |
device | "-1407899398" |
firstseen | "1541583542242" |
eventtype | -11 |
eventsrctype | 8 |
eventsrc | "xxx.xxx.208.28" |
message | "Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159" |
datatype | 1 |
data | {"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt","Black List Type":"Source","Eventer":"xxx.xxx.208.28","appid":393238,"bytes":44,"device":"xxx.xxx.40.250","domain":"","dstadd":"xx.xxx.166.159","dstport":22,"duration":0,"eventname":"Black List Src","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":13,"packets":1,"proto":6,"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"timeH":"7-Nov-2018 09:39:34.22","tos":0,"user":""}" |
datasource | "https://lists.blocklist.de/lists/strongips.txt" |
confidence | 75 |
severity | 80 |
category | "Botnet Strong" |
target | "xxx.xxx.166.159" |
country_src | "CN" |
division_src | "Gansu" |
latit_src | "0.00000000000" |
longd_src | "0.00000000000" |
country_dst | "IE" |
division_dst | "County Sligo" |
latit_dst | "0.00000000000" |
longd_dst | "0.00000000000" |
synSrc (-100)
805752 0 "-1407899398" "1541583572146" -100 8 "xxx.xxx.86.55" "Syn Src Port Sweep xxx.xxx.86.55->xxx.xxx.85.74" 1 "{"Application":"TCP/3392","Eventer":"xxx.xxx.86.55","Syn Type":"Source","appid":396608,"bytes":40,"device":"xxx.xxx.40.250","domain":"","dstadd":"xxx.xxx.85.74","dstport":3392,"duration":0,"eventname":"Syn Src Port Sweep","flags":2,"fwevent":0,"fwextcode":0,"inif":12,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":1,"proto":6,"srcadd":"xxx.xxx.86.55","srcport":43017,"time":1541583603834,"timeH":"7-Nov-2018 09:40:03.834","tos":40,"user":""}" "Syn Source" 100 100 "Syn Src Port Sweep" "Many" "RU" "St.-Petersburg" "0.00000000000" "0.00000000000" "IE" "County Sligo" "0.00000000000" "0.00000000000"
synDst (-120)
805738 0 "29885185" "1541583568627" -120 8 "Many" "Syn Dst Unreachable Server xxx.xxx.80.248->xxx.xxx..45.208" 1 "{"Application":"HTTP TCP/80","Eventer":"xxx.xxx.45.208","Syn Type":"Destination","appid":393296,"bytes":44,"device":"xxx.xxx.3.1","domain":"","dstadd":"xxx.xxx.45.208","dstport":80,"duration":0,"eventname":"Syn Dst Unreachable Server","flags":2,"fwevent":0,"fwextcode":0,"inif":8,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":3,"packets":1,"proto":6,"srcadd":"xx.xxx..80.248","srcport":54028,"time":1541583584143,"timeH":"7-Nov-2018 09:39:44.143","tos":32,"user":""}" "Syn Destination" 100 100 "Syn Dst Unreachable Server" "xxx.xxx.45.208" "CN" "Guangdong" "0.00000000000" "0.00000000000" "IE" "null" "0.00000000000" "-0.00000000000"
postureBlackListDst (-12)
805801 0 "-1407899398" "1541583616150" -12 8 "xxx.xxx.195.7" "Black List Dst Hit(Apache(WWW) Scan/Brute) xxx.xxx.86.213->xxx.xxx.195.7" 1 "{"Application":"HTTPS TCP/443","Black List":"https://lists.blocklist.de/lists/apache.txt","Black List Type":"Destination","Eventer":"xxx.xxx.195.7","appid":393659,"bytes":104,"device":"xxx.xxx.40.250","domain":"","dstadd":"xxx.xxx.195.7","dstport":443,"duration":0,"eventname":"Black List Dst","flags":16,"fwevent":0,"fwextcode":0,"inif":30,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":12,"packets":2,"proto":6,"srcadd":"xxx.xxx.86.213","srcport":51330,"time":1541583646846,"timeH":"7-Nov-2018 09:40:46.846","tos":0,"user":""}" "https://lists.blocklist.de/lists/apache.txt" 75 25 "Apache(WWW) Scan/Brute" "xxx.xxx.86.213" "IE" "County Sligo" "0.00000000000" "0.00000000000" "US" "null" "0.00000000000" "0.00000000000"