Difference between revisions of "Event Record Fields"

From Observer GigaFlow Support | VIAVI Solutions Inc.

Revision as of 10:51, 28 November 2018

See also Event Records.

In the myipfix database associated with the GigaFlow installation, the Events tables contain all the Event records. The Event record fields are:

Field Descriptions

Record Field Type Description
id integer Event identifier.
customerid integer The traffic group source identifier.
device numeric(39,0) The numeric IPv6 address of the device sending us the flowsyslog records.
firstseen bigint Millisecond timestamp of when this flow started.
eventtype integer Types of threat identified, e.g. -11 means attempted access by blacklisted resources. See Event Records for more.
eventsrctype integer Flag indicating type of event source.
eventsrc text IP address that triggered the event. If many sources contributed to the event, this will read "many".
message text Message from system indicating reason for the event, e.g. "Syn Dst Unreachable Server xxx.xxx.xxx.xxx->xxx.xxx.xxx.xxx".
datatype integer Flag indicating data type. "1" indicates text.
data text Data output from source, e.g. blacklist.
datasource text URL of matched blacklist or other source, e.g. internal script.
confidence integer Confidence in the completeness and accuracy of the matched blacklist.
severity integer The importance (or severity) of the blacklist to your organisation.
category text Threat category, e.g. "Botnet Strong". This can be defined in GigaFlow. See Watchlists in the Reference Manual.
target text Event target host; an IP address, e.g. "xxx.xxx.xxx.xxx".
country_src text Source country code, e.g. "IE" for Ireland.
division_src text Source state/county/division, e.g. "Sligo".
latit_src numeric Source IP address latitude.
longd_src numeric Source IP address longitude.
country_dst text Destination country.
division_dst text Destination state/county/division.
latit_dst numeric Destination IP address latitude.
longd_dst numeric Destination IP address longitude.

Sample Records

Typical records from an Event table with obfuscated IP addresses and locations:

postureBlackListSrc (-11)

Cut and pasted directly from an Events table:

805729 0 "-1407899398" "1541583542242" -11 8 "xxx.xxx.208.28" "Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159" 1 {"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt","Black List Type":"Source","Eventer":"xxx.xxx.208.28","appid":393238,"bytes":44,"device":"xxx.xxx.40.250","domain":"","dstadd":"xx.xxx.166.159","dstport":22,"duration":0,"eventname":"Black List Src","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":13,"packets":1,"proto":6,"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"timeH":"7-Nov-2018 09:39:34.22","tos":0,"user":""}" "https://lists.blocklist.de/lists/strongips.txt" 75 80 "Botnet Strong" "xxx.xxx.166.159" "CN" "Gansu" "0.00000000000" "0.00000000000" "IE" "County Sligo" "0.00000000000" "0.00000000000"

Arranged more neatly in a table:

Record Field Value
id 805729
customerid 0
device "-1407899398"
firstseen "1541583542242"
eventtype -11
eventsrctype 8
eventsrc "xxx.xxx.208.28"
message "Black List Src Hit(Botnet Strong) xxx.xxx.208.28->xxx.xxx.166.159"
datatype 1
data {"Application":"SSH TCP/22","Black List":"https://lists.blocklist.de/lists/strongips.txt","Black List Type":"Source","Eventer":"xxx.xxx.208.28","appid":393238,"bytes":44,"device":"xxx.xxx.40.250","domain":"","dstadd":"xx.xxx.166.159","dstport":22,"duration":0,"eventname":"Black List Src","flags":2,"fwevent":0,"fwextcode":0,"inif":14,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":13,"packets":1,"proto":6,"srcadd":"xxx.xxx.208.28","srcport":28148,"time":1541583574022,"timeH":"7-Nov-2018 09:39:34.22","tos":0,"user":""}"
datasource "https://lists.blocklist.de/lists/strongips.txt"
confidence 75
severity 80
category "Botnet Strong"
target "xxx.xxx.166.159"
country_src "CN"
division_src "Gansu"
latit_src "0.00000000000"
longd_src "0.00000000000"
country_dst "IE"
division_dst "County Sligo"
latit_dst "0.00000000000"
longd_dst "0.00000000000"

synSrc (-100)

805752 0 "-1407899398" "1541583572146" -100 8 "xxx.xxx.86.55" "Syn Src Port Sweep xxx.xxx.86.55->xxx.xxx.85.74" 1 "{"Application":"TCP/3392","Eventer":"xxx.xxx.86.55","Syn Type":"Source","appid":396608,"bytes":40,"device":"xxx.xxx.40.250","domain":"","dstadd":"xxx.xxx.85.74","dstport":3392,"duration":0,"eventname":"Syn Src Port Sweep","flags":2,"fwevent":0,"fwextcode":0,"inif":12,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":30,"packets":1,"proto":6,"srcadd":"xxx.xxx.86.55","srcport":43017,"time":1541583603834,"timeH":"7-Nov-2018 09:40:03.834","tos":40,"user":""}" "Syn Source" 100 100 "Syn Src Port Sweep" "Many" "RU" "St.-Petersburg" "0.00000000000" "0.00000000000" "IE" "County Sligo" "0.00000000000" "0.00000000000"

synDst (-120)

805738 0 "29885185" "1541583568627" -120 8 "Many" "Syn Dst Unreachable Server xxx.xxx.80.248->xxx.xxx..45.208" 1 "{"Application":"HTTP TCP/80","Eventer":"xxx.xxx.45.208","Syn Type":"Destination","appid":393296,"bytes":44,"device":"xxx.xxx.3.1","domain":"","dstadd":"xxx.xxx.45.208","dstport":80,"duration":0,"eventname":"Syn Dst Unreachable Server","flags":2,"fwevent":0,"fwextcode":0,"inif":8,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":3,"packets":1,"proto":6,"srcadd":"xx.xxx..80.248","srcport":54028,"time":1541583584143,"timeH":"7-Nov-2018 09:39:44.143","tos":32,"user":""}" "Syn Destination" 100 100 "Syn Dst Unreachable Server" "xxx.xxx.45.208" "CN" "Guangdong" "0.00000000000" "0.00000000000" "IE" "null" "0.00000000000" "-0.00000000000"

postureBlackListDst (-12)

805801 0 "-1407899398" "1541583616150" -12 8 "xxx.xxx.195.7" "Black List Dst Hit(Apache(WWW) Scan/Brute) xxx.xxx.86.213->xxx.xxx.195.7" 1 "{"Application":"HTTPS TCP/443","Black List":"https://lists.blocklist.de/lists/apache.txt","Black List Type":"Destination","Eventer":"xxx.xxx.195.7","appid":393659,"bytes":104,"device":"xxx.xxx.40.250","domain":"","dstadd":"xxx.xxx.195.7","dstport":443,"duration":0,"eventname":"Black List Dst","flags":16,"fwevent":0,"fwextcode":0,"inif":30,"macdst":"00:00:00:00:00:00","macsrc":"00:00:00:00:00:00","outif":12,"packets":2,"proto":6,"srcadd":"xxx.xxx.86.213","srcport":51330,"time":1541583646846,"timeH":"7-Nov-2018 09:40:46.846","tos":0,"user":""}" "https://lists.blocklist.de/lists/apache.txt" 75 25 "Apache(WWW) Scan/Brute" "xxx.xxx.86.213" "IE" "County Sligo" "0.00000000000" "0.00000000000" "US" "null" "0.00000000000" "0.00000000000"
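As an added example (not part of the GigaFlow documentation), the Python below splits a pasted Events row of the layout shown above into the 23 named fields, decodes the JSON carried in `data`, and renders `device` in dotted form. The sample row and its addresses are constructed; reading `device` as the signed 32-bit form of an IPv4 address is an assumption, although it reproduces the last two octets visible in the page's own samples (-1407899398 ends in .40.250, 29885185 ends in .3.1).

```python
import ipaddress
import json
import re

# Column order of the Events table as documented on this page.
FIELDS = [
    "id", "customerid", "device", "firstseen", "eventtype", "eventsrctype",
    "eventsrc", "message", "datatype", "data", "datasource", "confidence",
    "severity", "category", "target", "country_src", "division_src",
    "latit_src", "longd_src", "country_dst", "division_dst", "latit_dst",
    "longd_dst",
]
# Event type codes named in the sample records on this page.
EVENT_NAMES = {-11: "postureBlackListSrc", -12: "postureBlackListDst",
               -100: "synSrc", -120: "synDst"}

# A quoted token ends at the first '"' followed by whitespace or end of line,
# so the JSON in `data` (which contains unescaped quotes) stays one token.
_TOKEN = re.compile(r'"(.*?)"(?=\s|$)|(\S+)')

def split_record(line):
    """Split one pasted Events row into a dict of the 23 raw string values."""
    tokens = [m.group(1) if m.group(1) is not None else m.group(2)
              for m in _TOKEN.finditer(line.strip())]
    if len(tokens) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(tokens)}")
    return dict(zip(FIELDS, tokens))

def device_to_ip(device):
    """Assumption: an IPv4 device is stored as the address's signed 32-bit value."""
    return str(ipaddress.IPv4Address(int(device) & 0xFFFFFFFF))

def parse_event(line):
    """Typed view of a row: integers converted, data decoded, device rendered."""
    rec = split_record(line)
    for key in ("id", "customerid", "eventtype", "eventsrctype", "datatype",
                "confidence", "severity"):
        rec[key] = int(rec[key])
    rec["firstseen"] = int(rec["firstseen"])
    rec["device_ip"] = device_to_ip(rec["device"])
    rec["event_name"] = EVENT_NAMES.get(rec["eventtype"], "unknown")
    if rec["datatype"] == 1 and rec["data"].startswith("{"):  # "1" indicates text
        rec["data"] = json.loads(rec["data"])
    return rec

# Constructed sample row (synDst layout, private addresses), not a real record.
SAMPLE = ('805738 0 "29885185" "1541583568627" -120 8 "Many" '
          '"Syn Dst Unreachable Server 10.0.0.5->10.0.1.9" 1 '
          '"{"Application":"HTTP TCP/80","Eventer":"10.0.1.9","dstport":80}" '
          '"Syn Destination" 100 100 "Syn Dst Unreachable Server" "10.0.1.9" '
          '"CN" "Guangdong" "0.00000000000" "0.00000000000" "IE" "null" '
          '"0.00000000000" "-0.00000000000"')
```

Rows pasted with an unquoted `data` value (as in the first sample above) do not split cleanly with this tokenizer; quote the JSON first.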