1. The first two bytes of this line hold the standard header version, 1. The next two bytes hold the message type, 4, which identifies this as a data message.
2. This line gives the length of the message that follows: 716 bytes.
3. The first bit of this line is a flag indicating that the header is an extended header carrying an archive timestamp. The next 15 bits are an optional field holding the Netmap ID of the domain on which the event was detected. The remaining 16 bits hold the record type, 71, which identifies a connection statistics record.
4. This line gives the length of the event record that follows: 700 bytes. The 16-byte difference from the 716-byte message length is the record header (lines 3 and 4) plus the eight-byte extended header (lines 5 and 6), so the record length counts only what follows the extended header.
5. The archive timestamp, the time at which the event was saved. In this case it was saved on Monday, October 10, 2016 at 08:48:52 AM.
6. Reserved for future use and populated with zeros.
7. The ID number of the device that generated the discovery event: 1.
8. The legacy (IPv4) IP address field. It contains all zeros because it is not populated; the IPv4 address is carried in the IPv6 field instead.
9. The first four bytes of the MAC address of the host involved in the event. The MAC address is 00:00:00:00:00:00.
10. The first 16 bits of this line complete the MAC address. The next 8 bits are a flag indicating whether the host has an IPv6 address. The last 8 bits are reserved for future use and left empty.
11. The Unix timestamp of when the event occurred.
12. The event microsecond, 0 in this case.
13. The event type, 1003.
14. The event subtype, 1. Together with event type 1003 this identifies a Connection Statistics event.
15. The File Number. Internal use only.
16. The File Position. Internal use only.
17. The IPv6 address field, which is present and used only when the Has IPv6 flag is set. Here it contains 0:3eb:0:1:d184:fb57:8ba:c00.
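As an added worked example (not code from the eStreamer documentation or the vendor), the following Python parser decodes the headers walked through in lines 1 through 17: the message header, the record header with its flag / Netmap ID / record type bit fields, the extended header, and the discovery event header with its conditional IPv6 field. Both length fields are checked against the buffer before anything is unpacked, which is the check an eStreamer client needs before it trusts a length from the wire. The sample message is constructed inline from the values above; the data block that would follow the event header is replaced by a four-byte placeholder, so the length fields are computed from what is built rather than being the 716 and 700 of the real message, and the archive timestamp 1476103732 is derived from the 08:48:52 time shown (one second after the 1476103731 first-packet timestamp given later).

```python
import struct
import ipaddress

# Field layouts for the headers walked through above (big-endian throughout).
MSG_HDR = struct.Struct(">HHI")           # header version, message type, message length
REC_HDR = struct.Struct(">II")            # flag | netmap ID | record type, record length
EXT_HDR = struct.Struct(">II")            # archive timestamp, reserved
EVT_HDR = struct.Struct(">II6sBBIIIIII")  # device ID, legacy IPv4, MAC, has-IPv6 flag,
                                          # reserved, event sec, event usec, event type,
                                          # event subtype, file number, file position

MESSAGE_TYPE_EVENT_DATA = 4
RECORD_CONNECTION_STATISTICS = 71
EXTENDED_HEADER_FLAG = 1 << 31


def build_sample_message() -> bytes:
    """Constructed sample (not captured traffic) with the header values from the
    walkthrough. The data block is a 4-byte placeholder holding only the block type,
    so the two length fields are computed from what is actually built here."""
    ipv6 = ipaddress.IPv6Address("0:3eb:0:1:d184:fb57:8ba:c00").packed
    event_header = EVT_HDR.pack(1, 0, bytes(6), 1, 0, 1476103731, 0, 1003, 1, 0, 0)
    payload = event_header + ipv6 + struct.pack(">I", 163)
    # Record length counts the bytes after the extended header, so with the
    # extended header present the message length is always record length + 16.
    record_word = EXTENDED_HEADER_FLAG | (0 << 16) | RECORD_CONNECTION_STATISTICS
    body = REC_HDR.pack(record_word, len(payload)) + EXT_HDR.pack(1476103732, 0) + payload
    return MSG_HDR.pack(1, MESSAGE_TYPE_EVENT_DATA, len(body)) + body


def parse_event_headers(msg: bytes) -> dict:
    """Decode the message, record, extended and discovery event headers, validating
    every length against the buffer first. Returns the fields and the offset at
    which the data block (block type 163) begins."""
    if len(msg) < MSG_HDR.size:
        raise ValueError("short message header")
    version, msg_type, msg_len = MSG_HDR.unpack_from(msg, 0)
    if version != 1:
        raise ValueError(f"unsupported header version {version}")
    if msg_type != MESSAGE_TYPE_EVENT_DATA:
        raise ValueError(f"not an event data message (type {msg_type})")
    if msg_len != len(msg) - MSG_HDR.size:
        raise ValueError("message length does not match buffer")
    off = MSG_HDR.size
    record_word, rec_len = REC_HDR.unpack_from(msg, off)
    off += REC_HDR.size
    extended = bool(record_word & EXTENDED_HEADER_FLAG)   # bit 31
    netmap_id = (record_word >> 16) & 0x7FFF               # next 15 bits
    record_type = record_word & 0xFFFF                     # low 16 bits
    archive_timestamp = None
    if extended:
        archive_timestamp, _reserved = EXT_HDR.unpack_from(msg, off)
        off += EXT_HDR.size
    if rec_len != len(msg) - off:
        raise ValueError("record length does not match message length")
    if record_type != RECORD_CONNECTION_STATISTICS:
        raise ValueError(f"unexpected record type {record_type}")
    if len(msg) < off + EVT_HDR.size:
        raise ValueError("short event header")
    (device_id, legacy_ipv4, mac, has_ipv6, _res, event_sec, event_usec,
     event_type, event_subtype, file_number, file_position) = EVT_HDR.unpack_from(msg, off)
    off += EVT_HDR.size
    ipv6 = None
    if has_ipv6:  # the 16-byte address field is only present when the flag is set
        if len(msg) < off + 16:
            raise ValueError("short IPv6 field")
        ipv6 = str(ipaddress.IPv6Address(msg[off:off + 16]))
        off += 16
    return {
        "message_length": msg_len, "extended_header": extended,
        "netmap_id": netmap_id, "record_type": record_type, "record_length": rec_len,
        "archive_timestamp": archive_timestamp, "device_id": device_id,
        "legacy_ipv4": str(ipaddress.IPv4Address(legacy_ipv4)),
        "mac": ":".join(f"{b:02x}" for b in mac),
        "event_sec": event_sec, "event_usec": event_usec,
        "event_type": event_type, "event_subtype": event_subtype,
        "file_number": file_number, "file_position": file_position,
        "ipv6": ipv6, "data_block_offset": off,
    }


if __name__ == "__main__":
    for key, value in parse_event_headers(build_sample_message()).items():
        print(f"{key:20} {value}")
```

Running the module prints the decoded fields; `data_block_offset` is where a block-163 decoder would take over. The two length checks reject a truncated or padded message before any field is read.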
18. The block type, 163, identifying a Connection Statistics Data Block.
19. The length of the data block, 644 bytes. This count includes the eight-byte block header on lines 18 and 19: the 700-byte record is the 56-byte event header (lines 7 through 17) followed by this 644-byte block.
20. The ID number of the device that generated the discovery event: 1.
21. The ingress security zone: 59e4505c-4493-11e6-a62d-f1dff731a85 .
22. The egress security zone: 60d50c80-4493-11e6-9843-84d8d6a3e008 .
23. The ingress interface: 599126de-4493-11e6-a62d-f1dff731a85e .
24. The egress interface: 608d6cf4-4493-11e6-9843-84d8d6a3e008 .
25. The IP address of the host that initiated the session described in the connection event: 172.16.3.5 .
26. The IP address of the host that responded to the initiating host: 72.48.149.244 .
27. The IP address of the host behind the proxy that originated the request. Blank in this example.
28. The revision number of the rule associated with the triggered correlation event: 00000000-0000-0000-0000-000057e9c39d .
29. The internal identifier of the rule that triggered the event: 268439603 .
30. The internal identifier of the tunnel rule that triggered the event. This event was not triggered by a tunnel rule, so the value is 0.
31. The first two bytes of this line hold the action specified by the rule, 4, meaning Block. The last two bytes begin the rule reason, 64, meaning Intrusion Block.
32. The first two bytes complete the rule reason. The next two bytes hold the port used by the initiator host, 43786.
33. The first two bytes hold the responder port, 443. The remaining two bytes hold the TCP flags.
34. The first byte holds the protocol, 6, indicating that this connection ran over TCP. The remaining 24 bits begin the NetFlow source, 00000000-0000-0000-0000-000000000000. Note that this value is printed as a 16-byte UUID while the line-by-line layout allots it only four bytes (24 bits here and 8 bits on the next line); the same compression applies to the other 16-byte fields in this walkthrough (zones, interfaces, addresses, policy revisions, security context, SSL session and ticket IDs), so take field widths from the block definition for your version rather than from the line count when writing a parser.
35. The first byte completes the NetFlow source as drawn here. The next two bytes hold the identifier of the Snort instance that generated the event, 7. The remaining byte begins the connection counter.
36. The first byte completes the connection counter. The last 24 bits begin the Unix timestamp of the first packet exchanged in the session, 1476103731, which is Monday, October 10, 2016 8:48:51 AM.
37. The first byte completes the first packet timestamp. The remaining three bytes begin the timestamp of the last packet exchanged in the session, which is also Monday, October 10, 2016 8:48:51 AM, so the session lasted less than one second.
38. The first byte completes the last packet timestamp. The remaining 24 bits begin the number of packets transmitted by the initiating host, 13 in this case.
39. The first byte completes the initiator packet count. The next 24 bits begin the number of packets transmitted by the responder, 0.
40. The first byte completes the responder packet count. The next 24 bits begin the number of bytes transmitted by the initiator, 1743.
41. The first byte completes the initiator byte count. The remaining 24 bits begin the number of bytes transmitted by the responder, 0.
42. The first byte completes the responder byte count. The remaining 24 bits begin the count of initiator packets dropped, 0.
43. The first byte completes the initiator packets dropped. The remaining 24 bits begin the count of responder packets dropped, 0.
44. The first byte completes the responder packets dropped. The remaining 24 bits begin the count of initiator bytes dropped, 0.
45. The first byte completes the initiator bytes dropped. The remaining 24 bits begin the count of responder bytes dropped, 0.
46. The first byte completes the responder bytes dropped. The remaining 24 bits begin the identifier of the interface on which rate limiting (QoS) is applied, 00000000-0000-0000-0000-000000000000.
47. The first byte completes the QoS applied interface. The rest is the ID of the QoS rule applied to the connection; no QoS rule was applied to this interface, so the ID is 0.
48. The first byte completes the QoS rule ID. The rest is the ID, 16466, of the last user to log in to the host that generated the traffic.
49. The first byte completes the user ID. The rest is the ID of the application protocol used in the connection, 1122, which identifies HTTPS.
50. The first byte completes the application protocol ID. The rest is the URL category.
51. The first byte completes the URL category. The rest is the URL reputation, 0, meaning "Risk Unknown".
52. The first byte completes the URL reputation. The rest is the client application ID, 1296, meaning "SSL Client".
53. The first byte completes the client application ID. The rest is the web application ID, 0, meaning "Unknown".
54. The first byte completes the web application ID. The rest of the line begins a block type of 0, which marks the start of a string block.
55. The first byte completes the string block type. The rest is the block length, 8 bytes including the block type and length fields themselves, so the Client Application URL carries no data.
56. The first byte completes the string block length. Because the Client Application URL is empty, the rest of this line already begins the next block type, 0, the string block for the NetBIOS name.
57. The first byte completes the string block type. The rest is the block length, 8 bytes including the header and length, so the NetBIOS name carries no data.
58. The first byte completes the string block length. Because the NetBIOS name is empty, the rest of this line begins block type 0, the string block for the Client Application Version.
59. The first byte completes the string block type. The rest is the block length, 8 bytes including the header and length, so the Client Application Version carries no data.
60. This line holds the remaining byte of the Client Application Version block length. The last three bytes begin the ID of the first monitor rule associated with the connection event, 268439553.
61. The last byte of the first monitor rule ID. The remaining three bytes begin the second monitor rule ID, 0.
62. The last byte of the second monitor rule ID. The remaining three bytes begin the third monitor rule ID, 0.
63. The last byte of the third monitor rule ID. The remaining three bytes begin the fourth monitor rule ID, 0.
64. The last byte of the fourth monitor rule ID. The remaining three bytes begin the fifth monitor rule ID, 0.
65. The last byte of the fifth monitor rule ID. The remaining three bytes begin the sixth monitor rule ID, 0.
66. The last byte of the sixth monitor rule ID. The remaining three bytes begin the seventh monitor rule ID, 0.
67. The first byte is the last byte of the eighth monitor rule ID (the line carrying the end of the seventh ID and the start of the eighth is not shown in this walkthrough; all eight IDs are four bytes each, and the second through eighth are 0). The second byte indicates whether the source or the destination IP address matched the IP block list. The third byte is the IP layer that matched the IP block list. The final byte begins the file event count, 0.
68. The first byte completes the file event count. The next two bytes hold the intrusion event count. The last byte begins the initiator country, 0 meaning "unknown".
69. The first byte completes the initiator country. The next two bytes hold the responder country, 840. The last byte begins the original client country, 0 meaning "unknown".
70. The first byte completes the original client country. The next two bytes hold the IOC number, 0. The last byte begins the source autonomous system, 0.
71. The first three bytes complete the source autonomous system. The last byte begins the destination autonomous system, 0.
72. The first three bytes complete the destination autonomous system. The last byte begins the SNMP index of the input interface, 0.
73. The first byte completes the SNMP index of the input interface. The next two bytes hold the SNMP index of the output interface, 0. The last byte is the type of service setting for the incoming interface, 0.
74. The first byte is the type of service setting for the outgoing interface, 0. The second byte is the source mask, 0. The third byte is the destination mask, 0. The last byte begins the ID of the security context through which the traffic passed, 00000000-0000-0000-0000-000000000000.
75. The first three bytes complete the security context. The last byte begins the VLAN ID, 0.
76. The first byte completes the VLAN ID. The last three bytes begin a string block of type 0 holding the name of the referenced host.
77. The first byte completes the string block type. The last three bytes give the total length of the string block including the block type and length, 8 bytes, so the block carries no data: there is no referenced host.
78. The first byte completes the string block length. The last three bytes begin a string block of type 0 holding the user agent.
79. The first byte completes the string block type. The last three bytes give the total length of the string block including the block type and length, 8 bytes, so there is no user agent.
80. The first byte completes the string block length. The last three bytes begin a string block of type 0 holding the HTTP referrer.
81. The first byte completes the string block type. The last three bytes give the total length of the string block including the block type and length, 8 bytes, so there is no HTTP referrer.
82. The first byte completes the string block length. The last three bytes begin the SSL certificate fingerprint, 00000000000000000000.
83. The first byte completes the SSL certificate fingerprint. The rest of the line begins the SSL policy ID, 00000000-0000-0000-0000-000000000000.
84. The first byte completes the SSL policy ID. The remaining three bytes begin the SSL rule ID, 0.
85. The first byte completes the SSL rule ID. The next two bytes hold the SSL cipher suite, 0, meaning TLS_NULL_WITH_NULL_NULL. The last byte is the SSL version, 0.
86. The SSL server certificate status, 0, meaning Not Checked.
87. The first two bytes hold the SSL actual action, 0 meaning Unknown. The next two bytes hold the SSL expected action, 0 meaning Unknown.
88. The first two bytes hold the SSL flow status, 0 meaning Unknown. The next two bytes begin the SSL flow error, 0 meaning Unknown.
89. The first two bytes complete the SSL flow error. The next two bytes begin the SSL flow messages, 0.
90. The first two bytes complete the SSL flow messages. The next two bytes begin the SSL flow flags, 0.
91. The first two bytes complete the SSL flow flags. The next two bytes begin a string block of type 0 for the SSL server name.
92. The first two bytes complete the string block type. The next two bytes begin the string block length, 8 including the block type and length, so the block carries no data.
93. The first two bytes complete the string block length. The next two bytes begin the SSL URL category, 0 meaning Unknown.
94. The first two bytes complete the SSL URL category. The next two bytes begin the SSL session ID, 00000000000000000000000000000000.
95. The first byte completes the SSL session ID as drawn here. The next byte holds the SSL session ID length, 0. The next two bytes begin the SSL ticket ID, 00000000000000000000.
96. The first two bytes complete the SSL ticket ID. The third byte holds the SSL ticket ID length, 0. The last byte begins the network analysis policy revision, 4e78cb70-7842-11e6-a99b-cdb19cb553fd.
97. The first three bytes complete the network analysis policy revision. The last byte begins the endpoint profile ID, 0.
98. The first three bytes complete the endpoint profile ID. The remaining byte begins the security group ID, 0.
99. The first three bytes complete the security group ID. The remaining byte begins the location IPv6, the IP address of the interface communicating with ISE, which is empty.
100. The first three bytes complete the location IPv6. The remaining byte begins the HTTP response, 0 meaning there was no HTTP response.
101. The first three bytes complete the HTTP response. The remaining byte begins a string block of type 0 for the DNS query.
102. The first three bytes complete the string block type. The remaining byte holds the string block length, 8 bytes including the block type and length, so there is no DNS query data.
103. The first three bytes complete the string block length. The remaining byte begins the DNS record type, 71.
104. The first byte completes the DNS record type. The next two bytes hold the DNS response type, 0. The last byte begins the DNS TTL.
105. The first three bytes complete the DNS TTL. The last byte begins the sinkhole UUID, 00000000-0000-0000-0000-000000000000.
106. The first three bytes complete the sinkhole UUID. The last byte begins the first Security Intelligence list, 0.
107. The first three bytes complete the first Security Intelligence list. The last byte begins the second Security Intelligence list, 0.
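As an added example (not the vendor's code), this Python decoder handles the Connection Statistics Data Block from line 18 onward: it validates the block header (type 163, a length that includes the eight-byte header), unpacks the fixed fields through the web application ID, and reads the three string blocks of lines 54 through 59 with a bounds-checked reader that treats a length of 8 as an empty string. The sample block is constructed from the values in the walkthrough. Assumptions, all labelled in the code: the ingress zone is zeroed because its value is printed truncated above; TCP flags, connection counter and URL category (no values given) are 0; IPv4 addresses are carried in IPv4-mapped form (::ffff:a.b.c.d) inside the 16-byte address fields, which the walkthrough does not spell out; string contents are UTF-8; and the sample stops after the string blocks, so it is shorter than the real 644 bytes. Field widths follow the values printed (UUIDs, addresses), not the line count. The rest of the block, from the monitor rules onward, continues in the same fixed-field and string-block pattern and can be added to the tables below.

```python
import struct
import uuid
import ipaddress

BLOCK_CONNECTION_STATISTICS = 163
STRING_BLOCK_TYPE = 0

# Fixed fields at the front of block 163 in the order the walkthrough lists them
# (lines 20 through 53): (name, struct format, how to render it). The 16-byte widths
# follow the printed UUID/address values, not the walkthrough's line count.
FIXED_FIELDS = [
    ("device_id", "I", "int"),
    ("ingress_zone", "16s", "uuid"), ("egress_zone", "16s", "uuid"),
    ("ingress_interface", "16s", "uuid"), ("egress_interface", "16s", "uuid"),
    ("initiator_ip", "16s", "ip"), ("responder_ip", "16s", "ip"),
    ("original_client_ip", "16s", "ip"), ("rule_revision", "16s", "uuid"),
    ("rule_id", "I", "int"), ("tunnel_rule_id", "I", "int"),
    ("rule_action", "H", "int"), ("rule_reason", "I", "int"),
    ("initiator_port", "H", "int"), ("responder_port", "H", "int"), ("tcp_flags", "H", "int"),
    ("protocol", "B", "int"), ("netflow_source", "16s", "uuid"),
    ("instance_id", "H", "int"), ("connection_counter", "H", "int"),
    ("first_packet_ts", "I", "int"), ("last_packet_ts", "I", "int"),
    ("initiator_packets", "I", "int"), ("responder_packets", "I", "int"),
    ("initiator_bytes", "I", "int"), ("responder_bytes", "I", "int"),
    ("initiator_packets_dropped", "I", "int"), ("responder_packets_dropped", "I", "int"),
    ("initiator_bytes_dropped", "I", "int"), ("responder_bytes_dropped", "I", "int"),
    ("qos_applied_interface", "16s", "uuid"), ("qos_rule_id", "I", "int"),
    ("user_id", "I", "int"), ("application_protocol_id", "I", "int"),
    ("url_category", "I", "int"), ("url_reputation", "I", "int"),
    ("client_application_id", "I", "int"), ("web_application_id", "I", "int"),
]
FIXED = struct.Struct(">" + "".join(fmt for _, fmt, _ in FIXED_FIELDS))
# String blocks that follow the fixed fields (lines 54 through 59), in order.
STRING_FIELDS = ["client_application_url", "netbios_name", "client_application_version"]


def decode_ip(raw: bytes) -> str:
    """All-zero field renders blank, as the walkthrough shows for the original client
    IP. Assumption: IPv4 is carried IPv4-mapped (::ffff:a.b.c.d) in the 16-byte field."""
    if raw == bytes(16):
        return ""
    addr = ipaddress.IPv6Address(raw)
    return str(addr.ipv4_mapped or addr)


def read_string_block(buf: bytes, off: int) -> tuple[str, int]:
    """String block: uint32 type (0), uint32 length counting the 8-byte header itself,
    then the bytes; length 8 means an empty string. The length comes from observed
    traffic, so it is bounds-checked before slicing. Returns (text, next offset)."""
    if off + 8 > len(buf):
        raise ValueError(f"string block header at offset {off} runs past the buffer")
    btype, blen = struct.unpack_from(">II", buf, off)
    if btype != STRING_BLOCK_TYPE:
        raise ValueError(f"expected string block type 0 at offset {off}, got {btype}")
    if blen < 8 or off + blen > len(buf):
        raise ValueError(f"string block length {blen} out of range at offset {off}")
    return buf[off + 8:off + blen].decode("utf-8", "replace"), off + blen  # UTF-8 assumed


def parse_connection_block(buf: bytes) -> dict:
    """Decode the block header, the fixed fields and the first three string blocks."""
    if len(buf) < 8:
        raise ValueError("short block header")
    btype, blen = struct.unpack_from(">II", buf, 0)
    if btype != BLOCK_CONNECTION_STATISTICS:
        raise ValueError(f"unexpected block type {btype}")
    if blen < 8 + FIXED.size or blen > len(buf):  # block length includes its 8-byte header
        raise ValueError(f"block length {blen} out of range")
    block = buf[:blen]
    out = {"block_length": blen}
    for (name, _, kind), value in zip(FIXED_FIELDS, FIXED.unpack_from(block, 8)):
        if kind == "uuid":
            value = str(uuid.UUID(bytes=value))
        elif kind == "ip":
            value = decode_ip(value)
        out[name] = value
    off = 8 + FIXED.size
    for name in STRING_FIELDS:
        out[name], off = read_string_block(block, off)
    out["unparsed_bytes"] = blen - off  # monitor rules, SI, geo, SSL and DNS fields follow
    return out


def build_sample_block() -> bytes:
    """Constructed sample: the walkthrough's values for the fixed fields plus three empty
    string blocks. Ingress zone is zeroed (printed truncated above); TCP flags,
    connection counter and URL category are assumed 0; the block ends after the
    string blocks, so it is shorter than the real 644 bytes."""
    u = lambda s: uuid.UUID(s).bytes
    ip4 = lambda s: ipaddress.IPv6Address("::ffff:" + s).packed  # assumed mapping
    fixed = FIXED.pack(
        1, bytes(16), u("60d50c80-4493-11e6-9843-84d8d6a3e008"),
        u("599126de-4493-11e6-a62d-f1dff731a85e"), u("608d6cf4-4493-11e6-9843-84d8d6a3e008"),
        ip4("172.16.3.5"), ip4("72.48.149.244"), bytes(16),
        u("00000000-0000-0000-0000-000057e9c39d"), 268439603, 0, 4, 64, 43786, 443, 0, 6,
        bytes(16), 7, 0, 1476103731, 1476103731, 13, 0, 1743, 0, 0, 0, 0, 0,
        bytes(16), 0, 16466, 1122, 0, 0, 1296, 0)
    body = fixed + struct.pack(">II", STRING_BLOCK_TYPE, 8) * 3
    return struct.pack(">II", BLOCK_CONNECTION_STATISTICS, 8 + len(body)) + body


if __name__ == "__main__":
    for key, value in parse_connection_block(build_sample_block()).items():
        print(f"{key:28} {value}")
```

Because the block length is taken from the wire and used to slice the buffer, the decoder refuses a length smaller than the fixed part or larger than the bytes it actually holds, and the string-block reader applies the same rule to each nested length; a collector that skips these checks can be made to read past a record by a malformed or hostile feed.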