Application Protocol Level Attack (10190 / 20197)
Key | Field Description | Comments |
---|---|---|
NFO timestamp | Format: Mmm dd hh:mm:ss | |
NFO server IP address | Format: IPv4_address | |
NFO server NetFlow source ID | Configurable. | |
nfc_id | Message type identifier | “nfc_id=20197” |
exp_ip | Network device (exporter) IP address | <IPv4_address> |
event_type | begin \| cont \| end | Current state of the attack |
dest_ip | Monitored server IP address | <IPv4_address> |
dest_port | Monitored server port number | <number> |
protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
t_event | NFO time of event | <number>, unix sec. NFO time at the end of the time interval when the event was identified. |
t_report | NFO time of report | <number>, unix sec. NFO time to which this message pertains |
attack_indicator | TCP-<protocol> UDP-<protocol> TSU-<protocol> | Textual representation of the attack indicator which contributed to this report, e.g. “TCP-HTTP” (no quotes) |
confidence | Confidence score | <number>, a value >= 90 indicating confidence in the event detection |
trend | Trend | <string>: increasing, steady, or abating |
t_int | Observation time interval, msec | <number> |
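As an added example (not NFO's own code or documentation), the following Python parses these messages into the fields above and tracks each monitored service (dest_ip, dest_port, protocol) from the `begin` report through any `cont` reports to the `end` report, dropping reports below the 90 confidence threshold. The single-space layout of the syslog prefix is an assumption, and the sample lines are constructed, not real NFO output.

```python
import re

# Syslog-style prefix from the table (timestamp, NFO server IP, NetFlow source ID);
# single-space separation before the key=value body is an assumption.
_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<nfo_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<source_id>\S+) (?P<body>.*)$"
)
_KV = re.compile(r"(\w+)=(\S+)")
NUMERIC = {"dest_port", "protocol", "t_event", "t_report", "confidence", "t_int"}
TRANSPORT = {6: "TCP", 17: "UDP"}
def parse_nfo_event(line):
    """Parse one nfc_id=20197 message into a dict; return None for anything else."""
    m = _HEADER.match(line)
    if not m:
        return None
    ev = dict(_KV.findall(m.group("body")))
    if ev.get("nfc_id") != "20197":
        return None
    for k in NUMERIC.intersection(ev):
        ev[k] = int(ev[k])
    ev["nfo_ip"], ev["source_id"] = m.group("nfo_ip"), m.group("source_id")
    ev["transport"] = TRANSPORT.get(ev.get("protocol"), "OTHER")
    # attack_indicator is "<TCP|UDP|TSU>-<application protocol>", e.g. TCP-HTTP
    ev["indicator_family"], _, ev["indicator_app"] = ev.get("attack_indicator", "").partition("-")
    return ev
def track_incidents(lines, min_confidence=90):
    """Replay messages in order, keeping one open incident per monitored service
    (dest_ip, dest_port, protocol) from begin/cont until end. Returns (open, closed)."""
    open_inc, closed = {}, []
    for line in lines:
        ev = parse_nfo_event(line)
        if ev is None or ev.get("confidence", 0) < min_confidence:
            continue  # wrong message type, or below the stated confidence threshold
        key = (ev["dest_ip"], ev["dest_port"], ev["protocol"])
        if ev["event_type"] in ("begin", "cont"):
            inc = open_inc.setdefault(key, {"first": ev["t_event"], "reports": 0})
            inc.update(last=ev["t_event"], trend=ev["trend"],
                       indicator=ev["attack_indicator"], reports=inc["reports"] + 1)
        elif ev["event_type"] == "end" and key in open_inc:
            closed.append((key, dict(open_inc.pop(key), last=ev["t_event"])))
    return open_inc, closed
# Constructed sample messages (RFC 5737 documentation addresses), not real NFO output.
SAMPLE_LINES = [
    "Jun 14 10:32:05 192.0.2.10 2 nfc_id=20197 exp_ip=198.51.100.1 event_type=begin dest_ip=203.0.113.5 dest_port=80 protocol=6 t_event=1718361125 t_report=1718361125 attack_indicator=TCP-HTTP confidence=95 trend=increasing t_int=60000",
    "Jun 14 10:33:05 192.0.2.10 2 nfc_id=20197 exp_ip=198.51.100.1 event_type=cont dest_ip=203.0.113.5 dest_port=80 protocol=6 t_event=1718361185 t_report=1718361185 attack_indicator=TCP-HTTP confidence=97 trend=steady t_int=60000",
    "Jun 14 10:34:05 192.0.2.10 2 nfc_id=20197 exp_ip=198.51.100.1 event_type=begin dest_ip=203.0.113.7 dest_port=53 protocol=17 t_event=1718361245 t_report=1718361245 attack_indicator=UDP-DNS confidence=90 trend=increasing t_int=60000",
    "Jun 14 10:35:05 192.0.2.10 2 nfc_id=20197 exp_ip=198.51.100.1 event_type=end dest_ip=203.0.113.5 dest_port=80 protocol=6 t_event=1718361305 t_report=1718361305 attack_indicator=TCP-HTTP confidence=93 trend=abating t_int=60000",
]
```

Running `track_incidents(SAMPLE_LINES)` leaves the UDP-DNS service open and closes the TCP-HTTP one with its first/last event times and report count.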