Application Protocol Level Attack (10190 / 20197)
| Key | Field Description | Comments |
| --- | --- | --- |
| | NFO timestamp | Format: Mmm dd hh:mm:ss |
| | NFO server IP address | Format: IPv4_address |
| | NFO server NetFlow source ID | Configurable. |
| nfc_id | Message type identifier | “nfc_id=20197” |
| exp_ip | Network device (exporter) IP address | <IPv4_address> |
| event_type | begin \| cont \| end | Current state of the attack |
| dest_ip | Monitored server IP address | <IPv4_address> |
| dest_port | Monitored server port number | <number> |
| protocol | Transport Protocol (TCP = 6, UDP = 17) | <number> |
| t_event | NFO time of event | <number>, unix sec. NFO time at the end of the time interval when the event was identified. |
| t_report | NFO time of report | <number>, unix sec. NFO time to which this message pertains. |
| attack_indicator | TCP-<protocol> \| UDP-<protocol> \| TSU-<protocol> | Textual representation of the attack indicator which contributed to this report, e.g. “TCP-HTTP” (no quotes) |
| confidence | Confidence score | <number>, a value >= 90 indicating confidence in the event detection |
| trend | Trend | <string>: increasing, steady, abating |
| t_int | Observation time interval, msec | <number> |
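
The following Python code is an added example, not part of the NFO documentation: it parses 20197 messages, rejects any whose fields contradict the table above, and reports which monitored targets still have an attack in progress. The space-separated key=value layout, the header values and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re

# Value constraints come from the field table; the wire layout is assumed.
KV_RE = re.compile(r"(\w+)=(\S+)")  # assumed: space-separated key=value tokens
INT_FIELDS = ("nfc_id", "dest_port", "protocol", "t_event", "t_report", "confidence", "t_int")
STR_FIELDS = ("exp_ip", "dest_ip", "event_type", "attack_indicator", "trend")
INDICATOR_RE = re.compile(r"(TCP|UDP|TSU)-\S+")


def parse_event(line):
    """Parse one 20197 message; raise ValueError if it contradicts the table."""
    ev = dict(KV_RE.findall(line))
    missing = [k for k in INT_FIELDS + STR_FIELDS if k not in ev]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    for k in INT_FIELDS:
        ev[k] = int(ev[k])  # ValueError on non-numeric input
    for k in ("exp_ip", "dest_ip"):
        ipaddress.IPv4Address(ev[k])  # AddressValueError is a ValueError
    checks = {
        "nfc_id": ev["nfc_id"] == 20197,
        "event_type": ev["event_type"] in ("begin", "cont", "end"),
        "protocol": ev["protocol"] in (6, 17),  # the table lists only TCP and UDP
        "attack_indicator": INDICATOR_RE.fullmatch(ev["attack_indicator"]) is not None,
        "confidence": ev["confidence"] >= 90,
        "trend": ev["trend"] in ("increasing", "steady", "abating"),
    }
    bad = [k for k, ok in checks.items() if not ok]
    if bad:
        raise ValueError(f"invalid fields: {bad}")
    return ev


def active_attacks(lines):
    """Map (dest_ip, dest_port, protocol) to the latest event of attacks not yet ended."""
    active = {}
    for ev in map(parse_event, lines):
        key = (ev["dest_ip"], ev["dest_port"], ev["protocol"])
        active[key] = ev  # later messages for the same target overwrite earlier ones
    return {k: v for k, v in active.items() if v["event_type"] != "end"}


# Constructed sample messages (documentation IP ranges, invented values).
_FMT = ("Jan 12 10:00:30 192.0.2.10 20 nfc_id=20197 exp_ip=192.0.2.1 event_type={} "
        "dest_ip=198.51.100.5 dest_port={} protocol=6 t_event=1705053630 "
        "t_report=1705053630 attack_indicator=TCP-HTTP confidence=93 trend={} t_int=30000")
SAMPLE = [_FMT.format(*a) for a in (("begin", 80, "increasing"), ("begin", 8080, "steady"),
                                    ("cont", 80, "steady"), ("end", 8080, "abating"))]
```

Rejecting messages that fall outside the documented value sets keeps malformed or spoofed syslog lines from silently opening or closing an attack in downstream alerting.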