Version: 2.11.0

Low and Slow Attack

| Key | Field Description | Comments |
| --- | --- | --- |
| | NFO timestamp | Format: Mmm dd hh:mm:ss |
| | NFO server IP address | Format: IPv4_address |
| | NFO server NetFlow source ID | Configurable. |
| nfc_id | Message type identifier | “nfc_id=20199” |
| exp_ip | Network device (exporter) IP address | `<IPv4_address>` |
| event_type | begin \| cont \| end | The attack current state |
| count | The number of anomalously behaving network peers | `<number>` |
| t_event | NFO time of event | `<number>`, unix sec. NFO time at the end of the time interval when the event was identified. |
| t_report | NFO time of report | `<number>`, unix sec. NFO time to which this message pertains |
| confidence | Confidence score | `<number>`, A value >= 90 indicating confidence in the event detection |
| trend | Trend | `<string>`, increasing, steady, abating |
| t_int | Observation time interval, msec | `<number>` |
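
A consumer-side parser and triage step for this message type, as an added example that is not part of the NFO documentation or product code. It assumes the fields arrive as whitespace-separated `key=value` pairs after the header; the sample lines are constructed, and the `triage` policy is illustrative, built only on the confidence threshold, `event_type` and `trend` values listed above.

```python
import re
from datetime import datetime, timezone

NFC_ID_LOW_AND_SLOW = "20199"
INT_FIELDS = ("count", "t_event", "t_report", "confidence", "t_int")
EVENT_TYPES = {"begin", "cont", "end"}
TRENDS = {"increasing", "steady", "abating"}
KV_RE = re.compile(r"(\w+)=(\S+)")  # assumed wire layout: key=value tokens

# Constructed sample messages (documentation address ranges, made-up values).
SAMPLE_LINES = [
    "Jan 12 10:15:30 192.0.2.10 1 nfc_id=20199 exp_ip=198.51.100.7 "
    "event_type=begin count=14 t_event=1736676900 t_report=1736676930 "
    "confidence=95 trend=increasing t_int=30000",
    "Jan 12 10:20:30 192.0.2.10 1 nfc_id=20199 exp_ip=198.51.100.7 "
    "event_type=cont count=9 t_event=1736677200 t_report=1736677230 "
    "confidence=72 trend=steady t_int=30000",
    "Jan 12 10:21:00 192.0.2.10 1 nfc_id=20001 exp_ip=198.51.100.7 count=3",
]

def parse_low_and_slow(line):
    """Return typed fields for an nfc_id=20199 message, else None."""
    fields = dict(KV_RE.findall(line))
    if fields.get("nfc_id") != NFC_ID_LOW_AND_SLOW:
        return None  # some other message type; not handled here
    missing = [k for k in INT_FIELDS + ("event_type", "trend") if k not in fields]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    for name in INT_FIELDS:
        fields[name] = int(fields[name])  # ValueError on non-numeric input
    if fields["event_type"] not in EVENT_TYPES:
        raise ValueError(f"unexpected event_type: {fields['event_type']}")
    if fields["trend"] not in TRENDS:
        raise ValueError(f"unexpected trend: {fields['trend']}")
    # t_event is unix seconds; keep a timezone-aware copy for correlation.
    fields["t_event_utc"] = datetime.fromtimestamp(fields["t_event"], tz=timezone.utc)
    return fields

def triage(event):
    """Illustrative policy: only act on events at or above confidence 90."""
    if event["confidence"] < 90:
        return "low-confidence"
    if event["event_type"] == "end":
        return "closed"
    return "escalate" if event["trend"] == "increasing" else "watch"

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        evt = parse_low_and_slow(raw)
        if evt:
            print(evt["exp_ip"], evt["event_type"], evt["count"], triage(evt))
```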