Low and Slow Attack (10190 / 20199)
| Key | Field Description | Comments |
| --- | --- | --- |
| | NFO timestamp | Format: `Mmm dd hh:mm:ss` |
| | NFO server IP address | Format: `IPv4_address` |
| | NFO server NetFlow source ID | Configurable. |
| nfc_id | Message type identifier | `nfc_id=20199` |
| exp_ip | Network device (exporter) IP address | `<IPv4_address>` |
| event_type | The current state of the attack | `begin \| cont \| end` |
| count | The number of anomalously behaving network peers | `<number>` |
| t_event | NFO time of event | `<number>`, unix sec. NFO time at the end of the time interval when the event was identified. |
| t_report | NFO time of report | `<number>`, unix sec. NFO time to which this message pertains. |
| confidence | Confidence score | `<number>`. A value >= 90 indicating confidence in the event detection. |
| trend | Trend | `<string>`: increasing, steady, abating |
| t_int | Observation time interval, msec | `<number>` |
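
A validating parser for this message, as an added example (not NetFlow Optimizer code), useful for rejecting malformed or out-of-spec records before they reach alerting. The wire layout (syslog-style header followed by space-separated `key=value` pairs), the function name `parse_low_and_slow` and the sample line are assumptions constructed for illustration; field names and allowed values come from the field list above.

```python
import ipaddress
import re

EVENT_TYPES = {"begin", "cont", "end"}
TRENDS = {"increasing", "steady", "abating"}
INT_FIELDS = ("nfc_id", "count", "t_event", "t_report", "confidence", "t_int")
REQUIRED = INT_FIELDS + ("exp_ip", "event_type", "trend")

# Assumed layout: "<Mmm dd hh:mm:ss> <NFO IPv4> <source ID> key=value key=value ..."
HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<nfo_ip>\S+) (?P<source_id>\S+) ")

# Constructed sample message (documentation-range addresses), not real NFO output.
SAMPLE = (
    "Mar 14 09:26:53 192.0.2.10 7 nfc_id=20199 exp_ip=198.51.100.1 "
    "event_type=begin count=12 t_event=1700000000 t_report=1700000030 "
    "confidence=93 trend=increasing t_int=30000")

def parse_low_and_slow(line):
    """Parse one message into typed fields; raise ValueError if it is out of spec."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("header does not match 'Mmm dd hh:mm:ss <ip> <source id>'")
    rec = m.groupdict()
    ipaddress.IPv4Address(rec["nfo_ip"])  # AddressValueError is a ValueError
    kv = dict(tok.split("=", 1) for tok in line[m.end():].split() if "=" in tok)
    missing = [k for k in REQUIRED if k not in kv]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    for k in INT_FIELDS:
        if not kv[k].isdigit():
            raise ValueError(f"{k} is not a number: {kv[k]!r}")
        rec[k] = int(kv[k])
    rec["exp_ip"] = str(ipaddress.IPv4Address(kv["exp_ip"]))
    if rec["nfc_id"] != 20199:
        raise ValueError(f"not a Low and Slow Attack message: nfc_id={rec['nfc_id']}")
    if kv["event_type"] not in EVENT_TYPES:
        raise ValueError(f"unknown event_type: {kv['event_type']!r}")
    if kv["trend"] not in TRENDS:
        raise ValueError(f"unknown trend: {kv['trend']!r}")
    if rec["confidence"] < 90:
        raise ValueError(f"confidence below documented floor of 90: {rec['confidence']}")
    rec["event_type"], rec["trend"] = kv["event_type"], kv["trend"]
    return rec

if __name__ == "__main__":
    print(parse_low_and_slow(SAMPLE))
```
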