45. Appendix 4 – Conditional Parameters & Dynamic Parameters
The tables below list the available Conditional Parameters and Dynamic Parameters. Their columns contain the following data: the row number, the name of the Conditional Parameter (N/A when the parameter cannot be used as a condition), the Dynamic Parameter placeholder (N/A when the parameter has no placeholder), the data type, and a description.
45.1. Anomaly-Related

| # | Conditional Parameter | Dynamic Parameter | Data Type | Description |
|---|---|---|---|---|
| 1 | Prefix | {prefix} | Prefix | Returns the prefix of the anomaly. For inbound anomalies it is the target IP/subnet; for outbound anomalies it is the source IP/subnet |
| 2 | IP Address | {ip} | Prefix | Returns the IP of {prefix}, without the CIDR mask |
| 3 | N/A | {ip_dns} | String | Returns the reverse DNS of {ip}. If the DNS lookup does not return a valid DNS PTR record then it returns {ip} |
| 4 | CIDR | {cidr} | Integer | Returns the CIDR mask of {prefix} |
| 5 | IP Group | {ip_group} | String | Returns the IP Group of {prefix} |
| 6 | Sensor | {sensor} | String | Returns the name of the Sensor that detected the anomaly. For SNMP Sensor and Flow Sensor the format is Sensor Name [Interface Name] |
| 7 | Sensor Name | {sensor_name} | String | Returns the name of the Sensor that detected the anomaly. For SNMP Sensor and Flow Sensor it does not return the Interface Name |
| 8 | Sensor Group | {sensor_group} | String | Returns the Device Group selected in the Sensor configuration |
| 9 | Sensor IP | {sensor_ip} | Prefix | Returns the IP address of the server running the Sensor |
| 10 | Sensor Type | {sensor_type} | String | Returns the type of Sensor: Packet Sensor, Flow Sensor, SNMP Sensor or Sensor Cluster |
| 11 | Sensor ID | {sensor_id} | Integer | Returns the Server ID of the server running the Sensor |
| 12 | Flow Exporter IP | {router_ip} | Prefix | Returns the IP address of the flow exporter. It is empty if the Sensor is not a Flow Sensor |
| 13 | IP Zone | {ipzone} | String | Returns the IP Zone used by the Sensor |
| 14 | IP Zone Prefix | {prefix_ipzone} | String | Returns the most specific prefix that includes {prefix} |
| 15 | Response | {response} | String | Returns the Response activated by the threshold rule |
| 16 | Response Actions | {response_actions} | String | Returns the list of actions executed by the Response. Contains only the actions that have the parameter Record Action checked |
| 17 | Threshold Template | {template} | String | Returns the Threshold Template that includes the threshold rule, if it exists |
| 18 | Expiration Delay | {expiration} | Integer | Returns the number of seconds of inactivity that must pass before the anomaly expires |
| 19 | Captured Packets | {captured_pkts} | Integer | Returns the number of packets captured successfully, if the Response contains an action for capturing packets |
| 20 | BGP Log Size | {bgplog_bytes} | Integer | Returns the size of the BGP announcement log, which is non-zero only when a BGP routing update was triggered for the anomaly |
| 21 | Anomaly | {anomaly} | String | Returns a description of the threshold rule that triggered the anomaly |
| 22 | Anomaly # | {anomaly_id} | Integer | Returns a unique identification number of the anomaly |
| 23 | Anomaly Classification | {classification} | String | Returns the classification of the anomaly by Console users: Unclassified, False Positive, Possible Attack, Trivial Attack, Verified Attack or Crippling Attack |
| 24 | Anomaly Comment | {comment} | String | Returns the user-submitted comment about the anomaly, if it exists |
| 25 | Direction | {direction} | String | Returns the direction of the traffic that triggered the anomaly: incoming or outgoing |
| 26 | N/A | {direction_to_from} | String | Returns to for inbound anomalies and from for outbound anomalies |
| 27 | N/A | {direction_receives_sends} | String | Returns receives for inbound anomalies and sends for outbound anomalies |
| 28 | Domain | {domain} | String | Returns IP when the CIDR mask is 32 for IPv4 or 128 for IPv6, and subnet in all other cases |
| 29 | Anomaly Class | {class} | String | Returns threshold for threshold-based anomalies and profile for profiling-based anomalies |
| 30 | Threshold Type | {threshold_type} | String | Returns the threshold value type, which can be either absolute or percentage |
| 31 | Anomaly Decoder (Protocol) | {decoder} | String | Returns the decoder used to detect the anomaly |
| 32 | Comparison | {operation} | String | Returns the comparison function used by the threshold rule: over or under |
| 33 | N/A | {comparison} | String | Returns > when {operation} is over, and < when {operation} is under |
| 34 | Unit | {unit} | String | Returns the measurement unit of the threshold rule: pkts/s or bits/s |
| 35 | Threshold Value | {rule_value} | Integer* | Returns the traffic value configured as threshold |
| 36 | Computed Threshold | {computed_threshold} | Integer* | Returns a threshold value dynamically adjusted for profiling-based and percentage-based anomalies |
| 37 | Peak Packets/s | {anomaly_pps} | Integer* | Returns the highest packets/s rate observed for the anomaly |
| 38 | Peak Bits/s | {anomaly_bps} | Integer* | Returns the highest bits/s rate observed for the anomaly |
| 39 | Latest Packets/s | {latest_anomaly_pps} | Integer* | Returns the latest packets/s rate |
| 40 | Latest Bits/s | {latest_anomaly_bps} | Integer* | Returns the latest bits/s rate |
| 41 | Peak Value | {value} | Integer* | Returns the highest value of abnormal traffic, together with the {unit} |
| 42 | Latest Value | {latest_value} | Integer* | Returns the latest value of abnormal traffic, together with the {unit} |
| 43 | Sum Value | {sum_value} | Integer* | Returns the number of packets counted during the anomaly when the {unit} is pkts/s. For bits/s thresholds it returns the number of bits counted during the anomaly |
| 44 | Peak Rule Severity | {severity} | Float | Returns the ratio between the peak abnormal traffic rate and the threshold value |
| 45 | Latest Rule Severity | {latest_severity} | Integer | Returns the ratio between the latest abnormal traffic rate and the threshold value |
| 46 | Peak Link Severity | {link_severity} | Integer | Returns the ratio between the peak abnormal traffic rate and the interface’s traffic rate |
| 47 | Latest Link Severity | {latest_link_severity} | Integer | Returns the ratio between the latest abnormal traffic rate and the interface’s traffic rate |
| 48 | Latest Link Utilization | {latest_link_utilization} | Integer | Returns the percentage between the latest traffic rate reported by the IP decoder for the whole interface and the interface Speed In/Out value configured in the Sensor configuration |
| 49 | N/A | {anomaly_log_10}, {anomaly_log_50}, {anomaly_log_100}, {anomaly_log_500}, {anomaly_log_1000} | String | Returns the first 10/50/100/500/1000 packets (if a packet capturing action is enabled in the Response) or flows (if Flow Collector is enabled) with the anomalous traffic |
| 50 | N/A | {software_version} | String | Returns the Wanguard version |
| 51 | Unique Dynamic Parameters | N/A | String | Prevents the execution of a Response action when there are other active anomalies that share the same user-defined criteria, expressed as a list of Dynamic Parameters. For example, if the Comparison is “equal to” and the Value is “{ip} {decoder}”, the action is executed only when there is no other active anomaly to/from the same IP with the same decoder |
| 52 | Custom Script Return Value | N/A | Integer | Allows execution only when the script entered in the Value field returns exit status 0. Dynamic Parameters can be passed as arguments to the script. Comparison must be set to equal to. It is important for the script to finish quickly, because it blocks the originating process |
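Row 52 above says that the Console runs the script named in the Value field, passes any Dynamic Parameters listed there as arguments, and executes the action only when the script exits with status 0. The POSIX shell script below is an added example and is not part of the Wanguard documentation or product: it assumes the Value field was configured as the script path followed by `{ip} {decoder} {severity}` in that order, and it allows the action only when {ip} lies outside a constructed allowlist of prefixes (for instance internal scanners whose traffic spikes are expected) and {severity} reaches a minimum ratio. The allowlist, the minimum severity and the argument order are assumptions. Because the script blocks the originating process, it uses only shell built-ins and performs no DNS or whois lookups.

```shell
#!/bin/sh
# Added example of a Custom Script for the "Custom Script Return Value"
# Conditional Parameter (not from the Wanguard documentation). Assumed
# invocation by the Console: script.sh {ip} {decoder} {severity}
# Exit status 0 lets the Response action run; any other status blocks it.

# Constructed allowlist (hypothetical values): anomalies to/from these
# prefixes never trigger the action. IPv4 only in this example.
ALLOWLIST="192.0.2.0/24 198.51.100.7/32"

# Minimum {severity} (peak abnormal rate divided by the threshold) required
# before the action is worth executing. Hypothetical value.
MIN_SEVERITY=2

# Convert a dotted IPv4 address to a 32-bit integer. The subshell keeps the
# IFS change local.
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# Return 0 when $1 (an IPv4 address) falls inside $2 (an IPv4 CIDR prefix),
# 1 otherwise. Non-IPv4 input is treated as "not inside".
in_prefix() {
    case $1 in *.*.*.*) ;; *) return 1 ;; esac
    net=${2%/*}
    bits=${2#*/}
    # 4294967295 is 0xFFFFFFFF; shell arithmetic is at least 64-bit, so the
    # mask is truncated back to 32 bits after the shift
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Decision function: 0 = execute the action, 1 = skip it.
# $1 = {ip}, $2 = {decoder}, $3 = {severity}
should_execute() {
    ip=$1
    decoder=$2
    severity=${3:-0}
    for p in $ALLOWLIST; do
        in_prefix "$ip" "$p" && return 1
    done
    # {severity} is a Float such as 3.25; compare its integer part only
    [ "${severity%%.*}" -ge "$MIN_SEVERITY" ] || return 1
    return 0
}

# When invoked by the Console with the three arguments, report the decision
# through the exit status. Without arguments the functions are only defined.
if [ "$#" -ge 3 ]; then
    should_execute "$1" "$2" "$3"
    exit $?
fi
```

The decoder argument is accepted but unused here so that the argument order matches a Value field of `{ip} {decoder} {severity}`; a site-specific script could use it to apply different minimum severities per decoder. Keep the Comparison of the Conditional Parameter set to equal to, as the row requires.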
45.2. Time-Related

| # | Conditional Parameter | Dynamic Parameter | Data Type | Description |
|---|---|---|---|---|
| 1 | From (ISO 8601) | {from} | String | Returns the start time of the anomaly, in ISO 8601 format (YYYY-MM-DD HH:MM:SS) |
| 2 | From (unixtime) | {from_unixtime} | Integer | Returns the start time of the anomaly, in unixtime format (number of seconds since Jan 1st 1970) |
| 3 | N/A | {from_year}, {from_month}, {from_day}, {from_dow}, {from_hour}, {from_minute} | Integer | Returns the start time of the anomaly, split into year, month, day, day of week, hour and minute |
| 4 | Until (ISO 8601) | {until} | String | Returns the stop/expiration time of the anomaly, in ISO 8601 format (YYYY-MM-DD HH:MM:SS) |
| 5 | Until (unixtime) | {until_unixtime} | Integer | Returns the stop/expiration time of the anomaly, in unixtime format (number of seconds since Jan 1st 1970) |
| 6 | N/A | {until_year}, {until_month}, {until_day}, {until_dow}, {until_hour}, {until_minute} | Integer | Returns the stop time of the anomaly, split into year, month, day, day of week, hour and minute |
| 7 | Duration | {duration} | Integer | Returns the duration of the anomaly, expressed in seconds |
| 8 | Internal Ticks | {tick} | Integer | Returns the internal tick of the Sensor. By default, Packet Sensor increases the tick value once every 5 seconds. Flow Sensor increases the tick value once every X seconds, where X is the value of the Granularity parameter |
| 9 | N/A | {duration_clock} | String | Returns a text string describing the duration of the anomaly. Example: <5sec, 5h 4m 3s |
| 10 | N/A | {duration_clock_full} | String | Returns a text string describing the duration of the anomaly. Example: <5 seconds, 5 hours 4 minutes 3 seconds |
45.3. IP Traffic-Related

| # | Conditional Parameter | Dynamic Parameter | Data Type | Description |
|---|---|---|---|---|
| 1 | Peak IP Pkts/s | {total_pps} | Integer* | Returns the peak packets/s rate for {prefix} and the IP decoder |
| 2 | Peak IP Bits/s | {total_bps} | Integer* | Returns the peak bits/s rate for {prefix} and the IP decoder |
| 3 | Latest IP Pkts/s | {latest_total_pps} | Integer* | Returns the latest packets/s rate for {prefix} and the IP decoder |
| 4 | Latest IP Bits/s | {latest_total_bps} | Integer* | Returns the latest bits/s rate for {prefix} and the IP decoder |
| 5 | IP Packets | {sum_total_pkts} | Integer* | Returns the number of packets counted during the anomaly for the IP decoder |
| 6 | IP Bits | {sum_total_bits} | Integer* | Returns the number of bits counted during the anomaly for the IP decoder |
45.4. Filter-Related

| # | Conditional Parameter | Dynamic Parameter | Data Type | Description |
|---|---|---|---|---|
| 1 | Number of Filters | {filters} | Integer | Returns the number of Filter instances activated for the anomaly |
| 2 | Filters Pkts/s | {filters_pps} | Integer* | Returns the most recent packets/s rate recorded by the Filter instance(s) |
| 3 | Filters Bits/s | {filters_bps} | Integer* | Returns the most recent bits/s rate recorded by the Filter instance(s) |
| 4 | Filters Peak Pkts/s | {filters_max_pps} | Integer* | Returns the peak packets/s rate recorded by the Filter instance(s) |
| 5 | Filters Peak Bits/s | {filters_max_bps} | Integer* | Returns the peak bits/s rate recorded by the Filter instance(s) |
| 6 | Filtered Packets | {filters_filtered_packets} | Integer* | Returns the number of packets blocked by the Filter instance(s) |
| 7 | Filtered Bits | {filters_filtered_bits} | Integer* | Returns the number of bits blocked by the Filter instance(s) |
| 8 | Filters CPU Usage | {filters_max_cpu_usage} | Integer | Returns the maximum CPU% used by the Filter instance(s) |
| 9 | Filters IPs (Ext.) | {filters_ips} | Integer | Returns the number of external IPs detected by the Filter instance(s) in the last 5 seconds |
| 10 | Number of Filtering Rules | {filtering_rules} | Integer | Returns the number of filtering rules detected by the Filter instance(s) |
45.5. Filtering Rule-Related

| # | Conditional Parameter | Dynamic Parameter | Data Type | Description |
|---|---|---|---|---|
| 1 | Filter | {filter} | String | Returns the name of the Filter that detected the filtering rule |
| 2 | Filter Group | {filter_group} | String | Returns the Device Group selected in the Filter configuration |
| 3 | Filter Type | {filter_type} | String | Returns the type of the Filter: Packet Filter, Flow Filter or Filter Cluster |
| 4 | Filter ID | {filter_id} | Integer | Returns a unique ID of the Filter that detected the filtering rule |
| 5 | Filtering Rule # | {filtering_rule_id} | Integer | Returns a unique ID of the filtering rule |
| 6 | Filtering Rule Type | {filtering_rule_type} | String | Returns the type of the filtering rule. The possible values are listed in Anomaly Mitigation |
| 7 | Filtering Rule Value | {filtering_rule_value} | String | Returns the value of the filtering rule: specific IP, port number, protocol number, etc. |
| 8 | N/A | {filtering_rule_ip_dns} | String | Returns the reverse DNS of the IP, when {filtering_rule_type} is IP Address |
| 9 | Filtering Rule ISP | {filtering_rule_ip_isp} | String | Returns the organization or Internet Service Provider that the IP belongs to, when {filtering_rule_type} is IP Address |
| 10 | N/A | {attacker_isp} | String | Returns the email address of {filtering_rule_ip_isp}, if it is defined and if the information can be extracted from the whois database |
| 11 | Filtering Rule Country | {filtering_rule_ip_country} | String | Returns the country of the IP, when {filtering_rule_type} is IP Address |
| 12 | Filtering Rule Pkts/s | {filtering_rule_pps} | Integer* | Returns the latest packets/s rate for the traffic matched by the filtering rule |
| 13 | Filtering Rule Bits/s | {filtering_rule_bps} | Integer* | Returns the latest bits/s throughput for the traffic matched by the filtering rule |
| 14 | Filtering Rule Peak Pkts/s | {filtering_rule_max_pps} | Integer* | Returns the peak packets/s rate for the traffic matched by the filtering rule |
| 15 | Filtering Rule Peak Bits/s | {filtering_rule_max_bps} | Integer* | Returns the peak bits/s throughput for the traffic matched by the filtering rule |
| 16 | Filtering Rule Unit/s | {filtering_rule_unit} | Integer* | Returns {filtering_rule_pps} for packets/s thresholds and {filtering_rule_bps} for bits/s thresholds |
| 17 | Filtering Rule Peak Unit/s | {filtering_rule_max_unit} | Integer* | Returns {filtering_rule_max_pps} or {filtering_rule_max_bps}, depending on the unit of the threshold |
| 18 | Filtering Rule Severity | {filtering_rule_severity} | Integer | Returns the ratio between the traffic matched by the filtering rule and the threshold value |
| 19 | Filtering Rule Packets | {filtering_rule_packets} | Integer* | Returns the number of packets matched by the filtering rule |
| 20 | Filtering Rule Bits | {filtering_rule_bits} | Integer* | Returns the number of bits matched by the filtering rule |
| 21 | Filtering Rule Time Interval | {filtering_rule_difftime} | Integer | Returns the duration for which the filtering rule was detected |
| 22 | Filtering Rule Whitelist | {filtering_rule_whitelisted} | Integer | Returns 1 when the filtering rule is whitelisted, or 0 otherwise |
| 23 | Filtering Rule Traffic Sample Size | {filtering_rule_log_size} | Integer* | Returns the packet dump size in bytes, if a packet capturing action is enabled in the Response for the filtering rule |
| 24 | N/A | {filtering_rule_log_10}, {filtering_rule_log_50}, {filtering_rule_log_100}, {filtering_rule_log_500}, {filtering_rule_log_1000} | String | Returns the first 10/50/100/500/1000 packets with the traffic matched by the filtering rule, if a packet capturing action is enabled in the Response for the filtering rule |