45. Appendix 4 – Conditional Parameters & Dynamic Parameters¶

The columns from the tables listed below contain the following data:

● Conditional Parameter is used to restrict the execution of the actions contained in Responses

● Dynamic Parameter is a placeholder token (variable) that can be used as parameter or script argument in most Response actions because, at run-time, the software translates it into the requested value. Each dynamic parameter is defined within curly brackets

● Data Type shows the returned value type and which comparison operators are accepted by the Conditional Parameter:

• String returns a variable-length string. It accepts the comparison operators:

▪ equal to - it implies a perfect match without any differences. E.g. if the Conditional Parameter is “apple” and the Value is also “apple”, then equal to is true
▪ not equal to - it implies any difference qualifies for this condition to be true. E.g. if the Conditional Parameter is “apple” and the Value is “orange”, then not equal to is true
▪ includes - the “Value” can be a part or a segment of the “Conditional Parameter”. E.g. if the Conditional Parameter is “apple pie” and the Value is “apple”, then includes is true because “apple pie” contains “apple”
▪ included in - is true if the “Value” contains the “Conditional Parameter” as a substring. This is the inverse relationship of includes. E.g. if the Conditional Parameter is “apple” and the Value is “apple pie”, then included in is true because “apple” is part of the larger string “apple pie”
▪ excludes - is true if the “Conditional Parameter” does not contain the “Value” as a substring. This indicates the absence of the “Value” within the “Conditional Parameter”. E.g. if the Conditional Parameter is “apple pie” and the Value is “cherry”, then excludes is true because “apple pie” does not contain “cherry”
▪ excluded from - is true if the “Value” does not contain the “Conditional Parameter” as a substring. This is the opposite of included in. E.g. if the Conditional Parameter is “cherry” and the Value is “apple pie”, then excluded from is true because “cherry” is not part of “apple pie”
▪ regexp - is true when the “Conditional Parameter” matches the regular expression from “Value”. E.g. when “Value” is “[A-Z]”, the precondition is true only when the “Conditional Parameter” contains an upper-case letter

• Integer returns a 64-bit unsigned integer number. It accepts the comparison operators:

▪ equal to - is true when “Conditional Parameter” and “Value” are identical
▪ not equal to - is true when “Conditional Parameter” and “Value” are not identical
▪ greater than - is true when “Conditional Parameter” is larger than “Value”
▪ less than - is true when “Conditional Parameter” is smaller than “Value”
▪ divisible by - is true when “Conditional Parameter” can be divided by “Value” without leaving a remainder

• Integer* accepts the same comparison operators as Integer. The values can be returned in multiples of 1,000 by appending “_kilo” to the dynamic parameter name. The same goes for 1,000,000 by appending “_mega” and for 1,000,000,000 by appending “_giga”. To return the value and the biggest multiplier (k, M, G) for the value, append “_prefix”. To also return the decoder before the biggest multiplier (k, M, G) value, append “_decoder_prefix”

• Float returns an unsigned floating point number when the comparison operator is greater than or less than, or an unsigned integer when the comparison operator is equal to, not equal to or divisible by

• Prefix returns a string containing a subnet or IP. It accepts the comparison operators equal to, not equal to, includes, included in, excludes and excluded from. The inclusion/exclusion operators compare prefixes, not strings

● Description provides a short explanation of the parameter

45.1. Anomaly-Related Tokens¶

#	Conditional Parameter	Dynamic Parameter	Data Type	Description
1	Prefix	{prefix}	Prefix	Returns the prefix of the anomaly, which is the victim IP/CIDR mask for inbound anomalies, or the source IP/CIDR mask for outbound anomalies
2	IP Address	{ip}	Prefix	Returns the IP of {prefix}, without the CIDR mask
3	IP Version	{ip_version}	Prefix	Returns the IP version of {prefix}, either 4 or 6
4	N/A	{ip_dns}	String	Returns the reverse DNS of {ip}. If the DNS lookup does not return a valid DNS PTR record then it returns {ip}
5	IP AS Number	{ip_asn}	Integer	Returns the AS Number of {ip}. If the GeoIP database does not provide an AS number, it returns 0
6	CIDR	{cidr}	Integer	Returns the CIDR mask of {prefix}
7	IP Group	{ip_group}	String	Returns the IP Group of {prefix}
8	Sensor	{sensor}	String	Returns the name of the Sensor that detected the anomaly. For SNMP Sensor and Flow Sensor the format is Sensor Name [Interface Name]
9	Sensor Name	{sensor_name}	String	Returns the name of the Sensor that detected the anomaly. For SNMP Sensor and Flow Sensor it does not return the Interface Name
10	Sensor Group	{sensor_group}	String	Returns the Device Group selected in the Sensor configuration
11	Sensor IP	{sensor_ip}	Prefix	Returns the IP address of the server running the Sensor
12	Sensor Type	{sensor_type}	String	Returns the type of Sensor: Packet Sensor, Flow Sensor, SNMP Sensor or Sensor Cluster
13	Sensor ID	{sensor_id}	Integer	Returns the Server ID of server running the Sensor
14	Flow Exporter IP	{router_ip}	Prefix	Returns the IP address of the flow exporter. It is empty if the Sensor is not a Flow Sensor
15	IP Zone	{ipzone}	String	Returns the IP Zone used by the Sensor
16	IP Zone Prefix	{prefix_ipzone}	Prefix	Returns the most specific prefix that includes the {prefix}
17	IP Zone Parent Prefix	{parent_prefix_ipzone}	Prefix	Returns the parent of the most specific prefix that includes the {prefix}
18	Response	{response}	String	Returns the Response activated by the threshold rule
19	Response Actions	{response_actions}	String	Returns the list of actions executed by the Response. Contains only the actions that have the parameter Record Action checked
20	Threshold Template	{template}	String	Returns the Threshold Template that includes the threshold rule, if it exists
21	Expiration Delay	{expiration}	Integer	Returns the number of seconds of inactivity that must pass before the anomaly expires
22	Captured Packets	{captured_pkts}	Integer	Returns the number of packets captured successfully, if the Response contains an action for capturing packets
23	BGP Log Size	{bgplog_bytes}	Integer	Returns the size of the BGP announcement log which is non-zero only when a BGP routing update was triggered for the anomaly
24	Anomaly	{anomaly}	String	Returns a description of the threshold rule that triggered the anomaly
25	Anomaly #	{anomaly_id}	Integer	Returns a unique identification number of the anomaly
26	Anomaly Classification	{classification}	String	Returns the clasification of the anomaly by Console users: Unclassified, False Positive, Possible Attack, Trivial Attack, Verified Attack or Crippling Attack
27	Anomaly Comment	{comment}	String	Returns the user-submitted comment about the anomaly, if it exists
28	Direction	{direction}	String	Returns the direction of the traffic that triggered the anomaly: incoming or outgoing
29	N/A	{Direction}	String	Returns {direction} but with an upper first letter
30	N/A	{direction_to_from}	String	Returns to for inbound anomalies and from for outbound anomalies
31	N/A	{direction_receives_sends}	String	Returns receives for inbound anomalies and sends for outbound anomalies
32	Domain	{domain}	String	Returns the corresponding Domain from the threshold. It is internal IP when CIDR mask is 32 for IPv4 or 128 for IPv6, subnet in other cases, or external IP for similar thresholds set on 0.0.0.0/0
33	N/A	{Domain}	String	Returns {domain} but with an upper first letter
34	Anomaly Class	{class}	String	Returns threshold for threshold-based anomalies and profile for profiling-based anomalies
35	Threshold Type	{threshold_type}	String	Returns the threshold value type, which can be either absolute or percentage
36	Anomaly Decoder (Protocol)	{decoder}	String	Returns the decoder used to detect the anomaly
37	Comparison	{operation}	String	Returns the comparison function used by the threshold rule: over or under
38	N/A	{comparison}	String	Returns > when {operation} is over, and < when {operation} is under
39	Unit	{unit}	String	Returns the measurement unit of the threshold rule: pkts/s or bits/s
40	Threshold Value	{rule_value}	Integer*	Returns the traffic value configured as threshold
41	Computed Threshold	{computed_threshold}	Integer*	Returns a threshold value dynamically adjusted for profiling-based and percentage-based anomalies
42	Peak Packets/s	{anomaly_pps}	Integer*	Returns the highest packets/s rate observed for the anomaly
43	Peak Bits/s	{anomaly_bps}	Integer*	Returns the highest bits/s rate observed for the anomaly
44	Latest Packets/s	{latest_anomaly_pps}	Integer*	Returns the latest packets/s rate
45	Latest Bits/s	{latest_anomaly_bps}	Integer*	Returns the latest bits/s rate
46	Peak Value	{value}	Integer*	Returns the highest value of abnormal traffic, and also the {unit}
47	Latest Value	{latest_value}	Integer*	Returns the latest value of abnormal traffic, and also the {unit}
48	Sum Value	{sum_value}	Integer*	Returns the number of packets counted during the anomaly, when the {unit} is pkts/s. For bits/s thresholds it returns the number of bits counted during the anomaly
49	Peak Rule Severity	{severity}	Float	Returns the ratio between the peak abnormal traffic rate and the threshold value
50	Latest Rule Severity	{latest_severity}	Integer	Returns the ratio between the latest abnormal traffic rate and the threshold value
51	Peak Link Severity	{link_severity}	Integer	Returns the ratio between the peak abnormal traffic rate and the interface’s traffic rate
52	Latest Link Severity	{latest_link_severity}	Integer	Returns the ratio between the latest abnormal traffic rate and the interface’s traffic rate
53	Latest Link Utilization	{latest_link_utilization}	Integer	Returns the percentage between the latest traffic rate reported by the IP decoder for the whole interface, and the interface Speed In/Out value configured in the Sensor configuration
54	N/A	{anomaly_log_10}, {anomaly_log_50}, {anomaly_log_100}, {anomaly_log_500}, {anomaly_log_1000}	String	Returns the first 10/50/100/500/1000 packets (if a packet capturing action is enabled in the Response) or flows (if Flow Collector is enabled) with the anomalous traffic
55	N/A	{attacked_isp}	String	Returns the abuse mailbox or the contact email of the victim’s ISP if it can be extracted from the whois database
56	N/A	{software_version}	String	Returns the Wanguard version
57	Unique Dynamic Parameters	N/A	String	This is used to prevent the execution of a Response action when there are other active anomalies that share the same user-defined criteria, expressed as a list of Dynamic Parameters. For example, if the Comparison is “equal to” and the Value “{ip} {decoder}” then the action will be executed only when there isn’t any other active anomaly to/from the same IP and the same decoder
58	Custom Script Return Value	N/A	Integer	This Conditional Parameter allows execution only when the script entered in the Value field returns status 0 after its execution. You can pass Dynamic Parameters as arguments for the script. Comparison must be set to equal to. It is important for the script to finish quickly, because it blocks the originating process

45.2. Time-Related Tokens¶

#	Conditional Parameter	Dynamic Parameter	Data Type	Description
1	From (ISO 8601)	{from}	String	Returns the start time of the anomaly, in iso8601 format (YYYY-MM-DD HH:MM:SS)
2	From (unixtime)	{from_unixtime}	Integer	Returns the start time of the anomaly, in unixtime format (number of seconds since Jan 1st 1970)
3	N/A	{from_year},{from_month},{from_day},{from_dow},{from_hour},{from_minute}	Integer	Returns the start time of the anomaly, in year, month, etc.
4	Until (ISO 8601)	{until}	String	Returns the stop/expiration time of the anomaly, in iso8601 format (YYYY-MM-DD HH:MM:SS)
5	Until (unixtime)	{until_unixtime}	Integer	Returns the stop/expiration time of the anomaly, in unixtime format (number of seconds since Jan 1st 1970)
6	N/A	{until_year},{until_month},{until_day},{until_dow},{until_hour},{until_minute}	Integer	Returns the stop time of the anomaly, in year, month, etc.
7	Duration	{duration}	Integer	Returns the duration of the anomaly, expressed in seconds
8	Internal Ticks	{tick}	Integer	Returns the internal tick of the Sensor. By default, Packet Sensor increases the tick value once every 5 seconds. Flow Sensor increases the tick value once every X seconds, where X = the value of the Granularity parameter
9	N/A	{duration_clock}	String	Returns a text string describing the duration of the anomaly. Example: <5sec, 5h 4h 3s
10	N/A	{duration_clock_full}	String	Returns a text string describing the duration of the anomaly. Example: <5 seconds, 5 hours 4 minutes 3 seconds

45.3. IP Decoder-Related Tokens¶

#	Conditional Parameter	Dynamic Parameter	Data Type	Description
1	Peak IP Pkts/s	{total_pps}	Integer*	Returns the peak packets/s rate for {prefix} and the IP decoder
2	Peak IP Bits/s	{total_bps}	Integer*	Returns the peak bits/s rate for {prefix} and the IP decoder
3	Latest IP Pkts/s	{latest_total_pps}	Integer*	Returns the latest packets/s rate for {prefix} and the IP decoder
4	Latest IP Bits/s	{latest_total_bps}	Integer*	Returns the latest bits/s rate for {prefix} and the IP decoder
5	IP Packets	{sum_total_pkts}	Integer*	Returns the number of packets counted during the anomaly for the IP decoder
6	IP Bits	{sum_total_bits}	Integer*	Returns the number of bits counted during the anomaly for the IP decoder

45.4. Filter-Related Tokens¶

#	Conditional Parameter	Dynamic Parameter	Data Type	Description
1	Number of Filters	{filters}	Integer	Returns the number of Filter instances activated for the anomaly
2	Filters Pkts/s	{filters_pps}	Integer*	Returns the most recent packets/s rate recorded by the Filter instance(s)
3	Filters Bits/s	{filters_bps}	Integer*	Returns the most recent bits/s rate recorded by the Filter instance(s)
4	Filters Peak Pkts/s	{filters_max_pps}	Integer*	Returns the peak packets/s rate recorded by the Filter instance(s)
5	Filters Peak Bits/s	{filters_max_bps}	Integer*	Returns the peak bits/s rate recorded by the Filter instance(s)
6	Filtered Packets	{filters_filtered_packets}	Integer*	Returns the number of packets blocked by the Filter instance(s)
7	Filtered Bits	{filters_filtered_bits}	Integer*	Returns the number of bits blocked by the Filter instance(s)
8	Filters CPU Usage	{filters_max_cpu_usage}	Integer	Returns the maximum CPU% used by the Filter instance(s)
9	Filters IPs (Ext.)	{filters_ips}	Integer	Returns the number of external IPs detected by the Filter instance(s) in the last 5 seconds
10	Number of Filtering Rules	{filtering_rules}	Integer	Returns the number of filtering rules detected by the Filter instance(s)

45.5. Filtering Rule-Related Tokens¶

#	Conditional Parameter	Dynamic Parameter	Data Type	Description
1	Filter	{filter}	String	Returns the name of the Filter that detected the filtering rule
2	Filter Group	{filter_group}	String	Returns the Device Group selected in the Filter configuration
3	Filter Type	{filter_type}	String	Returns the type of the Filter: Packet Filter, Flow Filter or Filter Cluster
4	Filter ID	{filter_id}	Integer	Returns a unique ID of the Filter that detected the filtering rule
5	Filtering Rule #	{filtering_rule_id}	Integer	Returns a unique ID of the filtering rule
6	Filtering Rule Type	{filtering_rule_type}	String	Returns the type of the filtering rule. The possible values are listed in Anomaly Mitigation
7	Filtering Rule Value	{filtering_rule_value}	String	Returns the value of the filtering rule: specific IP, port number, protocol number, etc.
8	N/A	{filtering_rule_ip_dns}	String	Returns the reverse DNS of the IP, when {filtering_rule_type} is IP Address
9	Filtering Rule ISP	{filtering_rule_ip_isp}	String	Returns the corresponding organization or Internet Service Provider of the IP, when {filtering_rule_type} is IP Address
10	N/A	{attacker_isp}	String	Returns the email address of {filtering_rule_ip_isp}, if it is defined and if the information can be extracted from the whois database
11	Filtering Rule Country	{filtering_rule_ip_country}	String	Returns the country of the IP, when {filtering_rule_type} is IP Address
12	Filtering Rule ASN	{filtering_rule_ip_asn}	Integer	Returns the AS number from a GeoIP database for the IP, when {filtering_rule_type} is IP Address
13	Filtering Rule Pkts/s	{filtering_rule_pps}	Integer*	Returns the latest packet/s rate for the traffic matched by the filtering rule
14	Filtering Rule Bits/s	{filtering_rule_bps}	Integer*	Returns the latest bits/s throughput for the traffic matched by the filtering rule
15	Filtering Rule Peak Pkts/s	{filtering_rule_max_pps}	Integer*	Returns the peak packet/s rate for the traffic matched by the filtering rule
16	Filtering Rule Peak Bits/s	{filtering_rule_max_bps}	Integer*	Returns the peak bits/s throughput for the traffic matched by the filtering rule
17	Filtering Rule Unit/s	{filtering_rule_unit}	Integer*	Returns {filtering_rule_pps} for packets/s thresholds and {filtering_rule_bps} for bits/s thresholds
18	Filtering Rule Peak Unit/s	{filtering_rule_max_unit}	Integer*	Returns {filtering_rule_max_pps} or {filtering_rule_max_bps}, depending on the unit of the threshold
19	Filtering Rule Severity	{filtering_rule_severity}	Integer	Returns the ratio between the traffic matched by the filtering rule and the threshold value
20	Filtering Rule Packets	{filtering_rule_packets}	Integer*	Returns the number of packets matched by the filtering rule
21	Filtering Rule Bits	{filtering_rule_bits}	Integer*	Returns the number of bits matched by the filtering rule
22	Filtering Rule Time Interval	{filtering_rule_difftime}	Integer	Returns the duration while the filtering rule was detected
23	Filtering Rule Whitelist	{filtering_rule_whitelisted}	Integer	Returns 1 when the filtering rule is whitelisted, or 0 otherwise
24	Filtering Rule Traffic Sample Size	{filtering_rule_log_size}	Integer*	Returns the packet dump size in bytes, if a packet capturing action is enabled in the Response for the filtering rule
25	N/A	{filtering_rule_log_10}, {filtering_rule_log_50}, {filtering_rule_log_100}, {filtering_rule_log_500}, {filtering_rule_log_1000}	String	Returns the first 10/50/100/500/1000 packets with the traffic matched by the filtering rule, if a packet capturing action is enabled in the Response for the filtering rule

45.6. System-Wide Tokens¶

#	Conditional Parameter	Dynamic Parameter	Data Type	Description
1	Anomalies (all Sensors, Decoders, Prefixes)	{anomalies}	Integer	Returns the total number of active anomalies from any Sensor, Decoder (incl. Unit) or Prefix
2	Anomalies (same Sensor)	{anomalies_sensor}	Integer	Returns the total number active anomalies from the same Sensor
3	Anomalies (same Decoder)	{anomalies_decoder}	Integer	Returns the total number active anomalies from the same Decoder and Unit (pkts/s or bits/s)
4	Anomalies (same Sensor, Decoder)	{anomalies_sensor_decoder}	Integer	Returns the total number active anomalies from the same Sensor and Decoder and Unit (pkts/s or bits/s)
5	Anomalies (same Sensor, Decoder, Prefix/24)	{anomalies_sensor_decoder_cidr_24}	Integer	Returns the total number active anomalies from the same Sensor, Decoder, Unit (pkts/s or bits/s) and Prefix/24