Appendix 5 – Conditional Parameters & Dynamic Parameters

The tables listed below show the following columns:

Conditional Parameter is used as a precondition for the execution of the actions listed in Configuration » Network & Policy » [Response].

Type shows whether the Conditional Parameter is compared as a string (equal, non-equal, includes, excludes) or as a number (equal, non-equal, greater than, less than, modulo). The software returns only integers, never floating-point numbers.

Dynamic Parameter is a variable written inside curly brackets, for example {ip}, that can be used as a parameter or script argument in most Response actions. If its type is Number*, the value can also be returned in multiples of 1,000 by appending _kilo to the dynamic parameter, in multiples of 1,000,000 by appending _mega, and in multiples of 1,000,000,000 by appending _giga. To get the biggest multiplier (k, M, G) that fits the value, append _prefix. To also return the decoder before the biggest multiplier (k, M, G) value, append _decoder_prefix.
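As an added illustration (not Wanguard's own code), the following Python mimics how a Response action string is expanded from a dynamic parameter context and how a conditional parameter precondition is evaluated before the action runs. The anomaly values are constructed, the parameter names come from the tables below, and the exact output layout of _decoder_prefix and the meaning of the modulo comparison are my assumptions.

```python
import re
# Constructed anomaly record with made-up sample values (not taken from the page);
# keys are dynamic parameter names from the tables, without the curly brackets.
ANOMALY = {"ip": "203.0.113.10", "cidr": 32, "decoder": "UDP", "direction": "incoming",
           "unit": "bits/s", "anomaly_bps": 4_850_000_000, "anomaly_pps": 1_200_000,
           "rule_value": 500_000_000, "severity": 9, "duration": 83}
MULTIPLIERS = {"kilo": 10**3, "mega": 10**6, "giga": 10**9}

def biggest_prefix(value):
    """Largest of k/M/G that fits the value ('' below 1,000): what _prefix returns."""
    for letter, mult in (("G", 10**9), ("M", 10**6), ("k", 10**3)):
        if value >= mult:
            return letter
    return ""

def resolve(name, ctx):
    """Resolve one dynamic parameter, honouring _kilo/_mega/_giga, _prefix and
    _decoder_prefix. Integers only, as the page states: 4,850,000,000 _giga -> 4."""
    if name in ctx:
        return str(ctx[name])
    for suffix, mult in MULTIPLIERS.items():
        if name.endswith("_" + suffix):
            return str(int(ctx[name[: -len(suffix) - 1]]) // mult)
    if name.endswith("_decoder_prefix"):  # assumed layout: "<decoder> <prefix letter>"
        return f"{ctx['decoder']} {biggest_prefix(int(ctx[name[:-len('_decoder_prefix')]]))}"
    if name.endswith("_prefix"):
        return biggest_prefix(int(ctx[name[:-len("_prefix")]]))
    raise KeyError(f"unknown dynamic parameter {{{name}}}")

def expand(template, ctx):
    """Substitute every {name} in a Response action string or script argument."""
    return re.sub(r"\{([a-z0-9_]+)\}", lambda m: resolve(m.group(1), ctx), template)

# Comparison operators listed above for the two conditional parameter types.
STRING_OPS = {"equal": lambda a, b: a == b, "non-equal": lambda a, b: a != b,
              "includes": lambda a, b: b in a, "excludes": lambda a, b: b not in a}
NUMBER_OPS = {"equal": lambda a, b: a == b, "non-equal": lambda a, b: a != b,
              "greater than": lambda a, b: a > b, "less than": lambda a, b: a < b,
              "modulo": lambda a, b: a % b == 0}  # assumed: true when b divides a evenly

def precondition_holds(conditions, ctx):
    """conditions: (type, dynamic parameter, operator, value) tuples; all must hold."""
    for ptype, name, op, value in conditions:
        actual = resolve(name, ctx)
        holds = (NUMBER_OPS[op](int(actual), int(value)) if ptype == "Number"
                 else STRING_OPS[op](actual, value))
        if not holds:
            return False
    return True
```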

Anomaly Parameters

| # | CONDITIONAL PARAMETER | TYPE | DYNAMIC PARAMETER | DESCRIPTION |
|---|---|---|---|---|
| 1 | IP Address | String | {ip} | IP address or block originating the anomaly or being its target |
| 2 | N/A | String | {ip_dns} | Reverse DNS of the anomaly IP. Falls back to {ip} if the DNS lookup does not return a valid PTR record |
| 3 | CIDR | Number | {cidr} | CIDR mask of the anomaly’s IP address or block |
| 4 | Prefix | String | {prefix} | IP/CIDR mask notation of the anomaly’s IP address or block |
| 5 | IP Group | String | {ip_group} | IP Group defined in the IP Zone for the prefix |
| 6 | Sensor Name | String | {sensor} | Sensor that detected the anomaly |
| 7 | Sensor Group | String | {sensor_group} | Device Group configured for the Sensor |
| 8 | Sensor IP | String | {sensor_ip} | IP of the Sensor’s server |
| 9 | Sensor Type | String | {sensor_type} | Can be Packet Sensor, Flow Sensor, SNMP Sensor or Sensor Cluster |
| 10 | Sensor ID | Number | {sensor_id} | Unique ID of the Sensor |
| 11 | Flow Exporter IP | String | {router_ip} | IP of the flow exporter |
| 12 | IP Zone Name | String | {ipzone} | Sensor’s IP Zone |
| 13 | IP Zone Prefix | String | {prefix_ipzone} | The most specific matching prefix from the IP Zone |
| 14 | Response Name | String | {response} | Response activated by the anomaly |
| 15 | Response Actions | String | {response_actions} | List of actions executed by the Response. Contains only the actions that have the Record Action option enabled |
| 16 | Template Name | String | {template} | Threshold Template that includes the threshold rule, if one exists |
| 17 | Expiration Delay | String | {expiration} | Number of seconds of inactivity before the anomaly expires |
| 18 | Captured Packets | Number | {captured_pkts} | When the Response contains a packet-capturing action, the number of packets captured successfully |
| 19 | BGP Log Size | Number | {bgplog_bytes} | Size of the BGP announcement log. Non-zero when a BGP routing update was triggered for the anomaly |
| 20 | Unique Dynamic Parameters | String | {exclusive} | Contains dynamic parameter(s) that must be unique across all active anomalies. It can be used to avoid duplicating actions across multiple attacks. Example: “{ip} {decoder}” executes the Response action only when no other active anomaly to/from the same IP uses the same decoder |
| 21 | Classification | String | {classification} | Console users can manually classify anomalies in Reports » Tools » Anomalies. Returns Unclassified, False Positive, Possible Attack, Trivial Attack, Verified Attack or Crippling Attack |
| 23 | Anomaly Description | String | {anomaly} | Describes the condition that triggered the traffic anomaly |
| 24 | Anomaly ID | Number | {anomaly_id} | Unique identification number of the anomaly |
| 25 | Anomaly Comment | String | {comment} | User-submitted comment about the anomaly |
| 26 | Direction | String | {direction} | Direction of the threshold rule that triggered the anomaly. Can be incoming or outgoing |
| 27 | N/A | String | {direction_to_from} | Returns to for inbound anomalies or from for outbound anomalies |
| 28 | N/A | String | {direction_receives_sends} | Returns receives for inbound anomalies or sends for outbound anomalies |
| 29 | Domain | String | {domain} | Returns IP when the CIDR mask is 32 for IPv4 or 128 for IPv6, and subnet in all other cases |
| 30 | Anomaly Class | String | {class} | Returns threshold for threshold-based anomalies and profile for profiling-based anomalies |
| 31 | Threshold Type | String | {threshold_type} | Threshold-based anomalies can be defined with absolute values or as a percentage of the total traffic received by the Sensor |
| 32 | Anomaly Decoder (Protocol) | String | {decoder} | Traffic decoder (protocol) used to detect the anomaly |
| 33 | Comparison | String | {operation} | Comparison function used by the threshold rule: over or under |
| 34 | N/A | String | {comparison} | Returns “>” for traffic rates exceeding the threshold or “<” for traffic rates under the threshold |
| 35 | Unit | String | {unit} | Returns pkts/s for thresholds defined in packets per second, or bits/s for thresholds defined in bits per second |
| 36 | Threshold Value | Number* | {rule_value} | Traffic value configured as the threshold |
| 37 | Computed Threshold | Number* | {computed_threshold} | Value of the threshold, dynamically adjusted for profiling-based and percentage-based anomalies |
| 38 | Peak Packets/s | Number* | {anomaly_pps} | Highest packets/s rate of the anomaly |
| 39 | Peak Bits/s | Number* | {anomaly_bps} | Highest bits/s rate of the anomaly |
| 40 | Latest Packets/s | Number* | {latest_anomaly_pps} | Latest packets/s rate of the anomaly |
| 41 | Latest Bits/s | Number* | {latest_anomaly_bps} | Latest bits/s rate of the anomaly |
| 42 | Peak Value | Number* | {value} | Highest value of the abnormal traffic, in pkts/s or bits/s depending on the threshold’s unit |
| 43 | Latest Value | Number* | {latest_value} | Latest value of the abnormal traffic, in pkts/s or bits/s depending on the threshold’s unit |
| 44 | Sum Value | Number* | {sum_value} | For pkts/s thresholds, the number of packets counted during the anomaly; for bits/s thresholds, the number of bits counted during the anomaly |
| 45 | Peak Rule Severity | Number | {severity} | Ratio between the peak abnormal traffic rate and the threshold value |
| 46 | Latest Rule Severity | Number | {latest_severity} | Ratio between the latest abnormal traffic rate and the threshold value |
| 47 | Peak Link Severity | Number | {link_severity} | Ratio between the peak abnormal traffic rate and the interface’s traffic rate |
| 48 | Latest Link Severity | Number | {latest_link_severity} | Ratio between the latest abnormal traffic rate and the interface’s traffic rate |
| 49 | Latest Link Utilization | Number | {latest_link_utilization} | Ratio between the latest total traffic rate and the interface’s traffic rate |
| 50 | Custom Script Return Value | Number | N/A | True only when the script entered in the Value field exits with status 0. The comparison field must be set to equal. Dynamic parameters can be passed as arguments to the script |
| 51 | N/A | String | {anomaly_log_10}, {anomaly_log_50}, {anomaly_log_100}, {anomaly_log_500}, {anomaly_log_1000} | Returns 10/50/100/500/1000 packets (if a packet-capturing action is enabled in the Response) or flows (if the Flow Collector is enabled) of the anomalous traffic |
| 52 | N/A | String | {software_version} | Wanguard version |

Time Parameters

| # | CONDITIONAL PARAMETER | TYPE | DYNAMIC PARAMETER | DESCRIPTION |
|---|---|---|---|---|
| 1 | From | Number | {from_unixtime} | Start time of the anomaly in unixtime format (number of seconds since Jan 1st 1970) |
| 2 | Until | Number | {until_unixtime} | Expiration time of the anomaly in unixtime format |
| 3 | From | String | {from}, {from_year}, {from_month}, {from_day}, {from_dow}, {from_hour}, {from_minute} | Start time of the anomaly in ISO 8601 format (YYYY-MM-DD), or broken down by year, month, day, day of week, hour and minute |
| 4 | Until | String | {until}, {until_year}, {until_month}, {until_day}, {until_dow}, {until_hour}, {until_minute} | Stop time of the anomaly in ISO 8601 format (YYYY-MM-DD), or broken down by year, month, day, day of week, hour and minute |
| 5 | Duration | Number | {duration} | Duration of the anomaly, in seconds |
| 6 | N/A | String | {duration_clock} | Short text describing the duration of the anomaly. Examples: <5sec, 5h 4m 3s |
| 7 | N/A | String | {duration_clock_full} | Long text describing the duration of the anomaly. Examples: <5 seconds, 5 hours 4 minutes 3 seconds |
| 8 | Internal Ticks | Number | {tick} | Sensor’s internal tick. For a Packet Sensor 1 tick = 5 seconds; for a Flow Sensor 1 tick = the value of the Granularity parameter |

Overall Traffic Parameters

| # | CONDITIONAL PARAMETER | TYPE | DYNAMIC PARAMETER | DESCRIPTION |
|---|---|---|---|---|
| 1 | Peak IP Pkts/s | Number* | {total_pps} | Peak IP packets/s rate for the prefix |
| 2 | Peak IP Bits/s | Number* | {total_bps} | Peak IP bits/s rate for the prefix |
| 3 | Latest IP Pkts/s | Number* | {latest_total_pps} | Latest IP packets/s rate for the prefix |
| 4 | Latest IP Bits/s | Number* | {latest_total_bps} | Latest IP bits/s rate for the prefix |
| 5 | IP Packets | Number* | {sum_total_pkts} | Number of IP packets counted during the anomaly |
| 6 | IP Bits | Number* | {sum_total_bits} | Number of IP bits counted during the anomaly |

Filter Parameters

| # | CONDITIONAL PARAMETER | TYPE | DYNAMIC PARAMETER | DESCRIPTION |
|---|---|---|---|---|
| 1 | Filter Name | String | {filter} | Name of the Filter that detected the filtering rule |
| 2 | Filter ID | Number | {filter_id} | Unique ID of the Filter that detected the filtering rule |
| 3 | Filter Type | String | {filter_type} | Type of Filter: Packet Filter, Flow Filter or Filter Cluster |
| 4 | Filter Group | String | {filter_group} | Device Group configured in the Filter configuration |
| 5 | Number of Filters | Number | {filters} | Number of Filter instances activated for the anomaly |
| 6 | Filters Pkts/s | Number* | {filters_pps} | Most recent packets/s rate recorded by the Filter instances activated for the anomaly |
| 7 | Filters Bits/s | Number* | {filters_bps} | Most recent bits/s rate recorded by the Filter instances activated for the anomaly |
| 8 | Filters Max Pkts/s | Number* | {filters_max_pps} | Maximum packets/s rate recorded by all Filter instances activated for the anomaly |
| 9 | Filters Max Bits/s | Number* | {filters_max_bps} | Maximum bits/s rate recorded by all Filter instances activated for the anomaly |
| 10 | Filtered Packets | Number* | {filters_filtered_packets} | Number of packets blocked by all Filter instances activated for the anomaly |
| 11 | Filtered Bits | Number* | {filters_filtered_bits} | Number of bits blocked by all Filter instances activated for the anomaly |
| 12 | Filters CPU Usage | Number | {filters_max_cpu_usage} | Maximum CPU% used by the Filter instances activated for the anomaly |

Filtering Rule Parameters

| # | CONDITIONAL PARAMETER | TYPE | DYNAMIC PARAMETER | DESCRIPTION |
|---|---|---|---|---|
| 1 | Filtering Rule # | Number | {filtering_rule_id} | Unique ID of the filtering rule |
| 2 | Filtering Rule Type | String | {filtering_rule_type} | Type of the filtering rule. All types are listed under Configuration » General Settings » Anomaly Mitigation |
| 3 | Filtering Rule Value | String | {filtering_rule_value} | Specific value of the filtering rule (IP, port number, protocol number, etc.) |
| | N/A | String | {filtering_rule_ip_dns} | When the filtering rule type is IP, returns its reverse DNS |
| 4 | Filtering Rule ISP | String | {filtering_rule_ip_isp} | When the filtering rule type is IP, returns the corresponding organization or Internet Service Provider |
| 5 | Filtering Rule Country | String | {filtering_rule_ip_country} | When the filtering rule type is IP, returns its country |
| 6 | Filtering Rule Pkts/s | Number* | {filtering_rule_pps} | Latest packets/s rate of the traffic matched by the filtering rule |
| 7 | Filtering Rule Bits/s | Number* | {filtering_rule_bps} | Latest bits/s throughput of the traffic matched by the filtering rule |
| 8 | Filtering Rule Peak Pkts/s | Number* | {filtering_rule_max_pps} | Maximum packets/s rate of the traffic matched by the filtering rule |
| 9 | Filtering Rule Peak Bits/s | Number* | {filtering_rule_max_bps} | Maximum bits/s throughput of the traffic matched by the filtering rule |
| 10 | Filtering Rule Unit/s | Number* | {filtering_rule_unit} | Returns {filtering_rule_pps} for packets/s thresholds and {filtering_rule_bps} for bits/s thresholds |
| 11 | Filtering Rule Peak Unit/s | Number* | {filtering_rule_max_unit} | Returns {filtering_rule_max_pps} or {filtering_rule_max_bps}, depending on the unit of the threshold |
| 12 | Filtering Rule Severity | Number | {filtering_rule_severity} | Ratio between the traffic matched by the filtering rule and the threshold’s value |
| 13 | Filtering Rule Packets | Number* | {filtering_rule_packets} | Number of packets matched by the filtering rule |
| 14 | Filtering Rule Bits | Number* | {filtering_rule_bits} | Number of bits matched by the filtering rule |
| 15 | Filtering Rule Time Interval | Number | {filtering_rule_difftime} | Length of time for which the filtering rule was detected |
| 16 | Filtering Rule Whitelist | Number | {filtering_rule_whitelisted} | Returns 1 when the filtering rule is whitelisted, otherwise 0 |
| 17 | Filtering Rule Traffic Sample Size | Number* | {filtering_rule_log_size} | If the Response contains an action to capture the packets matched by the filtering rule, returns the packet dump’s size in bytes |
| 18 | N/A | String | {attacker_isp} | When the filtering rule type is IP, returns the email address of the attacker’s ISP, as found in the whois database |
| 19 | N/A | String | {filtering_rule_log_10}, {filtering_rule_log_50}, {filtering_rule_log_100}, {filtering_rule_log_500}, {filtering_rule_log_1000} | Returns 10/50/100/500/1000 packets of the traffic matched by the filtering rule, if the Response contains a packet-capturing action |