Exportable IPS log entry fields

IPS log entry fields are described in the following table. Because the fields are exportable, the table includes the syslog export field.

Table 1. IPS log entry fields
Field Syslog export field Description
Action ACTION Action of the rule that triggered the log event.
Alert Type ALERT Type of alert.
Attacker IP IP_ATTACKER IPv4 address of the attacking host.
Blacklist executor FIREWALL_ID Firewall that blacklisted the traffic that triggered the log event.
Blacklist response BLACKLIST_RESPONSE Firewall blacklist response that triggered the log event.
Cluster ID CLUSTER_ID The identifier of the cluster to which the node that created the log entry belongs.
Component ID COMP_ID The identifier of the creator of the log entry.
Connection Analysis End CONNECTION_ANALYSIS_END The Application module could not continue analyzing the traffic stream after this event.
Connection dropped DROP_CONNECTION The connection was dropped by a Drop Response in the rule.
Content type of message body SIP_CONTENT_TYPE Content type of the SIP message body.
Correlation base component ID CORRELATION_COMP_ID The policy that decides the response after successful correlation.
Correlation begin time TIME_FRAME_BEGIN NTP stamp of the beginning of the time frame for a match to a correlation situation.
Correlation end time TIME_FRAME_END NTP stamp of the end of the time frame for a match to a correlation situation.
Creation Time TIMESTAMP Log entry creation time.
C-tag VLAN_C_TAG Customer tag in double-tagged VLAN traffic.
Data Identifier LOG_ID Data Identifier of the log entry.
Datagram dropped DROP_DATAGRAM The datagram was dropped by a Drop Response in the rule.
Destination port PORT_DEST TCP or UDP destination port in the packet header. Included only for backwards compatibility with legacy IPS engines. For other cases, use Dst Port.
DNS class DNS_CLASS DNS resource record class.
DNS hdr ancount DNS_HDR_ANCOUNT DNS answers count.
DNS hdr arcount DNS_HDR_ARCOUNT DNS additional section count.
DNS hdr flag tc DNS_HDR_FLAG_TC DNS header flag TC.
DNS hdr id DNS_HDR_ID DNS message ID.
DNS hdr is request DNS_HDR_IS_REQUEST DNS message is a request.
DNS hdr nscount DNS_HDR_NSCOUNT DNS authority section count.
DNS hdr opcode DNS_HDR_OPCODE DNS operation code.
DNS hdr qdcount DNS_HDR_QDCOUNT DNS questions count.
DNS hdr rcode DNS_HDR_RCODE DNS return code.
DNS name length DNS_NAME_LENGTH Length of DNS name in a message.
DNS offset DNS_OFFSET DNS message offset where the situation occurs.
DNS pointer DNS_POINTER Name pointer in a DNS message.
DNS qclass DNS_QCLASS Query resource record class in a DNS message.
DNS qname DNS_QNAME First queried name in a DNS message.
DNS qtype DNS_QTYPE Query type in a DNS message.
DNS section DNS_SECTION Section name in a DNS message.
DNS type DNS_TYPE DNS resource record type.
DNS UDP payload DNS_UDP_PAYLOAD UDP payload size of a DNS message.
DNS UDP payload by opt DNS_UDP_PAYLOAD_BY_OPT UDP payload advertised in a DNS OPT record.
Dst Addr DST Packet destination IP address.
Dst Port DPORT TCP or UDP destination port in the packet header.
Error Id ERROR_ID Identifier of the error that triggered the log event.
Eth frame length ETH_FRAME_LENGTH Length of the Ethernet frame.
Eth min frame length ETH_MIN_FRAME_LENGTH Minimum length for Ethernet frame.
Ethernet type ETH_TYPE Type field in Ethernet frame.
Event count EVENT_COUNT Event count in the defined time frame.
Event ID EVENT_ID Event identifier, unique within one sender.
Event update EVENT_UPDATE Event ID for which this event is an update.
Excerpt data EXCERPT Short recording of the application level data stream of the attack.
Excerpt position EXCERPT_POS Position in the attached short recording.
Facility FACILITY The firewall subsystem that created the log entry.
Fields updatable FIELDS_UPDATABLE Map of updatable log fields.
Forward Rule Tag FORWARD_RULE_TAG The tag of the last matching rule when forwarding the traffic to the agent that created this log entry.
Frame dropped DROP_FRAME The frame was dropped by a Drop Response in the rule.
From address SIP_FROM SIP From address.
FTP account len FTP_ACCOUNT_LEN Length of the FTP account string.
FTP adat argument len FTP_ADAT_ARG_LEN Length of ADAT command argument.
FTP allocate size FTP_ALLOCATE_SIZE Size of FTP allocate.
FTP arg len FTP_ARG_LEN Length of the FTP command argument.
FTP auth arg len FTP_AUTH_ARG_LEN Length of the AUTH argument.
FTP Cmd Name FTP_CMD_NAME The name of the FTP command without any arguments.
FTP client state name FTP_CLIENT_STATE_NAME The detected FTP client state.
FTP clnt arg len FTP_CLNT_ARG_LEN Length of the FTP CLNT argument.
FTP command FTP_COMMAND Name of the FTP command.
FTP conf arg len FTP_CONF_ARG_LEN Length of the CONF command argument.
FTP enc arg len FTP_ENC_ARG_LEN Length of the ENC command argument.
FTP eprt arg len FTP_EPRT_ARG_LEN Length of the EPRT command argument.
FTP estp arg len FTP_ESTP_ARG_LEN Length of the ESTP command argument.
FTP help arg len FTP_HELP_ARG_LEN Length of the HELP command argument.
FTP lang arg len FTP_LANG_ARG_LEN Length of the LANG command argument.
FTP lprt arg len FTP_LPRT_ARG_LEN Length of the LPRT command argument.
FTP marker len FTP_MARKER_LEN Length of the REST command argument.
FTP mic arg len FTP_MIC_ARG_LEN Length of the MIC command argument.
FTP opts arg len FTP_OPTS_ARG_LEN Length of the OPTS command argument.
FTP password len FTP_PASSWORD_LEN Length of the detected FTP password.
FTP pathname len FTP_PATHNAME_LEN Length of the detected FTP pathname.
FTP protection buffer size FTP_PROTECTION_BUFFER_SIZE Size of the detected PBSZ protection buffer.
FTP reply FTP_REPLY The detected FTP server reply.
FTP reply code FTP_REPLY_CODE The detected FTP server reply code.
FTP reply len FTP_REPLY_LEN Length of an FTP server reply that is too long.
FTP reply line len FTP_REPLY_LINE_LEN Length of an FTP server reply line that is too long.
FTP server action FTP_SERVER_ACTION FTP server action after a suspicious client command.
FTP server banner FTP_SERVER_BANNER The detected FTP server banner.
FTP server state name FTP_SERVER_STATE_NAME The detected FTP server state.
FTP site arg len FTP_SITE_ARG_LEN Length of the SITE command argument.
FTP state name FTP_STATE_NAME The detected FTP session state.
FTP username len FTP_USERNAME_LEN Length of the detected FTP user name.
HTTP header HTTP_HEADER The detected HTTP header field.
HTTP header name HTTP_HEADER_NAME The detected HTTP header field name.
HTTP no request HTTP_NO_REQUEST The detected HTTP response could not be associated to any request.
HTTP request host HTTP_REQUEST_HOST HTTP request host.
HTTP request line HTTP_REQUEST_LINE The detected HTTP request line.
HTTP request message field name length HTTP_REQUEST_MESSAGE_FIELD_NAME_LENGTH Length of the HTTP request header field name.
HTTP request message field value length HTTP_REQUEST_MESSAGE_FIELD_VALUE_LENGTH Length of the HTTP request header field value.
HTTP request method HTTP_REQUEST_METHOD The detected HTTP request method.
HTTP request URI HTTP_REQUEST_URI The detected HTTP request URI.
HTTP request version HTTP_REQUEST_VERSION The detected HTTP request version.
HTTP requests not stored HTTP_REQUESTS_NOT_STORED Number of requests not stored due to HTTP pipeline overflow.
HTTP response code HTTP_RESPONSE_CODE The detected HTTP response code.
HTTP response message field name length HTTP_RESPONSE_MESSAGE_FIELD_NAME_LENGTH Length of the HTTP response header field name.
HTTP response message field value length HTTP_RESPONSE_MESSAGE_FIELD_VALUE_LENGTH Length of the HTTP response header field value.
HTTP URI length HTTP_URI_LENGTH Length of the HTTP request URI.
ICMP code ICMP_CODE ICMP code field. The ICMP code provides further information about the message type (for example, network unreachable). For more information, see RFC 792 and RFC 950.
ICMP expected message length ICMP_EXPECTED_MESSAGE_LENGTH Expected length of the ICMP message.
ICMP field addr entry size ICMP_FIELD_ADDR_ENTRY_SIZE Value of the detected ICMP address entry size field.
ICMP field address mask ICMP_FIELD_ADDRESS_MASK Value of detected ICMP address mask field.
ICMP field domain name ICMP_FIELD_DOMAIN_NAME Value of the detected ICMP domain name field.
ICMP field gateway IP addr ICMP_FIELD_GATEWAY_IP_ADDR Value of the detected ICMP gateway address field.
ICMP field lifetime ICMP_FIELD_LIFETIME Value of the ICMP lifetime field.
ICMP field num addrs ICMP_FIELD_NUM_ADDRS Value of the ICMP number of addresses field.
ICMP field originate timestamp ICMP_FIELD_ORIGINATE_TIMESTAMP Value of the ICMP originate time stamp field.
ICMP field outbound hop count ICMP_FIELD_OUTBOUND_HOP_COUNT Value of the ICMP outbound hop count field.
ICMP field output link mtu ICMP_FIELD_OUTPUT_LINK_MTU Value of the ICMP output link MTU field.
ICMP field output link speed ICMP_FIELD_OUTPUT_LINK_SPEED Value of the ICMP output link speed field.
ICMP field pointer ICMP_FIELD_POINTER The offset in the related datagram where the situation occurred.
ICMP field preference level ICMP_FIELD_PREFERENCE_LEVEL Value of the ICMP preference level field.
ICMP field receive timestamp ICMP_FIELD_RECEIVE_TIMESTAMP Value of the ICMP receive time stamp field.
ICMP field return hop count ICMP_FIELD_RETURN_HOP_COUNT Value of the ICMP return hop count field.
ICMP field router addr ICMP_FIELD_ROUTER_ADDRESS Value of the ICMP router address field.
ICMP field sequence num ICMP_FIELD_SEQUENCE_NUMBER Value of the ICMP sequence number field.
ICMP field traceroute id ICMP_FIELD_TRACEROUTE_ID Value of the ICMP traceroute ID field.
ICMP field transmit timestamp ICMP_FIELD_TRANSMIT_TIMESTAMP Value of the ICMP transmit time stamp field.
ICMP ID ICMP_ID The ICMP identifier recorded by the engine when ICMP packets pass through the firewall. The ICMP identifier can be used by the echo sender to aid in matching the replies with the echo requests. For example, the identifier might be used like a port in TCP or UDP to identify a session. For more information about ICMP ID and the ICMP protocol, see RFC 792 and RFC 950.
ICMP message length ICMP_MESSAGE_LENGTH Length of the ICMP message.
ICMP referenced destination IP addr ICMP_REFERENCED_DESTINATION_IP_ADDR Destination IP address of the datagram related to the ICMP message.
ICMP referenced destination port ICMP_REFERENCED_DESTINATION_PORT Destination port of the datagram related to the ICMP message.
ICMP referenced IP proto ICMP_REFERENCED_IP_PROTO IP Protocol field of the datagram related to the ICMP message.
ICMP referenced source IP addr ICMP_REFERENCED_SOURCE_IP_ADDR Source IP address of the datagram related to the ICMP message.
ICMP referenced source port ICMP_REFERENCED_SOURCE_PORT Source port of the IP datagram related to the ICMP message.
ICMP Type ICMP_TYPE The Internet Control Message Protocol is an extension to the Internet Protocol (IP) that supports packets containing error, control, and informational messages. ICMP messages are sent using the basic IP header. The first octet of the data portion of the datagram is an ICMP type field. For more information, see RFC 792 and RFC 950.
Imf encoded word IMF_ENCODED_WORD Encoded word token related to this event.
Imf header field IMF_HEADER_FIELD Contents (possibly partial) of the mail header field related to this event.
Imf header field name IMF_HEADER_FIELD_NAME Name of the mail header field related to this event.
Imf header field position IMF_HEADER_FIELD_POSITION Number of characters processed in this header field when this event was generated.
Imf token IMF_TOKEN Syntactical token in the mail body related to this event.
Imf token length IMF_TOKEN_LENGTH Length of the syntactical token in the mail body related to this event.
Information message INFO_MSG A description of the log event that further explains the entry.
IP checksum IP_CHECKSUM Value of the IP header checksum.
IP datagram length IP_DATAGRAM_LENGTH Length of the IP datagram.
IP datagram new length IP_DATAGRAM_NEW_LENGTH The new suggested length for the IP datagram.
IP destination IP_DEST Destination IP address in the packet header. Included only for backwards compatibility for legacy IPS. For other cases, use Dst Addr.
IP frag conflict range IP_FRAG_CONFLICT_RANGE Conflicting byte range in a fragment.
IP fragment offset IP_FRAGMENT_OFFSET Fragment offset in the IP header.
IP header length IP_HEADER_LENGTH Length of the IP header.
IP identification IP_IDENTIFICATION Identification field in the IP header.
IP offset IP_OFFSET Start IP offset from the beginning of the Ethernet frame.
IP option length IP_OPTION_LENGTH Length of the IP option that triggered the response.
IP option number IP_OPTION_NUMBER IP option number that triggered the response.
IP protocol PROTOCOL IP protocol of the traffic that generated the log event.
IP source IP_SOURCE Source IP address in the packet header. Included for backwards compatibility with legacy IPS. For other cases, use Src Addr.
IP total length IP_TOTAL_LENGTH Total length of the IP datagram.
IP version IP_VERSION Version field value in the IP header.
Length of message body SIP_CONTENT_LENGTH Length of the SIP message body.
Logical interface IF_LOGICAL Logical interface for a packet.
MAC destination MAC_DEST Destination MAC address in the packet header.
MAC source MAC_SOURCE Source MAC address in the packet header.
Module SENDER_MODULE_ID Sender module identification.
Node configuration NODE_CONFIGURATION Current configuration of the node that sent the log entry.
Node dynup NODE_DYNUP Dynamic update package level of the node that sent the log entry.
Node version NODE_VERSION Node version of the node that sent the log entry.
Not final value NOT_FINAL_VALUE Entry is not final.
One LAN ONE_LAN The "View interface as one LAN" option was enabled on the logical interface through which the packet was received.
Orig config id ORIG_CONFIG_ID Configuration identifier related to the Situation in the referred event.
Orig sender module version ORIG_SENDER_MODULE_VERSION Module version in the referred event.
Orig sender os ver ORIG_SENDER_OS_VER The operating system version of the sender of the referred event.
Original Alert Type ORIG_ALERT Type of alert in the referred event.
Original correlation begin time ORIG_TIME_FRAME_BEGIN NTP stamp of the beginning of the time frame in the referred event.
Original correlation end time ORIG_TIME_FRAME_END NTP stamp of the end of the time frame in the referred event.
Original event count ORIG_EVENT_COUNT Number of events in the time frame of the referred event.
Original module ORIG_SENDER_MODULE_ID Sender module identification in the referred event.
Original severity ORIG_ALERT_SEVERITY Severity of the referred event.
Original situation ORIG_SITUATION Identifier of the situation that triggered the referred event.
Original time ORIG_TIMESTAMP Creation time of the referred event.
Packet analysis end PACKET_ANALYSIS_END Module could not continue analyzing packet or datagram after this event.
Packet not seen PACKET_NOT_SEEN Flag indicating that the related packet was not seen.
Physical interface IF_PHYSICAL Physical interface for a packet.
Protocol PROTOCOL Connection IP protocol.
Protocol Agent SRVHELPER_ID Protocol Agent numerical ID code.
Reception time RECEPTION_TIME Time when the entry was received by the Log Server.
Record ID RECORD_ID Identifier of the traffic recording.
Reference event ID REF_EVENT Reference to a related event.
Rule Tag RULE_ID Rule tag of the rule that triggered the log event.
Scan ICMP Echo No Reply Cnt SCAN_ICMP_ECHO_NO_RESPONSE_COUNTER Number of distinct ICMP Echo Request (ping) destinations that did not reply to a request.
Scan ICMP Echo Request Cnt SCAN_ICMP_ECHO_REQUEST_COUNTER Number of distinct ICMP Echo Request (ping) destinations detected.
Scan ICMP Echo Targets SCAN_ICMP_ECHO_TARGETS List of the detected ICMP Echo Request (ping) destinations.
Scan ICMP Mask No Reply Cnt SCAN_ICMP_NETMASK_NO_RESPONSE_COUNTER Number of distinct ICMP Netmask Request destinations that did not reply to a request.
Scan ICMP Mask Request Cnt SCAN_ICMP_NETMASK_REQUEST_COUNTER Number of distinct ICMP Netmask Request destinations detected.
Scan ICMP Mask Targets SCAN_ICMP_NETMASK_TARGETS List of the detected ICMP Netmask Request destinations.
Scan ICMP No Reply Cnt SCAN_ICMP_NO_RESPONSE_COUNTER Number of distinct ICMP request destinations, for any of the counted ICMP requests (Echo Request, Timestamp Request, Netmask Request), that did not reply to a request.
Scan ICMP Request Cnt SCAN_ICMP_REQUEST_COUNTER Number of the distinct ICMP request destinations for the counted ICMP requests (Echo Request, Timestamp Request, Netmask Request).
Scan ICMP Time No Reply Cnt SCAN_ICMP_TIMESTAMP_NO_RESPONSE_COUNTER Number of distinct ICMP Timestamp Request destinations that did not reply to a request.
Scan ICMP Time Request Cnt SCAN_ICMP_TIMESTAMP_REQUEST_COUNTER Number of distinct ICMP Timestamp Request destinations detected.
Scan ICMP Time Targets SCAN_ICMP_TIMESTAMP_TARGETS List of the detected ICMP Timestamp Request destinations.
Scan Start Time SCAN_START_TIME The starting time of the detected port scanning activity.
Scan TCP Negative Cnt SCAN_TCP_NEGATIVE_COUNTER Number of distinct TCP destinations that denied attempted connections with TCP RST.
Scan TCP Normal Cnt SCAN_TCP_NORMAL_COUNTER Number of distinct TCP destinations with successful connection establishment and bidirectional data transfer.
Scan TCP No Ack Cnt SCAN_TCP_NO_ACK_COUNTER Number of distinct TCP destinations targeted for illegal TCP segments.
Scan TCP No Ack Targets SCAN_TCP_NO_ACK_TARGETS List of TCP destinations targeted for illegal TCP segments.
Scan TCP No Reply Cnt SCAN_TCP_NO_RESPONSE_COUNTER Number of distinct TCP destinations that did not reply to connection attempts.
Scan TCP Positive Cnt SCAN_TCP_POSITIVE_COUNTER Number of distinct TCP destinations with successful connection establishment but no data sent by the client within the defined time limit.
Scan TCP Targets SCAN_TCP_TARGETS List of the detected TCP port scan destinations.
Scan UDP Negative Cnt SCAN_UDP_NEGATIVE_COUNTER Number of distinct destinations detected that replied with ICMP Port Unreachable (successful scan of closed UDP port).
Scan UDP Positive Cnt SCAN_UDP_POSITIVE_COUNTER Number of bi-directional UDP conversations detected.
Scan UDP Probe Cnt SCAN_UDP_PROBE_COUNTER Number of destinations that did not reply using UDP.
Scan UDP Target Cnt SCAN_UDP_TARGET_COUNTER Total number of UDP destinations detected.
Scan UDP Targets SCAN_UDP_TARGETS List of the detected UDP destinations.
Sender NODE_ID IP address of the engine or server that sent the log entry.
Sender module version SENDER_MODULE_VERSION Version of the engine module that generated the event.
Sender type SENDER_TYPE The type of engine or server that sent the log entry.
Service SERVICE Special field for filtering logs using the defined services. Does not appear in the log entry table.
Severity ALERT_SEVERITY Severity of the situation related to the alert event.
SIP call ID SIP_CALL_ID SIP call ID.
SIP contact address SIP_CONTACT SIP contact address.
SIP header field contents SIP_HEADER SIP header field contents.
SIP header field name SIP_HEADER_NAME SIP header field name.
SIP request method SIP_REQUEST_METHOD Method of the SIP request.
SIP request URI SIP_REQUEST_URI URI of the SIP request.
SIP request version SIP_REQUEST_VERSION Version of the SIP request.
SIP response reason-phrase SIP_RESPONSE_REASON_PHRASE SIP response reason-phrase.
SIP response status code SIP_RESPONSE_STATUS_CODE Status code of the SIP response.
SIP VIA address SIP_VIA SIP VIA address.
Situation SITUATION The identifier of the situation that triggered the log event.
Situation Type SIT_CATEGORY The type of the situation that triggered the log event.
SMTP command SMTP_COMMAND Suspicious SMTP command sent by the client.
SMTP mail stats SMTP_MAIL_STATS Statistics on email messages.
SMTP misplaced command SMTP_MISPLACED_COMMAND Command given in the wrong place in the command sequence.
SMTP recipient SMTP_RECIPIENT Recipient forward path in RCPT command parameter.
SMTP reply SMTP_REPLY Suspicious SMTP reply message sent by the server.
SMTP reverse path SMTP_REVERSE_PATH SMTP reverse path in MAIL FROM command parameter.
SMTP server action SMTP_SERVER_ACTION Suspicious server action after a suspicious client command.
SMTP server banner SMTP_SERVER_BANNER Banner sent by the SMTP server at the beginning of the connection.
SMTP transaction state SMTP_TRANSACTION_STATE Session state of the SMTP transaction.
Source file SOURCE_FILE Name of the source file.
Source file line SOURCE_FILE_LINE Line number in the source file.
Source port PORT_SOURCE TCP or UDP source port in the packet header. Included for backwards compatibility with legacy IPS. For other cases, see Src Port.
Src Addr SRC Packet source IP address.
Src Port SPORT TCP or UDP source port in the packet header.
Src VLAN SRC_VLAN The VLAN ID of the source VLAN.
SSH calc client crypto bit ratio SSH_CALC_CLIENT_CRYPTO_BIT_RATIO Calculated SSH client crypto bit ratio.
SSH calc server crypto bit ratio SSH_CALC_SERVER_CRYPTO_BIT_RATIO Calculated SSH server crypto bit ratio.
SSH1 host key bits SSH1_HOST_KEY_BITS Bit length of the SSHv1 host key.
SSH1 server key bits SSH1_SERVER_KEY_BITS Bit length of the SSHv1 server key.
S-tag VLAN_S_TAG Service provider tag in double-tagged VLAN traffic.
Syslog SYSLOG_TYPE Syslog is a system logging service used in some operating systems (for example, UNIX) and in some software packages. For more information about syslog and syslog types, see RFC 3164.
Syslog Facility SYSLOG_FACILITY Syslog entry facility.
Syslog Level SYSLOG_LEVEL Syslog entry level.
Syslog Message SYSLOG_MSG Syslog entry message string.
Target IP IP_TARGET IPv4 address of the target host in a detected attack.
TCP connection start time TCP_CONNECTION_START_TIME Start time of the TCP connection.
TCP handshake seen TCP_HANDSHAKE_SEEN Initial handshake of the TCP connection detected.
TCP option kind TCP_OPTION_KIND Type of the TCP option.
TCP option length TCP_OPTION_LENGTH Length of the TCP option that caused the response.
To address SIP_TO SIP To address.
UDP datagram size UDP_DATAGRAM_SIZE Size of the UDP datagram.
Vulnerability References VULNERABILITY_REFERENCES References to known vulnerabilities in a vulnerability database. Generated from situation and original situation.
Whole session seen WHOLE_SESSION_SEEN True if no data of this session has been missed up to this point.
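The table keeps PORT_DEST, IP_DEST, IP_SOURCE and PORT_SOURCE only for backwards compatibility with legacy IPS engines and names DPORT, DST, SRC and SPORT as the current fields, so a log consumer keyed on only one of the two names misses entries from the other engine generation. The following is an added example (not code from the product documentation) that folds both onto the current names, reports values that disagree, and totals the SCAN_* no-reply counters; it assumes the exported entry has already been parsed into a flat dict of field name to string value, since the page does not specify the wire format.

```python
# Added example: fold the legacy IPS export fields onto their current names
# and total the scan counters. Assumes the entry has already been parsed out
# of the syslog export into a flat dict of field name -> string value.

# Legacy export field -> current export field, as stated in the table.
LEGACY_FIELDS = {
    "IP_SOURCE": "SRC",
    "IP_DEST": "DST",
    "PORT_SOURCE": "SPORT",
    "PORT_DEST": "DPORT",
}

# Counters for destinations that gave no useful reply to a probe.
SCAN_COUNTERS = (
    "SCAN_TCP_NO_RESPONSE_COUNTER",
    "SCAN_TCP_NEGATIVE_COUNTER",
    "SCAN_UDP_NEGATIVE_COUNTER",
    "SCAN_UDP_PROBE_COUNTER",
    "SCAN_ICMP_NO_RESPONSE_COUNTER",
)


def normalize_entry(entry):
    """Return (normalized_entry, conflicts). Legacy keys are dropped; their
    value fills the current key when it is absent. If both exist and differ,
    the current key wins and (current_key, current_value, legacy_value) is
    reported so the mismatch can be alerted on instead of silently lost."""
    normalized = dict(entry)
    conflicts = []
    for legacy, current in LEGACY_FIELDS.items():
        if legacy not in normalized:
            continue
        legacy_value = normalized.pop(legacy)
        if current not in normalized:
            normalized[current] = legacy_value
        elif normalized[current] != legacy_value:
            conflicts.append((current, normalized[current], legacy_value))
    return normalized, conflicts


def unanswered_destinations(entry):
    """Sum the SCAN_* counters present in the entry. Export values are
    strings; a missing counter counts as 0 and a non-integer value is
    returned by name in the second element rather than guessed at."""
    total, bad = 0, []
    for name in SCAN_COUNTERS:
        raw = entry.get(name)
        if raw is None:
            continue
        try:
            total += int(raw)
        except ValueError:
            bad.append(name)
    return total, bad


# Constructed sample mixing a legacy and a current engine's field set.
SAMPLE_ENTRY = {
    "IP_SOURCE": "192.0.2.10",    # legacy name, agrees with SRC
    "SRC": "192.0.2.10",
    "PORT_DEST": "22",            # legacy name only
    "IP_DEST": "198.51.100.9",    # legacy name, disagrees with DST
    "DST": "198.51.100.7",
    "SCAN_TCP_NO_RESPONSE_COUNTER": "40",
    "SCAN_TCP_NEGATIVE_COUNTER": "12",
    "SCAN_UDP_PROBE_COUNTER": "n/a",  # deliberately malformed
}

if __name__ == "__main__":
    print(normalize_entry(SAMPLE_ENTRY), unanswered_destinations(SAMPLE_ENTRY))
```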