Exportable IPS log entry fields
IPS log entry fields are described in the following table. Because the fields are exportable, the table includes the syslog export field.
| Field | Syslog export field | Description |
|---|---|---|
| Action | ACTION | Action of the rule that triggered the log event. |
| Alert Type | ALERT | Type of alert. |
| Attacker IP | IP_ATTACKER | IPv4 address of the attacking host. |
| Blacklist executor | FIREWALL_ID | Firewall that blacklisted the traffic that triggered the log event. |
| Blacklist response | BLACKLIST_RESPONSE | Firewall blacklist response that triggered the log event. |
| Cluster ID | CLUSTER_ID | The identifier of the cluster to which the node that created the log entry belongs. |
| Component ID | COMP_ID | The identifier of the creator of the log entry. |
| Connection Analysis End | CONNECTION_ANALYSIS_END | The Application module could not continue analyzing the traffic stream after this event. |
| Connection dropped | DROP_CONNECTION | The connection was dropped by a Drop Response in the rule. |
| Content type of message body | SIP_CONTENT_TYPE | Content type of the SIP message body. |
| Correlation base component ID | CORRELATION_COMP_ID | The policy that decides the response after successful correlation. |
| Correlation begin time | TIME_FRAME_BEGIN | NTP stamp of the beginning of the time frame for a match to a correlation situation. |
| Correlation end time | TIME_FRAME_END | NTP stamp of the end of the time frame for a match to a correlation situation. |
| Creation Time | TIMESTAMP | Log entry creation time. |
| C-tag | VLAN_C_TAG | Customer tag in double-tagged VLAN traffic. |
| Data Identifier | LOG_ID | Data Identifier of the log entry. |
| Datagram dropped | DROP_DATAGRAM | The datagram was dropped by a Drop Response in the rule. |
| Destination port | PORT_DEST | TCP or UDP destination port in the packet header. Included only for backwards compatibility with legacy IPS engines. For other cases, use Dst Port. |
| DNS class | DNS_CLASS | DNS resource record class. |
| DNS hdr ancount | DNS_HDR_ANCOUNT | DNS answers count. |
| DNS hdr arcount | DNS_HDR_ARCOUNT | DNS additional section count. |
| DNS hdr flag tc | DNS_HDR_FLAG_TC | DNS header flag TC. |
| DNS hdr id | DNS_HDR_ID | DNS message ID. |
| DNS hdr is request | DNS_HDR_IS_REQUEST | DNS message is a request. |
| DNS hdr nscount | DNS_HDR_NSCOUNT | DNS authority section count. |
| DNS hdr opcode | DNS_HDR_OPCODE | DNS operation code. |
| DNS hdr qdcount | DNS_HDR_QDCOUNT | DNS questions count. |
| DNS hdr rcode | DNS_HDR_RCODE | DNS return code. |
| DNS name length | DNS_NAME_LENGTH | Length of DNS name in a message. |
| DNS offset | DNS_OFFSET | DNS message offset where the situation occurs. |
| DNS pointer | DNS_POINTER | Name pointer in a DNS message. |
| DNS qclass | DNS_QCLASS | Query resource record class in a DNS message. |
| DNS qname | DNS_QNAME | First queried name in a DNS message. |
| DNS qtype | DNS_QTYPE | Query type in a DNS message. |
| DNS section | DNS_SECTION | Section name in a DNS message. |
| DNS type | DNS_TYPE | DNS resource record type. |
| DNS UDP payload | DNS_UDP_PAYLOAD | UDP payload size of a DNS message. |
| DNS UDP payload by opt | DNS_UDP_PAYLOAD_BY_OPT | UDP payload advertised in a DNS OPT record. |
| Dst Addr | DST | Packet destination IP address. |
| Dst Port | DPORT | TCP or UDP destination port in the packet header. |
| Error Id | ERROR_ID | Identifier of the error that triggered the log event. |
| Eth frame length | ETH_FRAME_LENGTH | Length of the Ethernet frame. |
| Eth min frame length | ETH_MIN_FRAME_LENGTH | Minimum length for Ethernet frame. |
| Ethernet type | ETH_TYPE | Type field in Ethernet frame. |
| Event count | EVENT_COUNT | Event count in the defined time frame. |
| Event ID | EVENT_ID | Event identifier, unique within one sender. |
| Event update | EVENT_UPDATE | Event ID for which this event is an update. |
| Excerpt data | EXCERPT | Short recording of the application level data stream of the attack. |
| Excerpt position | EXCERPT_POS | Position in the attached short recording. |
| Facility | FACILITY | The firewall subsystem that created the log entry. |
| Fields updatable | FIELDS_UPDATABLE | Map of updatable log fields. |
| Forward Rule Tag | FORWARD_RULE_TAG | The tag of the last matching rule when forwarding the traffic to the agent that created this log entry. |
| Frame dropped | DROP_FRAME | The frame was dropped by a Drop Response in the rule. |
| From address | SIP_FROM | SIP From address. |
| FTP account len | FTP_ACCOUNT_LEN | Length of the FTP account string. |
| FTP adat argument len | FTP_ADAT_ARG_LEN | Length of ADAT command argument. |
| FTP allocate size | FTP_ALLOCATE_SIZE | Size of FTP allocate. |
| FTP arg len | FTP_ARG_LEN | Length of the FTP command argument. |
| FTP auth arg len | FTP_AUTH_ARG_LEN | Length of the AUTH argument. |
| FTP Cmd Name | FTP_CMD_NAME | The name of the FTP command without any arguments. |
| FTP client state name | FTP_CLIENT_STATE_NAME | The detected FTP client state. |
| FTP clnt arg len | FTP_CLNT_ARG_LEN | Length of the FTP CLNT argument. |
| FTP command | FTP_COMMAND | Name of the FTP command. |
| FTP conf arg len | FTP_CONF_ARG_LEN | Length of the CONF command argument. |
| FTP enc arg len | FTP_ENC_ARG_LEN | Length of the ENC command argument. |
| FTP eprt arg len | FTP_EPRT_ARG_LEN | Length of the EPRT command argument. |
| FTP estp arg len | FTP_ESTP_ARG_LEN | Length of the ESTP command argument. |
| FTP help arg len | FTP_HELP_ARG_LEN | Length of the HELP command argument. |
| FTP lang arg len | FTP_LANG_ARG_LEN | Length of the LANG command argument. |
| FTP lprt arg len | FTP_LPRT_ARG_LEN | Length of the LPRT command argument. |
| FTP marker len | FTP_MARKER_LEN | Length of the REST command argument. |
| FTP mic arg len | FTP_MIC_ARG_LEN | Length of the MIC command argument. |
| FTP opts arg len | FTP_OPTS_ARG_LEN | Length of the OPTS command argument. |
| FTP password len | FTP_PASSWORD_LEN | Length of the detected FTP password. |
| FTP pathname len | FTP_PATHNAME_LEN | Length of the detected FTP pathname. |
| FTP protection buffer size | FTP_PROTECTION_BUFFER_SIZE | Size of the detected PBSZ protection buffer. |
| FTP reply | FTP_REPLY | The detected FTP server reply. |
| FTP reply code | FTP_REPLY_CODE | The detected FTP server reply code. |
| FTP reply len | FTP_REPLY_LEN | Length of an FTP server reply that is too long. |
| FTP reply line len | FTP_REPLY_LINE_LEN | Length of an FTP server reply line that is too long. |
| FTP server action | FTP_SERVER_ACTION | FTP server action after a suspicious client command. |
| FTP server banner | FTP_SERVER_BANNER | The detected FTP server banner. |
| FTP server state name | FTP_SERVER_STATE_NAME | The detected FTP server state. |
| FTP site arg len | FTP_SITE_ARG_LEN | Length of the SITE command argument. |
| FTP state name | FTP_STATE_NAME | The detected FTP session state. |
| FTP username len | FTP_USERNAME_LEN | Length of the detected FTP user name. |
| HTTP header | HTTP_HEADER | The detected HTTP header field. |
| HTTP header name | HTTP_HEADER_NAME | The detected HTTP header field name. |
| HTTP no request | HTTP_NO_REQUEST | The detected HTTP response could not be associated to any request. |
| HTTP request host | HTTP_REQUEST_HOST | HTTP request host. |
| HTTP request line | HTTP_REQUEST_LINE | The detected HTTP request line. |
| HTTP request message field name length | HTTP_REQUEST_MESSAGE_FIELD_ NAME_LENGTH | Length of the HTTP request header field name. |
| HTTP request message field value length | HTTP_REQUEST_MESSAGE_FIELD_ VALUE_LENGTH | Length of the HTTP request header field value. |
| HTTP request method | HTTP_REQUEST_METHOD | The detected HTTP request method. |
| HTTP request URI | HTTP_REQUEST_URI | The detected HTTP request URI. |
| HTTP request version | HTTP_REQUEST_VERSION | The detected HTTP request version. |
| HTTP requests not stored | HTTP_REQUESTS_NOT_STORED | Number of requests not stored due to HTTP pipeline overflow. |
| HTTP response code | HTTP_RESPONSE_CODE | The detected HTTP response code. |
| HTTP response message field name length | HTTP_RESPONSE_MESSAGE_FIELD_ NAME_LENGTH | Length of the HTTP response header field name. |
| HTTP response message field value length | HTTP_RESPONSE_MESSAGE_FIELD_ VALUE_LENGTH | Length of the HTTP response header field value. |
| HTTP URI length | HTTP_URI_LENGTH | Length of HTTP request URI |
| ICMP code | ICMP_CODE | ICMP code field. ICMP code provides further information about message type (for example, network unreachable). For more information, see RFC 792 andRFC 950. |
| ICMP expected message length | ICMP_EXPECTED_MESSAGE_LENGTH | Expected length of the ICMP message. |
| ICMP field addr entry size | ICMP_FIELD_ADDR_ENTRY_SIZE | Value of the detected ICMP address entry size field. |
| ICMP field address mask | ICMP_FIELD_ADDRESS_MASK | Value of detected ICMP address mask field. |
| ICMP field domain name | ICMP_FIELD_DOMAIN_NAME | Value of the detected ICMP domain name field. |
| ICMP field gateway IP addr | ICMP_FIELD_GATEWAY_IP_ADDR | Value of the detected ICMP gateway address field. |
| ICMP field lifetime | ICMP_FIELD_LIFETIME | Value of the ICMP lifetime field. |
| ICMP field num addrs | ICMP_FIELD_NUM_ADDRS | Value of the ICMP number of addresses field. |
| ICMP field originate timestamp | ICMP_FIELD_ORIGINATE_TIMESTAMP | Value of the ICMP originate time stamp field. |
| ICMP field outbound hop count | ICMP_FIELD_OUTBOUND_HOP_COUNT | Value of the ICMP outbound hop count field. |
| ICMP field output link mtu | ICMP_FIELD_OUTPUT_LINK_MTU | Value of the ICMP output link MTU field. |
| ICMP field output link speed | ICMP_FIELD_OUTPUT_LINK_SPEED | Value of the ICMP output link speed field. |
| ICMP field pointer | ICMP_FIELD_POINTER | The offset in the related datagram where the situation occurred. |
| ICMP field preference level | ICMP_FIELD_PREFERENCE_LEVEL | Value of the ICMP preference level field. |
| ICMP field receive timestamp | ICMP_FIELD_RECEIVE_TIMESTAMP | Value of the ICMP receive time stamp field. |
| ICMP field return hop count | ICMP_FIELD_RETURN_HOP_COUNT | Value of the ICMP return hop count field. |
| ICMP field router addr | ICMP_FIELD_ROUTER_ADDRESS | Value of the ICMP router address field. |
| ICMP field sequence num | ICMP_FIELD_SEQUENCE_NUMBER | Value of the ICMP sequence number field. |
| ICMP field traceroute id | ICMP_FIELD_TRACEROUTE_ID | Value of the ICMP traceroute ID field. |
| ICMP field transmit timestamp | ICMP_FIELD_TRANSMIT_TIMESTAMP | Value of the ICMP transmit time stamp field. |
| ICMP ID | ICMP_ID | The ICMP identifier recorded by the engine when ICMP packets pass through the firewall. The ICMP identifier can be used by the echo sender to aid in matching the replies with the echo requests. For example, the identifier might be used like a port in TCP or UDP to identify a session. For more information about ICMP ID and the ICMP protocol, see RFC 792 and RFC 950. |
| ICMP message length | ICMP_MESSAGE_LENGTH | Length of the ICMP message. |
| ICMP referenced destination IP addr | ICMP_REFERENCED_DESTINATION_ IP_ADDR | Destination IP address of the datagram related to the ICMP message. |
| ICMP referenced destination port | ICMP_REFERENCED_DESTINATION_PORT | Destination port of the datagram related to the ICMP message. |
| ICMP referenced IP proto | ICMP_REFERENCED_IP_PROTO | IP Protocol field of the datagram related to the ICMP message. |
| ICMP referenced source IP addr | ICMP_REFERENCED_SOURCE_IP_ADDR | Source IP address of the datagram related to the ICMP message. |
| ICMP referenced source port | ICMP_REFERENCED_SOURCE_PORT | Source port of IP datagram related to the ICMP message. |
| ICMP Type | ICMP_TYPE | The Internet Control Message Protocol is an extension to the Internet Protocol (IP) that supports packets containing error, control, and informational messages. ICMP messages are sent using the basic IP header. The first octet of the data portion of the datagram is an ICMP type field. For more information, see RFC 792 and RFC 950. |
| Imf encoded word | IMF_ENCODED_WORD | Encoded word token related to this event. |
| Imf header field | IMF_HEADER_FIELD | Contents (possibly partial) of the mail header field related to this event. |
| Imf header field name | IMF_HEADER_FIELD_NAME | Name of the mail header field related to this event. |
| Imf header field position | IMF_HEADER_FIELD_POSITION | Number of characters processed in this header field when this event was generated. |
| Imf token | IMF_TOKEN | Syntactical token in the mail body related to this event. |
| Imf token length | IMF_TOKEN_LENGTH | Length of the syntactical token in the mail body related to this event. |
| Information message | INFO_MSG | A description of the log event that further explains the entry. |
| IP checksum | IP_CHECKSUM | Value of the IP header checksum. |
| IP datagram length | IP_DATAGRAM_LENGTH | Length of the IP datagram. |
| IP datagram new length | IP_DATAGRAM_NEW_LENGTH | The new suggested length for the IP datagram. |
| IP destination | IP_DEST | Destination IP address in the packet header. Included only for backwards compatibility for legacy IPS. For other cases, use Dst Addr. |
| IP frag conflict range | IP_FRAG_CONFLICT_RANGE | Conflicting byte range in a fragment. |
| IP fragment offset | IP_FRAGMENT_OFFSET | Fragment offset in the IP header. |
| IP header length | IP_HEADER_LENGTH | Length of the IP header. |
| IP identification | IP_IDENTIFICATION | Identification field in the IP header. |
| IP offset | IP_OFFSET | Start IP offset from the beginning of the Ethernet frame. |
| IP option length | IP_OPTION_LENGTH | Length of the IP option that triggered the response. |
| IP option number | IP_OPTION_NUMBER | IP option number that triggered the response. |
| IP protocol | PROTOCOL | IP protocol of the traffic that generated the log event. |
| IP source | IP_SOURCE | Source IP address in the packet header. Included for backwards compatibility with legacy IPS. For other cases, use Src Addr. |
| IP total length | IP_TOTAL_LENGTH | Total length of the IP datagram. |
| IP version | IP_VERSION | Version field value in the IP header. |
| Length of message body | SIP_CONTENT_LENGTH | Length of the SIP message body. |
| Logical interface | IF_LOGICAL | Logical interface for a packet. |
| MAC destination | MAC_DEST | Destination MAC address in the packet header. |
| MAC source | MAC_SOURCE | Source MAC address in the packet header. |
| Module | SENDER_MODULE_ID | Sender module identification. |
| Node configuration | NODE_CONFIGURATION | Current configuration of the node that sent the log entry. |
| Node dynup | NODE_DYNUP | Dynamic update package level of the node that sent the log entry. |
| Node version | NODE_VERSION | Node version of the node that sent the log entry. |
| Not final value | NOT_FINAL_VALUE | Entry is not final. |
| One LAN | ONE_LAN | The "View interface as one LAN" option was enabled on the logical interface through which the packet was received. |
| Orig config id | ORIG_CONFIG_ID | Configuration identifier related to the Situation in the referred event. |
| Orig sender module version | ORIG_SENDER_MODULE_VERSION | Module version in the referred event. |
| Orig sender os ver | ORIG_SENDER_OS_VER | The operating system version of the sender of the referred event. |
| Original Alert Type | ORIG_ALERT | Type of alert in the referred event. |
| Original correlation begin time | ORIG_TIME_FRAME_BEGIN | NTP stamp of the beginning of the time frame in the referred event. |
| Original correlation end time | ORIG_TIME_FRAME_END | NTP stamp of the end of the time frame in the referred event. |
| Original event count | ORIG_EVENT_COUNT | Number of events in the time frame of the referred event. |
| Original module | ORIG_SENDER_MODULE_ID | Sender module identification in the referred event. |
| Original severity | ORIG_ALERT_SEVERITY | Severity of the referred event. |
| Original situation | ORIG_SITUATION | Identifier of the situation that triggered the referred event. |
| Original time | ORIG_TIMESTAMP | Creation time of the referred event. |
| Packet analysis end | PACKET_ANALYSIS_END | Module could not continue analyzing packet or datagram after this event. |
| Packet not seen | PACKET_NOT_SEEN | Flag indicating that the related packet was not seen. |
| Physical interface | IF_PHYSICAL | Physical interface for a packet. |
| Protocol | PROTOCOL | Connection IP protocol. |
| Protocol Agent | SRVHELPER_ID | Protocol Agent numerical ID code. |
| Reception time | RECEPTION_TIME | Time when the entry was received by the Log Server. |
| Record ID | RECORD_ID | Identifier of the traffic recording. |
| Reference event ID | REF_EVENT | Reference to a related event. |
| Rule Tag | RULE_ID | Rule tag of the rule that triggered the log event. |
| Scan ICMP Echo No Reply Cnt | SCAN_ICMP_ECHO_ NO_RESPONSE_ COUNTER | Number of distinct ICMP Echo Request (ping) destinations that did not reply to a request. |
| Scan ICMP Echo Request Cnt | SCAN_ICMP_ECHO_REQUEST_ COUNTER | Number of distinct ICMP Echo Request (ping) destinations detected. |
| Scan ICMP Echo Targets | SCAN_ICMP_ECHO_TARGETS | List of the detected ICMP Echo Request (ping) destinations. |
| Scan ICMP Mask No Reply Cnt | SCAN_ICMP_NETMASK_ NO_RESPONSE_ COUNTER | Number of distinct ICMP Netmask Request destinations that did not reply to a request. |
| Scan ICMP Mask Request Cnt | SCAN_ICMP_NETMASK_ REQUEST_COUNTER | Number of distinct ICMP Netmask Request destinations detected. |
| Scan ICMP Mask Targets | SCAN_ICMP_NETMASK_ TARGETS | List of the detected ICMP Netmask Request destinations. |
| Scan ICMP No Reply Cnt | SCAN_ICMP_NO_RESPONSE_COUNTER | Number of the distinct ICMP request destinations for any of counted ICMP requests (Echo Request, Timestamp Request, Netmask Request) that did not reply to a request. |
| Scan ICMP Request Cnt | SCAN_ICMP_REQUEST_COUNTER | Number of the distinct ICMP request destinations for the counted ICMP requests (Echo Request, Timestamp Request, Netmask Request). |
| Scan ICMP Time No Reply Cnt | SCAN_ICMP_TIMESTAMP_NO_RESPONSE_ COUNTER | Number of the distinct ICMP Timestamp Request destinations that did not reply to a request. |
| Scan ICMP Time Request Cnt | SCAN_ICMP_TIMESTAMP_REQUEST_ COUNTER | Number of the distinct ICMP Timestamp Request destinations detected. |
| Scan ICMP Time Targets | SCAN_ICMP_TIMESTAMP_TARGETS | List of the detected ICMP Timestamp Request destinations. |
| Scan Start Time | SCAN_START_TIME | The starting time of the detected port scanning activity. |
| Scan TCP Negative Cnt | SCAN_TCP_NEGATIVE_COUNTER | Number of distinct TCP destinations that denied attempted connections with TCP RST. |
| Scan TCP Normal Cnt | SCAN_TCP_NORMAL_COUNTER | Number of distinct TCP destinations with successful connection establishment and bidirectional data transfer. |
| Scan TCP No Ack Cnt | SCAN_TCP_NO_ACK_COUNTER | Number of distinct TCP destinations targeted for illegal TCP segments. |
| Scan TCP No Ack Targets | SCAN_TCP_NO_ACK_TARGETS | List of TCP destinations targeted for illegal TCP segments. |
| Scan TCP No Reply Cnt | SCAN_TCP_NO_RESPONSE_COUNTER | Number of distinct TCP destinations that did not reply to connection attempts. |
| Scan TCP Positive Cnt | SCAN_TCP_POSITIVE_COUNTER | Number of distinct TCP destinations with successful connection establishment but no data sent by the client within the defined time limit. |
| Scan TCP Targets | SCAN_TCP_TARGETS | List of the detected TCP port scan destinations. |
| Scan UDP Negative Cnt | SCAN_UDP_NEGATIVE_COUNTER | Number of distinct destinations detected that replied with ICMP Port Unreachable (successful scan of closed UDP port). |
| Scan UDP Positive Cnt | SCAN_UDP_POSITIVE_COUNTER | Number of bi-directional UDP conversations detected. |
| Scan UDP Probe Cnt | SCAN_UDP_PROBE_COUNTER | Number of destinations that did not reply using UDP. |
| Scan UDP Target Cnt | SCAN_UDP_TARGET_COUNTER | Total number of UDP destinations detected. |
| Scan UDP Targets | SCAN_UDP_TARGETS | List of the detected UDP destinations. |
| Sender | NODE_ID | IP address of the engine or server that sent the log entry. |
| Sender module version | SENDER_MODULE_VERSION | Version of the engine module that generated the event. |
| Sender type | SENDER_TYPE | The type of engine or server that sent the log entry. |
| Service | SERVICE | Special field for filtering logs using the defined services. Does not appear in the log entry table. |
| Severity | ALERT_SEVERITY | Severity of the situation related to the alert event. |
| SIP call ID | SIP_CALL_ID | SIP call ID. |
| SIP contact address | SIP_CONTACT | SIP contact address. |
| SIP header field contents | SIP_HEADER | SIP header field contents. |
| SIP header field name | SIP_HEADER_NAME | SIP header field name. |
| SIP request method | SIP_REQUEST_METHOD | Method of the SIP request. |
| SIP request URI | SIP_REQUEST_URI | URI of the SIP request. |
| SIP request version | SIP_REQUEST_VERSION | Version of the SIP request. |
| SIP response reason-phrase | SIP_RESPONSE_REASON_PHRASE | SIP response reason-phrase. |
| SIP response status code | SIP_RESPONSE_STATUS_CODE | Status code of the SIP response. |
| SIP VIA address | SIP_VIA | SIP VIA address. |
| Situation | SITUATION | The identifier of the situation that triggered the log event. |
| Situation Type | SIT_CATEGORY | The type of the situation that triggered the log event. |
| SMTP command | SMTP_COMMAND | Suspicious SMTP command sent by the client. |
| SMTP mail stats | SMTP_MAIL_STATS | Statistics on email messages. |
| SMTP misplaced command | SMTP_MISPLACED_COMMAND | Command given in the wrong place in the command sequence. |
| SMTP recipient | SMTP_RECIPIENT | Recipient forward path in RCPT command parameter. |
| SMTP reply | SMTP_REPLY | Suspicious SMTP reply message sent by the server. |
| SMTP reverse path | SMTP_REVERSE_PATH | SMTP reverse path in MAIL FROM command parameter. |
| SMTP server action | SMTP_SERVER_ACTION | Suspicious server action after a suspicious client command. |
| SMTP server banner | SMTP_SERVER_BANNER | Banner sent by the SMTP server at the beginning of the connection. |
| SMTP transaction state | SMTP_TRANSACTION_STATE | Session state of the SMTP transaction. |
| Source file | SOURCE_FILE | Name of the source file. |
| Source file line | SOURCE_FILE_LINE | Line number in the source file. |
| Source port | PORT_SOURCE | TCP or UDP source port in the packet header. Included for backwards compatibility with legacy IPS. For other cases, see Src Port. |
| Src Addr | SRC | Packet source IP address. |
| Src Port | SPORT | TCP or UDP source port in the packet header. |
| Src VLAN | SRC_VLAN | The VLAN ID of the source VLAN. |
| SSH calc client crypto bit ratio | SSH_CALC_CLIENT_CRYPTO_BIT_RATIO | Calculated SSH client crypto bit ratio. |
| SSH calc server crypto bit ratio | SSH_CALC_SERVER_CRYPTO_BIT_RATIO | Calculated SSH server crypto bit ratio. |
| SSH1 host key bits | SSH1_HOST_KEY_BITS | Bit length of the SSHv1 host key. |
| SSH1 server key bits | SSH1_SERVER_KEY_BITS | Bit length of the SSHv1 server key. |
| S-tag | VLAN_S_TAG | Service provider tag in double-tagged VLAN traffic. |
| Syslog | SYSLOG_TYPE | Syslog is a system service used in some operating systems, for example, UNIX- and software packages. For more information about syslog and syslog types, see RFC 3164. |
| Syslog Facility | SYSLOG_FACILITY | Syslog entry facility. |
| Syslog Level | SYSLOG_LEVEL | Syslog entry level. |
| Syslog Message | SYSLOG_MSG | Syslog entry message string. |
| Target IP | IP_TARGET | IPv4 address of the target host in a detected attack. |
| TCP connection start time | TCP_CONNECTION_START_TIME | Start time of the TCP connection. |
| TCP handshake seen | TCP_HANDSHAKE_SEEN | Initial handshake of the TCP connection detected. |
| TCP option kind | TCP_OPTION_KIND | Type of the TCP option. |
| TCP option length | TCP_OPTION_LENGTH | Length of the TCP option that caused the response. |
| To address | SIP_TO | SIP To address. |
| UDP datagram size | UDP_DATAGRAM_SIZE | Size of the UDP datagram. |
| Vulnerability References | VULNERABILITY_REFERENCES | References to known vulnerabilities in a vulnerability database. Generated from situation and original situation. |
| Whole session seen | WHOLE_SESSION_SEEN | True if no data of this session has been missed up to this point. |