115
edits
Incidents: Difference between revisions
no edit summary
No edit summary |
No edit summary |
||
| Line 53: | Line 53: | ||
** Extra capture time: configure the number of seconds before the start of the incident and after the end of the incident. | ** Extra capture time: configure the number of seconds before the start of the incident and after the end of the incident. | ||
*** If a time span parameter is used for attributes, the capture time includes this time duration as well. | *** If a time span parameter is used for attributes, the capture time includes this time duration as well. | ||
** The traffic is automatically filtered to only contain the traffic that actually triggered the rule, i.e., an IP address or an IP group for IP rules. | ** The traffic is automatically filtered to only contain the traffic that actually triggered the rule, i.e., an IP address or an IP group for IP rules. See the list below of the available triggers for more details about the applied filter. | ||
* Trigger cooldown: Depending on the selected trigger, once the incident was activated and finished, the trigger will wait for this cooldown period before the next incident may be triggered again. Each rule will have a seperate cooldown timer. The cooldown period may be configured in seconds. | * Trigger cooldown: Depending on the selected trigger, once the incident was activated and finished, the trigger will wait for this cooldown period before the next incident may be triggered again. Each rule will have a seperate cooldown timer. The cooldown period may be configured in seconds. | ||
| Line 63: | Line 63: | ||
!Attributes | !Attributes | ||
!Attribute usage | !Attribute usage | ||
!Traffic capture filter | |||
|- | |- | ||
|ARP: MAC change for an IP<br> | |ARP: MAC change for an IP<br> | ||
| Line 69: | Line 70: | ||
|time_since_last_mac | |time_since_last_mac | ||
|optional | |optional | ||
|L2 protocol type ARP | |||
|- | |- | ||
|DNS: Server is not responding<br> | |DNS: Server is not responding<br> | ||
| Line 75: | Line 77: | ||
|time_since_first_unanswered_request | |time_since_first_unanswered_request | ||
|optional | |optional | ||
|IP address, | |||
server port 53 | |||
|- | |- | ||
|DNS: Server response error<br> | |DNS: Server response error<br> | ||
| Line 81: | Line 85: | ||
|error_type | |error_type | ||
|mandatory | |mandatory | ||
|IP address, | |||
L7 protocol DNS | |||
|- | |- | ||
|Global: Connection start<br> | |Global: Connection start<br> | ||
| Line 87: | Line 93: | ||
|l4_protocol, port_range, since_start_time | |l4_protocol, port_range, since_start_time | ||
|mandatory | |mandatory | ||
|Connection filter (src/dst IP and port) | |||
|- | |- | ||
|Global: GPS synchronization status change<br> | |Global: GPS synchronization status change<br> | ||
| Line 93: | Line 100: | ||
|gps_sync_status | |gps_sync_status | ||
|optional | |optional | ||
|n/a | |||
|- | |- | ||
|Global: Number of connections<br> | |Global: Number of connections<br> | ||
| Line 99: | Line 107: | ||
|new_connections | |new_connections | ||
|mandatory | |mandatory | ||
|no filter | |||
|- | |- | ||
|Global: Regular expressions<br> | |Global: Regular expressions<br> | ||
| Line 106: | Line 115: | ||
| | | | ||
|no attributes are available for this trigger | |no attributes are available for this trigger | ||
|Connection filter (src/dst IP and port) | |||
|- | |- | ||
|Global: Ring buffer<br> | |Global: Ring buffer<br> | ||
| Line 112: | Line 122: | ||
|used_size, bytes_captured, bytes_dropped | |used_size, bytes_captured, bytes_dropped | ||
|mandatory | |mandatory | ||
|n/a | |||
|- | |- | ||
|Global: Speed change of an interface<br> | |Global: Speed change of an interface<br> | ||
| Line 118: | Line 129: | ||
|interface_speed | |interface_speed | ||
|optional | |optional | ||
|n/a | |||
|- | |- | ||
|Global: Speed mismatch for an interface pair<br> | |Global: Speed mismatch for an interface pair<br> | ||
| Line 124: | Line 136: | ||
|link_speed_difference | |link_speed_difference | ||
|optional | |optional | ||
|n/a | |||
|- | |- | ||
|Global: Status change of an interface<br> | |Global: Status change of an interface<br> | ||
| Line 130: | Line 143: | ||
|interface_status | |interface_status | ||
|optional | |optional | ||
|n/a | |||
|- | |- | ||
|Global: Traffic<br> | |Global: Traffic<br> | ||
| Line 136: | Line 150: | ||
|throughput, throughput_increase, packet_rate, packet_rate_increase | |throughput, throughput_increase, packet_rate, packet_rate_increase | ||
|mandatory | |mandatory | ||
|no filter | |||
|- | |- | ||
|IEC 61850 - GOOSE: State number change<br> | |IEC 61850 - GOOSE: State number change<br> | ||
| Line 142: | Line 157: | ||
|GoCBRef | |GoCBRef | ||
|optional | |optional | ||
|MAC address pair and l7 protocol | |||
|- | |- | ||
|IEC104: Response times<br> | |IEC104: Response times<br> | ||
| Line 148: | Line 164: | ||
|response_time | |response_time | ||
|mandatory | |mandatory | ||
|Connection filter (src/dst IP and port) | |||
|- | |- | ||
|IEC104: Traffic<br> | |IEC104: Traffic<br> | ||
| Line 154: | Line 171: | ||
|percent_loss, absolute_loss, not_in_order | |percent_loss, absolute_loss, not_in_order | ||
|mandatory | |mandatory | ||
|Connection filter (src/dst IP and port) | |||
|- | |- | ||
|IP: Connection end<br> | |IP: Connection end<br> | ||
| Line 160: | Line 178: | ||
|total_packets, total_bytes, tcp_handshake_time, percent_retransmissions, zero_window_packets, duration, l7_protocol, l4_port, l4_client_port, l4_server_port | |total_packets, total_bytes, tcp_handshake_time, percent_retransmissions, zero_window_packets, duration, l7_protocol, l4_port, l4_client_port, l4_server_port | ||
|mandatory | |mandatory | ||
|Connection filter (src/dst IP and port) | |||
|- | |- | ||
|IP: Connection start<br> | |IP: Connection start<br> | ||
| Line 166: | Line 185: | ||
|new_connections, geolocation | |new_connections, geolocation | ||
|mandatory | |mandatory | ||
|Connection filter (src/dst IP and port) | |||
|- | |- | ||
|IP: Local IP with multiple MAC addresses<br> | |IP: Local IP with multiple MAC addresses<br> | ||
| Line 172: | Line 192: | ||
|mac_count | |mac_count | ||
|optional | |optional | ||
|IP filter | |||
|- | |- | ||
|IP: New local IP address<br> | |IP: New local IP address<br> | ||
| Line 178: | Line 199: | ||
|since_start_time | |since_start_time | ||
|optional | |optional | ||
|IP filter | |||
|- | |- | ||
|IP: New L7 protocol<br> | |IP: New L7 protocol<br> | ||
| Line 184: | Line 206: | ||
|since_start_time, local_ip, l7_protocol | |since_start_time, local_ip, l7_protocol | ||
|optional | |optional | ||
|IP filter | |||
|- | |- | ||
|IP: TCP handshake<br> | |IP: TCP handshake<br> | ||
| Line 190: | Line 213: | ||
|handshake_time, server_handshake_time, client_handshake_time, handshake_failed, l4_port, l4_server_port, l4_client_port, l7_protocol | |handshake_time, server_handshake_time, client_handshake_time, handshake_failed, l4_port, l4_server_port, l4_client_port, l7_protocol | ||
|mandatory | |mandatory | ||
|IP filter | |||
|- | |- | ||
|IP: Traffic on IP addresses<br> | |IP: Traffic on IP addresses<br> | ||
| Line 196: | Line 220: | ||
|throughput, throughput_increase, packet_rate, packet_rate_increase, total_packets, total_bytes, retransmission_ratio, zero_window_packets, tcp_syn_packets, tcp_fin_packets, tcp_rst_packets | |throughput, throughput_increase, packet_rate, packet_rate_increase, total_packets, total_bytes, retransmission_ratio, zero_window_packets, tcp_syn_packets, tcp_fin_packets, tcp_rst_packets | ||
|mandatory | |mandatory | ||
|IP or IP group filter | |||
|- | |- | ||
|IP: TTL change<br> | |IP: TTL change<br> | ||
| Line 202: | Line 227: | ||
|ttl_change | |ttl_change | ||
|mandatory | |mandatory | ||
| | |||
|- | |- | ||
|LACP: Status change of a channel<br> | |LACP: Status change of a channel<br> | ||
| Line 208: | Line 234: | ||
|channel_status | |channel_status | ||
|optional | |optional | ||
|l2 filter for LACP protocol | |||
|- | |- | ||
|MAC: New L7 protocol<br> | |MAC: New L7 protocol<br> | ||
| Line 214: | Line 241: | ||
|since_start_time | |since_start_time | ||
|optional | |optional | ||
|MAC filter | |||
|- | |- | ||
|MAC: New MAC address<br> | |MAC: New MAC address<br> | ||
| Line 220: | Line 248: | ||
|since_start_time | |since_start_time | ||
|optional | |optional | ||
|MAC filter | |||
|- | |- | ||
|MAC: Traffic on MAC addresses<br> | |MAC: Traffic on MAC addresses<br> | ||
| Line 226: | Line 255: | ||
|broadcast_packet_rate | |broadcast_packet_rate | ||
|mandatory | |mandatory | ||
|MAC filter | |||
|- | |- | ||
|PPPoE: PPPoE Discovery traffic<br> | |PPPoE: PPPoE Discovery traffic<br> | ||
| Line 232: | Line 262: | ||
|pppoe_discovery_packets | |pppoe_discovery_packets | ||
|mandatory | |mandatory | ||
|l2 filter for PPPoE protocol | |||
|- | |- | ||
|Profinet: Traffic of Profinet devices<br> | |Profinet: Traffic of Profinet devices<br> | ||
| Line 238: | Line 269: | ||
|alarms_low, alarms_high, errors, frames_lost, frames_repeated, frames_wrong_sequence, max_jitter | |alarms_low, alarms_high, errors, frames_lost, frames_repeated, frames_wrong_sequence, max_jitter | ||
|mandatory | |mandatory | ||
|MAC address and | |||
l2 filter for PPPoE protocol | |||
|- | |- | ||
|PTP: Timestamp packet<br> | |PTP: Timestamp packet<br> | ||
| Line 244: | Line 277: | ||
|time_offset | |time_offset | ||
|mandatory | |mandatory | ||
|l7 protocol PTP | |||
|- | |- | ||
|QOS: Traffic on QoS classes<br> | |QOS: Traffic on QoS classes<br> | ||
| Line 250: | Line 284: | ||
|throughput | |throughput | ||
|mandatory | |mandatory | ||
|IP, MPLS, or VLAN QoS filter | |||
|- | |- | ||
|RTP: Traffic for RTP connections<br> | |RTP: Traffic for RTP connections<br> | ||
| Line 256: | Line 291: | ||
|jitter, percent_loss | |jitter, percent_loss | ||
|mandatory | |mandatory | ||
|RTP connection filter | |||
|- | |- | ||
|SIP: Call end<br> | |SIP: Call end<br> | ||
| Line 262: | Line 298: | ||
|duration, status, mos, percent_loss, jitter, total_packets, total_bytes, total_caller_packets, total_callee_packets, total_caller_bytes, total_callee_bytes | |duration, status, mos, percent_loss, jitter, total_packets, total_bytes, total_caller_packets, total_callee_packets, total_caller_bytes, total_callee_bytes | ||
|mandatory | |mandatory | ||
|SIP IP and call ID plus RTP connection filter | |||
|- | |- | ||
|SMB: SMB1 negotiation<br> | |SMB: SMB1 negotiation<br> | ||
| Line 270: | Line 307: | ||
| | | | ||
|none | |none | ||
|IP pair filter and l7 protocol SMB | |||
|- | |- | ||
|SMB: SMB version negotiation<br> | |SMB: SMB version negotiation<br> | ||
| Line 276: | Line 314: | ||
|version | |version | ||
|mandatory | |mandatory | ||
|IP pair filter and l7 protocol SMB | |||
|- | |- | ||
|TLS: first data packet | |TLS: first data packet | ||
| Line 282: | Line 321: | ||
|tls_first_data_time_ms | |tls_first_data_time_ms | ||
|mandatory | |mandatory | ||
|Connection filter (src/dst IP and port) | |||
|- | |- | ||
|TLS: Handshake<br> | |TLS: Handshake<br> | ||
| Line 290: | Line 330: | ||
|certificate_expires, tls_alert_level | |certificate_expires, tls_alert_level | ||
|mandatory | |mandatory | ||
|Connection filter (src/dst IP and port) | |||
|- | |- | ||
|TLS: TLS Handshake Server Hello | |TLS: TLS Handshake Server Hello | ||
| Line 298: | Line 339: | ||
|used_tls_version, tls_handshake_time_ms | |used_tls_version, tls_handshake_time_ms | ||
|mandatory | |mandatory | ||
|Connection filter (src/dst IP and port) | |||
|- | |- | ||
|WiFi: Handshake failure | |WiFi: Handshake failure | ||
| Line 304: | Line 346: | ||
|handshake_failure_type | |handshake_failure_type | ||
|mandatory | |mandatory | ||
|n/a | |||
|} | |} | ||