42. Appendix 5 – Conditional Parameters & Dynamic Parameters¶
The tables listed below show the following columns:
Conditional Parameter is used as a precondition for the execution of the actions listed in Configuration » Network & Policy » [Response].
Type shows whether the Conditional Parameter should be compared as a string (equal, non-equal, includes, excludes) or as a number (equal, non-equal, greater than, less than, modulo). The software returns only integers, not floating point numbers.
Dynamic Parameter is a variable defined within curly brackets “{ and }”, used as parameter or script argument in most Response actions. If its type is Number* then the values can be returned in multiples of 1,000 by appending _kilo to the dynamic parameter. The same goes for 1,000,000 by appending _mega and for 1,000,000,000 by appending _giga. To get the biggest multiplier (k, M, G) for the value, append _prefix. To also return the decoder before the biggest multiplier (k, M, G) value, append _decoder_prefix.
42.1. Anomaly Parameters¶
# |
CONDITIONAL PARAMETER |
TYPE |
DYNAMIC PARAMETER |
DESCRIPTION |
|---|---|---|---|---|
1 |
IP Address |
String |
{ip} |
IP address or block, originating or being the target of the anomaly |
2 |
N/A |
String |
{ip_dns} |
Reverse DNS of the anomaly IP. It is {ip} if the DNS lookup does not return a valid DNS PTR record |
3 |
CIDR |
Number |
{cidr} |
CIDR mask of the anomaly’s IP address or block |
4 |
Prefix |
String |
{prefix} |
IP/CIDR mask notation with the anomaly’s IP address or block |
5 |
IP Group |
String |
{ip_group} |
IP Group defined in IP Zone for the prefix |
6 |
Sensor Name |
String |
{sensor} |
Sensor that detected the anomaly |
7 |
Sensor Group |
String |
{sensor_group} |
Device Group configured for the Sensor |
8 |
Sensor IP |
String |
{sensor_ip} |
IP of the Sensor’s server |
9 |
Sensor Type |
String |
{sensor_type} |
Can be Packet Sensor, Flow Sensor, SNMP Sensor, Sensor Cluster |
10 |
Sensor ID |
Number |
{sensor_id} |
Unique ID of the Sensor |
11 |
Flow Exporter IP |
String |
{router_ip} |
IP of the flow exporter |
12 |
IP Zone Name |
String |
{ipzone} |
Sensor’s IP Zone |
13 |
IP Zone Prefix |
String |
{prefix_ipzone} |
The most specific prefix from the IP Zone |
14 |
Response Name |
String |
{response} |
Response activated by the anomaly |
15 |
Response Actions |
String |
{response_actions} |
List of actions executed by the Response. Contains only the actions that have the Record Action option enabled |
16 |
Template Name |
String |
{template} |
Returns the Threshold Template that includes the threshold rule, if it exists |
17 |
Expiration Delay |
String |
{expiration} |
Returns the number of seconds of inactivity before the anomaly expires |
18 |
Captured Packets |
Number |
{captured_pkts} |
When the Response contains an action for capturing packets, it contains the number of packets captured successfully |
19 |
BGP Log Size |
Number |
{bgplog_bytes} |
Size of the BGP announcement log. Non-zero when a BGP routing update was triggered for the anomaly |
20 |
Unique Dynamic Parameters |
String |
{exclusive} |
Contains dynamic parameter(s) that must be unique in all active anomalies. It can be used to avoid duplicating actions across multiple attacks. Example: “{ip} {decoder}” executes the Response action only when there is no other active anomaly to/from the same IP, using the same decoder |
21 |
Classification |
String |
{classification} |
Console users can manually classify anomalies in Reports » Tools » Anomalies. Returns Unclassified, False Positive, Possible Attack, Trivial Attack, Verified Attack or Crippling Attack |
23 |
Anomaly Description |
String |
{anomaly} |
Describes the condition that triggered the traffic anomaly |
24 |
Anomaly ID |
Number |
{anomaly_id} |
Unique identification number of the anomaly |
25 |
Anomaly Comment |
String |
{comment} |
User-submitted comment about the anomaly |
26 |
Direction |
String |
{direction} |
Direction of the threshold rule that triggered the anomaly. Can be incoming or outgoing |
27 |
N/A |
String |
{direction_to_from} |
Returns to for inbound anomalies or from for outbound anomalies |
28 |
N/A |
String |
{direction_receives_sends} |
Returns receives for inbound anomalies or sends for outbound anomalies |
29 |
Domain |
String |
{domain} |
Returns IP when CIDR mask = 32 for IPv4 or 128 for IPv6, subnet in all other cases |
30 |
Anomaly Class |
String |
{class} |
Returns threshold for threshold-based anomalies and profile for profiling-based anomalies |
31 |
Threshold Type |
String |
{threshold_type} |
Threshold-based anomalies can be defined with absolute values or as a percentage of the total traffic received by Sensor |
32 |
Anomaly Decoder (Protocol) |
String |
{decoder} |
Returns the traffic decoder (protocol) used to detect the anomaly |
33 |
Comparison |
String |
{operation} |
Returns the comparison function used by the threshold rule, over or under |
34 |
N/A |
String |
{comparison} |
Returns “>” for traffic rates exceeding the threshold or “<” for traffic rates under the threshold |
35 |
Unit |
String |
{unit} |
Returns pkts/s for threshold defined for packets per second, or bits/s for threshold defined for bits per second |
36 |
Threshold Value |
Number* |
{rule_value} |
Traffic value configured as threshold |
37 |
Computed Threshold |
Number* |
{computed_threshold} |
Value of the threshold, dynamically adjusted for profiling-based and percentage-based anomalies |
38 |
Peak Packets/s |
Number* |
{anomaly_pps} |
Highest packets/s rate of the anomaly |
39 |
Peak Bits/s |
Number* |
{anomaly_bps} |
Highest bits/s rate of the anomaly |
40 |
Latest Packets/s |
Number* |
{latest_anomaly_pps} |
Latest packets/s rate of the anomaly |
41 |
Latest Bits/s |
Number* |
{latest_anomaly_bps} |
Latest bits/s rate of the anomaly |
42 |
Peak Value |
Number* |
{value} |
Highest value of the abnormal traffic. Returns pkts/s or bits/s, depending on the threshold’s unit |
43 |
Latest Value |
Number* |
{latest_value} |
Latest value of the abnormal traffic. Returns pkts/s or bits/s, depending on the threshold’s unit |
44 |
Sum Value |
Number* |
{sum_value} |
For pkts/s thresholds returns the number of packets counted during the anomaly. For bits/s thresholds returns the number of bits counted during the anomaly |
45 |
Peak Rule Severity |
Number |
{severity} |
Returns the ratio between the peak abnormal traffic rate and the threshold value |
46 |
Latest Rule Severity |
Number |
{latest_severity} |
Returns the ratio between the latest abnormal traffic rate and the threshold value |
47 |
Peak Link Severity |
Number |
{link_severity} |
Returns the ratio between the peak abnormal traffic rate and the interface’s traffic rate |
48 |
Latest Link Severity |
Number |
{latest_link_severity} |
Returns the ratio between the latest abnormal traffic rate and the interface’s traffic rate |
49 |
Latest Link Utilization |
Number |
{latest_link_utilization} |
Returns the ratio between the latest total traffic rate and the interface’s traffic rate |
50 |
Custom Script Return Value |
Number |
n/a |
This conditional parameter is true only when the script entered in the Value field returns status 0 after its execution. The comparison field must be set to equal. You can pass dynamic parameters as arguments for the script |
51 |
N/A |
String |
{anomaly_log_10}, {anomaly_log_50}, {anomaly_log_100}, {anomaly_log_500}, {anomaly_log_1000} |
Returns 10/50/100/500/1000 packets (if a packet capturing action is enabled in the Response) or flows (if Flow Collector is enabled) with the anomalous traffic |
52 |
N/A |
String |
{software_version} |
Wanguard version |
42.2. Time Parameters¶
# |
CONDITIONAL PARAMETER |
TYPE |
DYNAMIC PARAMETER |
DESCRIPTION |
|---|---|---|---|---|
1 |
From |
Number |
{from_unixtime} |
Start time of the anomaly, in unixtime format (number of seconds since Jan 1st 1970) |
2 |
Until |
Number |
{until_unixtime} |
Expiration time of the anomaly, in unixtime format |
3 |
From |
String |
{from},{from_year},{from_month},{from_day},{from_dow},{from_hour},{from_minute} |
Start time of the anomaly, in iso8601 format (YYYY-MM-DD) or by year, month, etc. |
4 |
Until |
String |
{until},{until_year},{until_month},{until_day},{until_dow},{until_hour},{until_minute} |
Stop time of the anomaly, in iso8601 format (YYYY-MM-DD) or by year, month, etc. |
5 |
Duration |
Number |
{duration} |
Duration of the anomaly, expressed in seconds |
6 |
N/A |
String |
{duration_clock} |
Text string describing the duration of the anomaly. Examples: <5sec, 5h 4h 3s |
7 |
N/A |
String |
{duration_clock_full} |
Text string describing the duration of the anomaly. Examples: <5 seconds, 5 hours 4 minutes 3 seconds |
8 |
Internal Ticks |
Number |
{tick} |
Sensor’s internal tick. For Packet Sensor 1 tick = 5 seconds. For Flow Sensor 1 tick = the value of the Granularity parameter |
42.3. Overall Traffic Parameters¶
# |
CONDITIONAL PARAMETER |
TYPE |
DYNAMIC PARAMETER |
DESCRIPTION |
|---|---|---|---|---|
1 |
Peak IP Pkts/s |
Number* |
{total_pps} |
Peak IP packets/s rate for the prefix |
2 |
Peak IP Bits/s |
Number* |
{total_bps} |
Peak IP bits/s rate for the prefix |
3 |
Latest IP Pkts/s |
Number* |
{latest_total_pps} |
Latest IP packets/s rate for the prefix |
4 |
Latest IP Bits/s |
Number* |
{latest_total_bps} |
Latest IP bits/s rate for the prefix |
5 |
IP Packets |
Number* |
{sum_total_pkts} |
Number of IP packets counted during the anomaly |
6 |
IP Bits |
Number* |
{sum_total_bits} |
Number of IP bits counted during the anomaly |
42.4. Filter Parameters¶
# |
CONDITIONAL PARAMETER |
TYPE |
DYNAMIC PARAMETER |
DESCRIPTION |
|---|---|---|---|---|
1 |
Filter Name |
String |
{filter} |
Returns the name of the Filter that detected the filtering rule |
2 |
Filter ID |
Number |
{filter_id} |
Unique ID of the Filter that detected the filtering rule |
3 |
Filter Type |
String |
{filter_type} |
Type of Filter: Packet Filter, Flow Filter, Filter Cluster |
4 |
Filter Group |
String |
{filter_group} |
Device Group configured in the Filter configuration |
5 |
Number of Filters |
Number |
{filters} |
Number of Filter instances activated for the anomaly |
6 |
Filters Pkts/s |
Number* |
{filters_pps} |
Returns the most recent packets/s rate recorded by the Filter instances activated for the anomaly |
7 |
Filters Bits/s |
Number* |
{filters_bps} |
Returns the most recent bits/s rate recorded by the Filter instances activated for the anomaly |
8 |
Filters Peak Pkts/s |
Number* |
{filters_max_pps} |
Maximum packets/s rate recorded by all Filter instances activated for the anomaly |
9 |
Filters Peak Bits/s |
Number* |
{filters_max_bps} |
Maximum bits/s rate recorded by all Filter instances activated for the anomaly |
10 |
Filtered Packets |
Number* |
{filters_filtered_packets} |
Number of packets blocked by all Filter instances activated for the anomaly |
11 |
Filtered Bits |
Number* |
{filters_filtered_bits} |
Number of bits blocked by all Filter instances activated for the anomaly |
12 |
Filters CPU Usage |
Number |
{filters_max_cpu_usage} |
Maximum CPU% used by the Filter instances activated for the anomaly |
42.5. Filtering Rule Parameters¶
# |
CONDITIONAL PARAMETER |
TYPE |
DYNAMIC PARAMETER |
DESCRIPTION |
|---|---|---|---|---|
1 |
Filtering Rule # |
Number |
{filtering_rule_id} |
Unique ID of the filtering rule |
2 |
Filtering Rule Type |
String |
{filtering_rule_type} |
What type of filtering rule. All types are listed under Configuration » General Settings » Anomaly Mitigation |
3 |
Filtering Rule Value |
String |
{filtering_rule_value} |
Specific value of the filtering rule (specific IP, port number, protocol number, etc.) |
String |
{filtering_rule_ip_dns} |
When the filtering rule type is IP, it returns its reverse DNS |
||
4 |
Filtering Rule ISP |
String |
{filtering_rule_ip_isp} |
When the filtering rule type is IP, it returns the corresponding organization or Internet Service Provider |
5 |
Filtering Rule Country |
String |
{filtering_rule_ip_country} |
When the filtering rule type is IP, it returns its country |
6 |
Filtering Rule Pkts/s |
Number* |
{filtering_rule_pps} |
Latest packet/s rate for the traffic matched by the filtering rule |
7 |
Filtering Rule Bits/s |
Number* |
{filtering_rule_bps} |
Latest bits/s throughput for the traffic matched by the filtering rule |
8 |
Filtering Rule Peak Pkts/s |
Number* |
{filtering_rule_max_pps} |
Maximum packet/s rate for the traffic matched by the filtering rule |
9 |
Filtering Rule Peak Bits/s |
Number* |
{filtering_rule_max_bps} |
Maximum bits/s throughput for the traffic matched by the filtering rule |
10 |
Filtering Rule Unit/s |
Number* |
{filtering_rule_unit} |
Returns {filtering_rule_pps} for packets/s thresholds and {filtering_rule_bps} for bits/s thresholds |
11 |
Filtering Rule Peak Unit/s |
Number* |
{filtering_rule_max_unit} |
Returns {filtering_rule_max_pps} or {filtering_rule_max_bps} depending on the unit of the threshold |
12 |
Filtering Rule Severity |
Number |
{filtering_rule_severity} |
Returns the ratio between the traffic matched by the filtering rule and the threshold’s value |
13 |
Filtering Rule Packets |
Number* |
{filtering_rule_packets} |
Returns the number of packets matched by the filtering rule |
14 |
Filtering Rule Bits |
Number* |
{filtering_rule_bits} |
Returns the number of bits matched by the filtering rule |
15 |
Filtering Rule Time Interval |
Number |
{filtering_rule_difftime} |
Duration while the filtering rule was detected |
16 |
Filtering Rule Whitelist |
Number |
{filtering_rule_whitelisted} |
When the filtering rule is whitelisted, returns 1. Otherwise returns 0 |
17 |
Filtering Rule Traffic Sample Size |
Number* |
{filtering_rule_log_size} |
If the Response contains an action to capture the packets matched by the filtering rule, returns the packet dump’s size in bytes |
18 |
N/A |
String |
{attacker_isp} |
When the filtering rule type is IP, it returns the email address of the attacker’s ISP, if found in the whois database |
19 |
N/A |
String |
{filtering_rule_log_10}, {filtering_rule_log_50}, {filtering_rule_log_100}, {filtering_rule_log_500}, {filtering_rule_log_1000} |
Returns 10/50/100/500/1000 packets of the traffic matched by the filtering rule if the Response contains an action for capturing packets |