IDS event flow data

IDS event flow data specific to each IDS event. The data includes source IP, source port, destination IP, destination port, protocol, rule id, profile id, and the action.
Name | Description | Type | Notes |
---|---|---|---|
action_type | IDS event action. The action pertaining to the detected intrusion. Possible values are ALERT, DROP, REJECT, and INVALID. ALERT: if there is a signature match on the packet, it is allowed to pass but a notification is sent to the user that an intrusion was detected. DROP: on a signature match, the packet is silently dropped; an alert is sent to the user that an intrusion was detected. REJECT: on a signature match, the packet is dropped and a TCP RST or ICMP error message (for non-TCP packets) is sent to the endpoints; an alert is sent to the user that an intrusion was detected. INVALID: if the action doesn't belong to any of the above categories, it is marked as INVALID. | string | Readonly. Enum: ALERT, DROP, REJECT, INVALID |
bytes_toclient | Bytes to client. Bytes sent to the client. | integer | Readonly |
bytes_toserver | Bytes to server. Bytes sent to the server. | integer | Readonly |
client_ip | IP address of the client VM. IP address of the VM that initiated the communication. | string | Readonly |
destination_ip | IP address of the destination VM. IP address of the destination VM on the intrusion flow. | string | Readonly |
destination_port | Destination port. Port on the destination VM to which the traffic was sent. | integer | Readonly |
gateway | Gateway where the intrusion was detected. Name of the gateway on which this intrusion was detected. | string | Readonly |
gateway_tags | Tags associated with the gateway. Tags associated with the gateway on which this intrusion was detected. | array of Tag | Readonly |
host | Host where the intrusion was seen. Name of the host on which this intrusion was detected. | string | Readonly |
local_vm_ip | IP address of the local VM. IP address of the VM on the host where the IDS engine is running. | string | Readonly |
profile_id | IDS profile id. The IDS profile id associated with the IDS rule pertaining to the detected intrusion event. | string | Readonly |
protocol | Traffic protocol pertaining to the intrusion. Traffic protocol pertaining to the detected intrusion, e.g. TCP or UDP. | string | Readonly |
rule_id | IDS rule id of the detected intrusion. The IDS rule id pertaining to the detected intrusion. | integer | Readonly |
source_ip | IP address of the source VM. IP address of the source VM on the intrusion flow. | string | Readonly |
source_port | Source port. Source port through which the traffic that triggered the intrusion detection was initiated. | integer | Readonly |
traffic_type | IDS event detection source. The source where the intrusion was detected. Possible values are GATEWAY and HOST. | string | Readonly. Enum: GATEWAY, HOST |
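As an added example that is not part of this reference, the following Python validates records of the shape documented above against the field types and enums in the table, then summarises them per rule_id, singling out ALERT-mode hits because that action means the matched packet was allowed through. It assumes (this is not stated on the page) that events arrive as JSON objects keyed by the table's field names; the sample records are constructed.

```python
"""Validate and triage IDS event flow records with the fields documented above.
Assumptions (not from the page): records arrive as JSON objects keyed by the table's
field names; SAMPLE_EVENTS below are constructed, not real telemetry."""
ACTIONS = {"ALERT", "DROP", "REJECT", "INVALID"}
TRAFFIC_TYPES = {"GATEWAY", "HOST"}
SCHEMA = {  # field -> expected type, per the table's Type column (Tag objects as a list)
    "action_type": str, "bytes_toclient": int, "bytes_toserver": int, "client_ip": str,
    "destination_ip": str, "destination_port": int, "gateway": str, "gateway_tags": list,
    "host": str, "local_vm_ip": str, "profile_id": str, "protocol": str, "rule_id": int,
    "source_ip": str, "source_port": int, "traffic_type": str,
}

def validate(event):
    """Return a list of schema problems; an empty list means the record is usable."""
    problems = [f"{k}: expected {t.__name__}" for k, t in SCHEMA.items()
                if k in event and not isinstance(event[k], t)]
    if event.get("action_type") not in ACTIONS:
        problems.append("action_type: not one of " + ", ".join(sorted(ACTIONS)))
    if event.get("traffic_type") not in TRAFFIC_TYPES:
        problems.append("traffic_type: not GATEWAY or HOST")
    return problems

def triage(events):
    """Per rule_id, count each action and sum flow bytes in both directions.
    Malformed records are skipped rather than silently mis-counted."""
    summary = {}
    for ev in events:
        if validate(ev):
            continue
        s = summary.setdefault(ev["rule_id"], {**dict.fromkeys(ACTIONS, 0), "bytes": 0})
        s[ev["action_type"]] += 1
        s["bytes"] += ev["bytes_toclient"] + ev["bytes_toserver"]
    return summary

def rules_needing_followup(summary):
    """ALERT means the matched packet was allowed to pass, so these rules saw traffic
    that reached its destination; they are the ones to investigate first."""
    return sorted(r for r, s in summary.items() if s["ALERT"] > 0)

BASE = {  # one complete constructed record; each sample overrides a few fields
    "action_type": "ALERT", "bytes_toclient": 0, "bytes_toserver": 0, "client_ip": "10.0.1.5",
    "destination_ip": "10.0.2.9", "destination_port": 445, "gateway": "gw-edge-01",
    "gateway_tags": [], "host": "esx-01", "local_vm_ip": "10.0.1.5", "profile_id": "profile-a",
    "protocol": "TCP", "rule_id": 2001, "source_ip": "10.0.1.5", "source_port": 51000, "traffic_type": "HOST",
}
SAMPLE_EVENTS = [
    {**BASE, "bytes_toclient": 1200, "bytes_toserver": 300},
    {**BASE, "action_type": "DROP", "traffic_type": "GATEWAY", "bytes_toserver": 80},
    {**BASE, "action_type": "REJECT", "rule_id": 2002, "protocol": "UDP", "destination_port": 53},
    {**BASE, "action_type": "BLOCK", "rule_id": "2003"},  # malformed: unknown enum, wrong type
]
```

Running `triage(SAMPLE_EVENTS)` groups the three valid records under rules 2001 and 2002 and discards the malformed one; `rules_needing_followup` then returns only rule 2001, the one with an ALERT-mode hit.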