IPFIX Specification
This specification defines all generic and cognitix-specific events.
IPFIX Setup
The IPFIX interface is based on IETF RFC 7011. It also uses bidirectional reporting as described in RFC 5103 (especially sections 5 and 6.3).
Additionally, cognitix defines and uses its own elements for specific fields.
The implementation is based on TCP for reliable transmission. UDP is also supported for IPFIX channels.
The data source sends an IPFIX template on demand, just before a message using that template is sent. A template is resent if a certain time has passed since it was last sent.
IPFIX Records
The cognitix IPFIX templates use preassigned IANA elements where possible. The data types follow RFC 7102. For the definitions of the IANA IPFIX information elements used by cognitix, see the IANA table.
Note: sourceIPv4Address/sourceIPv6Address and destinationIPv4Address/destinationIPv6Address describe the outermost IP addresses of an observed flow.
Fields for which no IANA-assigned IPFIX element exists are described using custom elements under the cognitix IPFIX Private Enterprise Number (PEN 45480).
cognitix IPFIX Enterprise Elements
The cognitix IANA number (PEN 45480) defines the following enterprise elements:
| Property | Enterprise ID | Data type | Description |
|---|---|---|---|
| | 10 | unsigned16 | This field describes the protocol of the flow as detected by the DPI engine. |
| | 11 | unsigned16 | This field describes the application of the flow as detected by the DPI engine. |
| | 13 | unsigned32 | This field contains the combined values of the protocol and application of the flow as detected by the DPI engine. It represents the DPI classification of the cleartext message. The combined value is calculated using |
| | 20 | string | This field contains the 2-byte ISO 3166 country code of the flow source as detected by the GeoIP engine. If no country code could be detected, this field will contain |
| | 21 | string | This field contains the 2-byte ISO 3166 country code of the flow destination as detected by the GeoIP engine. If no country code could be detected, this field will contain |
| | 30 | string | The policy rule ID string states which policy rule matched for a given flow, by its internal unique ID. |
| | 31 | unsigned32 | The IPS rule ID indicates which IPS rule matched for the given flow. If it is |
| | 38 | string | The IPS rule description matching the IPS rule ID. |
| | 32 | string | The policy rule name, a variable-length string, states which policy rule matched for a flow, by its user-defined name. |
| | 33 | unsigned8 | The type of policy rule action. It can be: |
| | 34 | string | The policy hit ID, a variable-length string. |
| | 35 | string | The policy hit name, a variable-length string. |
| | 36 | unsigned8 | The log severity indicates which events are reported with respect to the configured severity level. It can be: |
| | 37 | unsigned8 | The policy hit flag indicates that the policy hit was marked as an incident by the corresponding flag in the log action of the policy rule. |
| | 50 | string | The hostname of the observed URL of an HTTP request, as a variable-length string, as classified by the URL filter engine. |
| | 75 | unsigned8 | The match type that hit an IoC feed. It can be: |
| | 76 | string | The string representation of the IoC value that was hit. Its type is given in the |
| | 80 | unsigned8 | Location of the source host as determined by the |
| | 81 | unsigned8 | Location of the destination host as determined by the |
| | 90 | string | The internal ID of the source asset. |
| | 91 | string | The internal ID of the destination asset. |
| | 92 | string | The internal ID of the user associated with the source asset. |
cognitix Threat Defender IPFIX Events
All events contain IANA-defined fields (see the IANA definitions) and cognitix IPFIX Enterprise Elements. See the following sections for further information on the fields used.
Common Event Fields
The following fields are used in all cognitix IPFIX events:
| Property | Data Type |
|---|---|
| | unsigned16 |
| | ipv4Address |
| | unsigned16 |
| | ipv4Address |
| | ipv6Address |
| | ipv6Address |
| | macAddress |
| | macAddress |
| | unsigned64 |
| | unsigned64 |
| | unsigned64 |
| | unsigned64 |
| | unsigned64 |
| | dateTimeMilliseconds |
| | dateTimeMilliseconds |
| | unsigned8 |
| | unsigned32 |
| | unsigned32 |
| | unsigned8 |
| | unsigned8 |
| | string |
| | string |
| | string |
Message Types
Messages of the types flow-update and flow-end additionally contain the following elements:
- firewallEvent, with a value of either 2 (flow-end) or 5 (flow-update)
- octetDeltaCount, the number of transferred bytes from client to server
- octetDeltaCountReverse, the number of transferred bytes from server to client
- packetDeltaCount, the number of transferred packets from client to server
- packetDeltaCountReverse, the number of transferred packets from server to client
Messages of the type hostname additionally contain the following element:
- cognitixHostname, an observed domain name
Messages of the type policy-rule-matched additionally contain the following elements:
- firewallEvent, with a value of 4 (flow-alert)
- cognitixPolicyId
- cognitixPolicyName
- cognitixPolicyRuleName
- cognitixPolicyRuleId
- cognitixPolicyRuleAction
- httpRequestHost
- httpRequestTarget
Messages of the types policy-hit and policy-log additionally contain the following elements:
- firewallEvent, with a value of 4 (flow-alert)
- cognitixPolicyId
- cognitixPolicyName
- cognitixPolicyRuleName
- cognitixPolicyRuleId
- cognitixPolicyRuleAction
- cognitixLogSeverity
Messages of the type ips-hit additionally contain the following elements:
- firewallEvent, with a value of 4 (flow-alert)
- cognitixLogSeverity
- cognitixIPSRuleId
- cognitixIPSRuleDescription
Messages of the type ioc-hit additionally contain the following elements:
- firewallEvent, with a value of 4 (flow-alert)
- cognitixLogSeverity
- cognitixIocValueType
- cognitixIocValue
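Added example in Python (not part of the cognitix documentation) showing how the template-before-data convention from the IPFIX Setup section and the flow-end elements above are encoded on the wire: a template set whose enterprise elements carry the 0x8000 bit followed by the PEN (45480 for cognitix, 29305 for the RFC 5103 reverse elements), then one data record, plus a collector-side parser that decodes it back. The IANA element IDs used (233 firewallEvent, 1 octetDeltaCount, 2 packetDeltaCount) come from the IANA registry; the name cognitixDpiProtocol for enterprise element 10, the template ID and all sample values are assumptions.

```python
import struct
COGNITIX_PEN, REVERSE_PEN, TEMPLATE_ID = 45480, 29305, 256  # spec PEN, RFC 5103 reverse PEN, assumed template ID
# (name, IE id, PEN or None for IANA, byte length). IANA ids: 233 firewallEvent, 1/2 octet/packetDeltaCount.
FIELDS = [
    ("firewallEvent", 233, None, 1),
    ("octetDeltaCount", 1, None, 8),
    ("octetDeltaCountReverse", 1, REVERSE_PEN, 8),
    ("packetDeltaCount", 2, None, 8),
    ("packetDeltaCountReverse", 2, REVERSE_PEN, 8),
    ("cognitixDpiProtocol", 10, COGNITIX_PEN, 2),  # assumed name for enterprise element 10
]
def build_message(values, export_time=1700000000, seq=1, odid=7):
    # Constructed exporter message: template set (set ID 2), then one data record under TEMPLATE_ID.
    tmpl = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    for _, ie, pen, flen in FIELDS:  # enterprise elements: bit 0x8000 set, 4-byte PEN follows (RFC 7011 3.2)
        tmpl += struct.pack("!HH", ie, flen) if pen is None else struct.pack("!HHI", ie | 0x8000, flen, pen)
    tset = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl
    data = b"".join(values[n].to_bytes(flen, "big") for n, _, _, flen in FIELDS)
    dset = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(tset) + len(dset), export_time, seq, odid) + tset + dset
def parse_message(msg):
    # Collector side: decode template sets, then data sets; each record maps (IE id, PEN) -> integer.
    version, length, _, _, _ = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg): raise ValueError("not a complete IPFIX (version 10) message")
    templates, records, off = {}, [], 16
    while off < length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        p, end = off + 4, off + set_len
        if set_id == 2:  # template set: (template ID, field count) then the field specifiers
            while p + 4 <= end:
                tid, count = struct.unpack("!HH", msg[p:p + 4]); p += 4
                spec = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", msg[p:p + 4]); p += 4
                    pen = None
                    if ie & 0x8000:  # enterprise-specific element: strip the bit, read the PEN
                        ie, pen = ie & 0x7FFF, struct.unpack("!I", msg[p:p + 4])[0]; p += 4
                    spec.append((ie, pen, flen))
                templates[tid] = spec
        elif set_id >= 256:  # data set: its template must already have been received
            spec = templates[set_id]
            rec_len = sum(f for _, _, f in spec)
            while p + rec_len <= end:
                rec = {}
                for ie, pen, flen in spec:
                    rec[(ie, pen)] = int.from_bytes(msg[p:p + flen], "big"); p += flen
                records.append(rec)
        off = end
    return records
```

A data set arriving before its template (parse_message raises KeyError here) cannot be decoded, which is why the exporter sends each template on demand before the first record that uses it.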