IPFIX Specification

This specification defines all generic and cognitix-specific events.

IPFIX Setup

The IPFIX interface follows IETF RFC 7011. Bidirectional flows are reported as described in RFC 5103 (especially sections 5 and 6.3), so reverse-direction counters appear as reverse information elements next to the forward ones.

In addition, cognitix defines its own enterprise-specific elements for fields that have no standard element.

IPFIX messages are exported over TCP for reliable transmission. UDP is also supported for IPFIX channels. Neither transport authenticates the exporter or protects the records in transit by itself, so the export path should be confined to a trusted management network.

The exporter sends a template immediately before the first message that uses it, and resends templates once a configured interval has elapsed since they were last sent. Over UDP the collector depends on this periodic retransmission to recover templates lost in transit; data records that arrive before their template cannot be decoded.

IPFIX Records

The cognitix IPFIX templates use IANA-registered information elements wherever one exists. The data types follow the IPFIX information model (RFC 7012). For the definitions of the IANA information elements used by cognitix, see the IANA IPFIX Information Elements registry.

Note

sourceIPv4Address/sourceIPv6Address and destinationIPv4Address/destinationIPv6Address describe the outermost IP addresses of an observed flow.

Fields that have no IANA-registered information element are exported as enterprise-specific elements under the cognitix IPFIX Private Enterprise Number (PEN 45480). In a template, such a field is encoded with the enterprise bit set in the element ID, followed by the 4-byte PEN (RFC 7011, section 3.2).

cognitix IPFIX Enterprise Elements

The following enterprise-specific elements are defined under the cognitix PEN 45480. Each entry gives the element name, its enterprise field ID, its data type, and its meaning.

cognitixDpiProtocol (field ID 10, unsigned16)
  The protocol of the flow as detected by the DPI engine.

cognitixDpiApplication (field ID 11, unsigned16)
  The application of the flow as detected by the DPI engine.

cognitixDpiClassification (field ID 13, unsigned32)
  The protocol and application of the flow as detected by the DPI engine, combined into one value. It represents the DPI classification of the cleartext message. The combined value is calculated as applicationID * 10,000 + protocolID, so a collector recovers applicationID = value div 10,000 and protocolID = value mod 10,000 (valid as long as protocol IDs stay below 10,000).

cognitixCountrySource (field ID 20, string)
  The two-letter ISO 3166-1 alpha-2 country code of the flow source as determined by the GeoIP engine. If no country could be determined, the field contains ZZ, the code cognitix assigns to private IP address ranges (ZZ is a user-assigned code in ISO 3166-1 and never denotes a real country).

cognitixCountryDestination (field ID 21, string)
  The two-letter ISO 3166-1 alpha-2 country code of the flow destination as determined by the GeoIP engine. If no country could be determined, the field contains ZZ, the code cognitix assigns to private IP address ranges.

cognitixPolicyRuleId (field ID 30, string)
  The internal unique ID of the policy rule that matched the flow.

cognitixIPSRuleId (field ID 31, unsigned32)
  The ID of the IPS rule that matched the flow. A value of 0 means no IPS rule was hit.

cognitixIPSRuleDescription (field ID 38, string)
  The description of the IPS rule identified by cognitixIPSRuleId.

cognitixPolicyRuleName (field ID 32, string)
  The user-defined name of the policy rule that matched the flow, as a variable-length string.

cognitixPolicyRuleAction (field ID 33, unsigned8)
  The type of policy rule action. It can be:

  • 0 = no action

  • 1 = drop

  • 2 = allow

  • 3 = tear down (reject)

  • 4 = redirect

cognitixPolicyId (field ID 34, string)
  The ID of the policy that was hit, as a variable-length string.

cognitixPolicyName (field ID 35, string)
  The name of the policy that was hit, as a variable-length string.

cognitixLogSeverity (field ID 36, unsigned8)
  The severity level under which the event is reported. It can be:

  • 0 = notice

  • 1 = low

  • 2 = medium

  • 3 = high

cognitixPolicyHit (field ID 37, unsigned8)
  Flag indicating that the policy was marked as an incident by the corresponding flag in the log action of a policy rule.

cognitixHostname (field ID 50, string)
  The hostname of the observed URL of an HTTP request, as a variable-length string, as classified by the URL filter engine.

cognitixIocValueType (field ID 75, unsigned8)
  The type of the value that matched an IoC feed. It can be:

  • 0 = none

  • 1 = source IP

  • 2 = destination IP

  • 3 = domain name

  • 4 = URL

cognitixIocValue (field ID 76, string)
  The string representation of the IoC value that was hit. Its type is given in cognitixIocValueType.

cognitixSrcLocation (field ID 80, unsigned8)
  Location of the source host as determined by NetworkObject matching. Values are:

  • 0 = internal

  • 1 = external

cognitixDstLocation (field ID 81, unsigned8)
  Location of the destination host as determined by NetworkObject matching. Values are:

  • 0 = internal

  • 1 = external

cognitixSrcAssetId (field ID 90, string)
  The internal ID of the source asset.

cognitixDstAssetId (field ID 91, string)
  The internal ID of the destination asset.

cognitixUserId (field ID 92, string)
  The internal ID of the user associated with the source asset.
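The following is an added example, not cognitix code, showing how a collector handles what the sections above describe: a template that mixes IANA elements, an RFC 5103 reverse element (PEN 29305) and cognitix elements (PEN 45480), a variable-length string field, and the split of cognitixDpiClassification back into application and protocol IDs. The message bytes are constructed in the block rather than captured from a Threat Defender; the cognitix field IDs are those of the table above, the IANA element IDs (1, 8, 12, 233) are the registered ones, and the addresses, counters, DPI IDs and rule ID are made up. The function names (build_message, parse_message, decode_classification) are this example's own.

```python
"""Encode and decode an IPFIX (RFC 7011) message carrying cognitix enterprise elements.
Added example, not cognitix code: the message is constructed here rather than captured;
cognitix field IDs follow the table above, IANA IDs the IANA registry; sample values are made up."""
import struct
from ipaddress import IPv4Address

COGNITIX_PEN = 45480   # cognitix Private Enterprise Number (this spec)
REVERSE_PEN = 29305    # PEN used for reverse elements, RFC 5103 section 6.1
VARIABLE = 0xFFFF      # template field length meaning "variable-length"

# (pen, element id) -> name; pen 0 marks an IANA-registered element.
ELEMENT_NAMES = {
    (0, 1): "octetDeltaCount",
    (0, 8): "sourceIPv4Address",
    (0, 12): "destinationIPv4Address",
    (0, 233): "firewallEvent",
    (REVERSE_PEN, 1): "octetDeltaCountReverse",
    (COGNITIX_PEN, 13): "cognitixDpiClassification",
    (COGNITIX_PEN, 30): "cognitixPolicyRuleId",
    (COGNITIX_PEN, 33): "cognitixPolicyRuleAction",
}
POLICY_ACTIONS = {0: "no action", 1: "drop", 2: "allow", 3: "tear down", 4: "redirect"}


def decode_classification(value):
    """Split cognitixDpiClassification (applicationID * 10000 + protocolID) into its parts."""
    return divmod(value, 10_000)


def field_spec(element_id, length, pen=0):
    """Template field specifier; enterprise IEs set the high bit and append the 4-byte PEN."""
    if pen:
        return struct.pack("!HHI", element_id | 0x8000, length, pen)
    return struct.pack("!HH", element_id, length)


def build_message():
    """Constructed message: a template set (ID 2) and a data set with one record."""
    fields = [(8, 4, 0), (12, 4, 0), (1, 8, 0), (1, 8, REVERSE_PEN), (233, 1, 0),
              (13, 4, COGNITIX_PEN), (33, 1, COGNITIX_PEN), (30, VARIABLE, COGNITIX_PEN)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(field_spec(*f) for f in fields)
    template_set = struct.pack("!HH", 2, 4 + len(template)) + template
    rule_id = b"rule-0042"                                  # made-up policy rule ID
    record = (IPv4Address("10.0.0.5").packed + IPv4Address("203.0.113.7").packed
              + struct.pack("!QQB", 1500, 48000, 2)        # bytes fwd/rev, firewallEvent 2 = flow-end
              + struct.pack("!IB", 123 * 10_000 + 45, 2)   # made-up app 123 / proto 45; action 2 = allow
              + bytes([len(rule_id)]) + rule_id)           # variable-length string, RFC 7011 section 7
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    header = struct.pack("!HHIII", 10, 16 + len(template_set) + len(data_set), 1700000000, 1, 1)
    return header + template_set + data_set


def _decode(name, raw):
    if name.endswith("IPv4Address"):
        return str(IPv4Address(raw))
    if name == "cognitixPolicyRuleId":
        return raw.decode("utf-8")
    return int.from_bytes(raw, "big")


def parse_message(data):
    """Return the decoded data records; templates are learned from the same message."""
    version, msg_len = struct.unpack_from("!HH", data, 0)
    if version != 10 or msg_len != len(data):
        raise ValueError("not a complete IPFIX message")
    templates, records, offset = {}, [], 16
    while offset < msg_len:
        set_id, set_len = struct.unpack_from("!HH", data, offset)
        end = offset + set_len
        if set_len < 4 or end > msg_len:                   # never trust lengths from the wire
            raise ValueError("bad set length")
        pos = offset + 4
        if set_id == 2:                                    # template set
            while pos + 4 <= end:
                (tid, count), pos = struct.unpack_from("!HH", data, pos), pos + 4
                spec = []
                for _ in range(count):
                    (eid, length), pos = struct.unpack_from("!HH", data, pos), pos + 4
                    pen = 0
                    if eid & 0x8000:                       # enterprise-specific element
                        pen, pos = struct.unpack_from("!I", data, pos)[0], pos + 4
                    spec.append((pen, eid & 0x7FFF, length))
                templates[tid] = spec
        elif set_id >= 256:                                # data set
            spec = templates.get(set_id)
            if spec is None:
                raise ValueError(f"data set {set_id} arrived before its template")
            min_len = sum(1 if ln == VARIABLE else ln for _, _, ln in spec)
            while end - pos >= min_len:                    # anything shorter than a record is padding
                rec = {}
                for pen, eid, length in spec:
                    if length == VARIABLE:                 # 1-byte length, or 255 then 2-byte length
                        length, pos = data[pos], pos + 1
                        if length == 255:
                            length, pos = struct.unpack_from("!H", data, pos)[0], pos + 2
                    raw, pos = data[pos:pos + length], pos + length
                    name = ELEMENT_NAMES.get((pen, eid), f"pen{pen}_ie{eid}")
                    rec[name] = _decode(name, raw)
                records.append(rec)
        offset = end
    return records
```

The parser keeps templates per message for brevity; a real collector keys them by (exporter, observation domain ID, template ID) and keeps them across messages, which is what makes the template retransmission described in IPFIX Setup matter. The length checks on the set header are the minimum a collector exposed to untrusted exporters should do before indexing into the buffer.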

cognitix Threat Defender IPFIX Events

All events contain IANA-defined fields (see the IANA definitions) and cognitix IPFIX Enterprise Elements. See the following sections for further information on the fields used.

Common Event Fields

The following fields are used in all cognitix IPFIX events:

Property (data type):

sourceTransportPort (unsigned16)
sourceIPv4Address (ipv4Address)
destinationTransportPort (unsigned16)
destinationIPv4Address (ipv4Address)
sourceIPv6Address (ipv6Address)
destinationIPv6Address (ipv6Address)
sourceMacAddress (macAddress)
destinationMacAddress (macAddress)
octetTotalCount (unsigned64)
octetTotalCountReverse (unsigned64)
packetTotalCount (unsigned64)
packetTotalCountReverse (unsigned64)
flowId (unsigned64)
flowStartMilliseconds (dateTimeMilliseconds)
flowEndMilliseconds (dateTimeMilliseconds)
firewallEvent (unsigned8)
ingressPhysicalInterface (unsigned32)
egressPhysicalInterface (unsigned32)
cognitixSrcLocation (unsigned8)
cognitixDstLocation (unsigned8)
cognitixSrcAssetId (string)
cognitixDstAssetId (string)
cognitixUserId (string)

Message Types

Messages of the types flow-update and flow-end additionally contain the following elements:

  • firewallEvent, with a value of either 2 (flow-end) or 5 (flow-update)

  • octetDeltaCount, the number of bytes transferred from client to server

  • octetDeltaCountReverse, the number of bytes transferred from server to client

  • packetDeltaCount, the number of packets transferred from client to server

  • packetDeltaCountReverse, the number of packets transferred from server to client

Messages of the type hostname additionally contain the following element:

  • cognitixHostname, an observed domain name

Messages of the type policy-rule-matched additionally contain the following elements:

  • firewallEvent, with a value of 4 (flow-alert)

  • cognitixPolicyId

  • cognitixPolicyName

  • cognitixPolicyRuleName

  • cognitixPolicyRuleId

  • cognitixPolicyRuleAction

  • httpRequestHost

  • httpRequestTarget

Messages of the types policy-hit and policy-log additionally contain the following elements:

  • firewallEvent, with a value of 4 (flow-alert)

  • cognitixPolicyId

  • cognitixPolicyName

  • cognitixPolicyRuleName

  • cognitixPolicyRuleId

  • cognitixPolicyRuleAction

  • cognitixLogSeverity

Messages of the type ips-hit additionally contain the following elements:

  • firewallEvent, with a value of 4 (flow-alert)

  • cognitixLogSeverity

  • cognitixIPSRuleId

  • cognitixIPSRuleDescription

Messages of the type ioc-hit additionally contain the following elements:

  • firewallEvent, with a value of 4 (flow-alert)

  • cognitixLogSeverity

  • cognitixIocValueType

  • cognitixIocValue
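IPFIX itself carries no message-type element, so a collector has to infer the type of a cognitix event from firewallEvent and from which cognitix elements the record contains, following the lists above. The following is an added example, not cognitix code, of that routing, together with a consistency check for IP-typed IoC hits (the cognitixIocValue must equal the flow address it claims to match). Records are plain dicts of element name to decoded value; the sample records, rule IDs, addresses and hostname are constructed for the example, and the function names are this example's own.

```python
"""Route decoded cognitix IPFIX records by message type and sanity-check IoC hits.
Added example, not cognitix code. The type is inferred from firewallEvent and from the
cognitix elements present, as listed in Message Types; all sample records are constructed."""
from collections import Counter

FLOW_END, FLOW_ALERT, FLOW_UPDATE = 2, 4, 5      # firewallEvent values used by the spec
IOC_SOURCE_IP, IOC_DESTINATION_IP = 1, 2          # cognitixIocValueType values


def classify_event(record):
    """Return the message type name for one decoded record, or 'unknown'."""
    if "cognitixHostname" in record:                 # hostname messages carry no alert-specific fields
        return "hostname"
    fw = record.get("firewallEvent")
    if fw == FLOW_END:
        return "flow-end"
    if fw == FLOW_UPDATE:
        return "flow-update"
    if fw == FLOW_ALERT:
        if "cognitixIPSRuleId" in record:
            return "ips-hit"
        if "cognitixIocValueType" in record:
            return "ioc-hit"
        if "cognitixPolicyRuleId" in record:
            # policy-hit and policy-log carry the same elements and cannot be told apart here;
            # policy-rule-matched is the variant that lacks cognitixLogSeverity.
            if "cognitixLogSeverity" in record:
                return "policy-hit/policy-log"
            return "policy-rule-matched"
    return "unknown"


def ioc_matches_flow(record):
    """For IP-typed IoC hits, check that cognitixIocValue equals the claimed flow address.
    Returns True/False, or None for domain/URL types, which cannot be checked against the flow."""
    kind = record.get("cognitixIocValueType")
    if kind == IOC_SOURCE_IP:
        keys = ("sourceIPv4Address", "sourceIPv6Address")
    elif kind == IOC_DESTINATION_IP:
        keys = ("destinationIPv4Address", "destinationIPv6Address")
    else:
        return None
    return record.get("cognitixIocValue") in {record[k] for k in keys if k in record}


def count_by_type(records):
    """Tally message types, the first thing to look at when an export feed looks wrong."""
    return dict(Counter(classify_event(r) for r in records))


# Constructed sample records (values are made up, not captured from a device).
SAMPLE_RECORDS = [
    {"firewallEvent": 5, "octetDeltaCount": 900, "octetDeltaCountReverse": 12000},
    {"firewallEvent": 2, "octetDeltaCount": 1500, "octetDeltaCountReverse": 48000},
    {"firewallEvent": 4, "cognitixHostname": "updates.example.test"},
    {"firewallEvent": 4, "cognitixLogSeverity": 3, "cognitixIPSRuleId": 2001,
     "cognitixIPSRuleDescription": "constructed IPS rule"},
    {"firewallEvent": 4, "cognitixPolicyId": "p1", "cognitixPolicyRuleId": "r1",
     "cognitixPolicyRuleAction": 1},
    {"firewallEvent": 4, "cognitixPolicyId": "p1", "cognitixPolicyRuleId": "r1",
     "cognitixPolicyRuleAction": 1, "cognitixLogSeverity": 2},
    {"firewallEvent": 4, "sourceIPv4Address": "10.0.0.5", "destinationIPv4Address": "203.0.113.7",
     "cognitixLogSeverity": 3, "cognitixIocValueType": 2, "cognitixIocValue": "203.0.113.7"},
]

if __name__ == "__main__":
    print(count_by_type(SAMPLE_RECORDS))
    print([ioc_matches_flow(r) for r in SAMPLE_RECORDS if classify_event(r) == "ioc-hit"])
```

A record whose IoC value does not match the flow address points at a decoding problem (for example a stale template or a mismatched string length) rather than at a real hit, which is why the check sits in the ingestion path before alerts are raised.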