Event Tracking Tables

Event tracking tables (ETTs) are data buffers that store combinations of attributes. They track traffic properties in order to enable Behavior-based Correlation. Rules can be applied based on whether and how often certain properties were encountered.

ETTs track pairs of attributes of communication events across multiple traffic flows. A communication event consists of a combination of one primary attribute and several secondary attributes. Rules enter these events into the event tracking tables. Every entry in an ETT has an individual timeout. Therefore, changes can be tracked over time and the entries can be automatically removed once the timeout has elapsed. Rules can query the tables to check if certain attributes are present or count the number of attributes. Based on whether the evaluation condition is met, further rules are applied to the flow.

For example, you can check how many times a certain host was added to an ETT for TCP connection ports. If it was added 100 times to the ETT within a minute, the traffic of this host is dropped. Otherwise, it may operate without restrictions. See Creating Correlation Scenarios: Blocking TCP Port Scanners for further information. This way, attributes seen in earlier communication flows determine how later flows are handled.

Event tracking tables can track and correlate any combination of flow attribute pairs. The following attribute types are available:

  • Assets

  • Classification applications and/or protocols

  • HTTP domain names

  • HTTP URLs

  • Interfaces

  • IDS hits

  • IP addresses

  • Layer 4 ports

  • MAC addresses

  • None (used to track only one attribute instead of attribute pairs)

  • Timestamps

  • Users

  • VLAN tags

The table shows useful example combinations of attributes:

Primary Attribute Type | Secondary Attribute Type | Use
-----------------------|--------------------------|------------------------------------------------------------
IP Address             | Layer 4 port             | Stores a list of ports per IP address.
MAC Address            | Timestamp                | Counts how often a MAC address was added to an ETT.
User                   | HTTP URL                 | Shows what URLs users visited by storing a list of accessed URLs per user.
Asset                  | IDS Hit                  | Stores a list of IDS hits per asset. You can use this event tracking table to set up rules that isolate devices that exceed a certain number of IDS hits.
User                   | None                     | This ETT tracks users. You can use it to create policy rules that are based on the behavior of users.
None                   | Assets                   | You can use this ETT to count the number of assets in your system and set up rules that are triggered if a certain value is exceeded.
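The following is an added illustration, not code from the product or its documentation: a minimal Python model of an event tracking table with the properties described above (one primary attribute, secondary attributes, an individual timeout per entry, presence and count queries), together with the port-scanner scenario from the introduction applied to constructed flow records. The class and function names, the 100-entries-per-minute threshold as a rule parameter, and the sample IP addresses and ports are all assumptions made for the example; the same table also models the "MAC Address / Timestamp" combination (every add stores a distinct timestamp, so the count is the number of additions within the timeout) and the "User / None" combination (secondary attribute None).

```python
from collections import defaultdict


class EventTrackingTable:
    """Model of an ETT: a primary attribute maps to its secondary attributes,
    and every (primary, secondary) pair carries its own expiry time."""

    def __init__(self, timeout_seconds):
        self.timeout = timeout_seconds
        self._entries = defaultdict(dict)  # primary -> {secondary: expiry}

    def _purge(self, now):
        # Remove every pair whose individual timeout has elapsed.
        for primary in list(self._entries):
            pairs = self._entries[primary]
            for secondary in [s for s, expiry in pairs.items() if expiry <= now]:
                del pairs[secondary]
            if not pairs:
                del self._entries[primary]

    def add(self, primary, secondary, now):
        """Enter an event; re-adding an existing pair refreshes its timeout.
        Use secondary=None for tables that track only one attribute."""
        self._purge(now)
        self._entries[primary][secondary] = now + self.timeout

    def contains(self, primary, secondary, now):
        """Presence query: is this pair currently stored?"""
        self._purge(now)
        return secondary in self._entries.get(primary, {})

    def count(self, primary, now):
        """Count query: number of live secondary attributes for a primary."""
        self._purge(now)
        return len(self._entries.get(primary, {}))


def evaluate_tcp_flows(flows, threshold=100, timeout_seconds=60):
    """Apply an 'IP address / Layer 4 port' ETT to a sequence of flows and
    drop a source once it has reached `threshold` distinct destination ports
    within the table timeout (the blocking-TCP-port-scanners scenario).

    flows: iterable of (timestamp, source_ip, destination_port), time-ordered.
    Returns the verdict ('allow' or 'drop') for each flow, in order.
    """
    table = EventTrackingTable(timeout_seconds)
    verdicts = []
    for ts, src_ip, dst_port in flows:
        table.add(src_ip, dst_port, ts)       # rule enters the event
        hits = table.count(src_ip, ts)        # rule queries the table
        verdicts.append("drop" if hits >= threshold else "allow")
    return verdicts


def demo():
    """Constructed flow records (not captured traffic): 10.0.0.5 sweeps 120
    ports in 36 seconds, 10.0.0.9 repeatedly talks to port 443, and 10.0.0.5
    reappears after its entries have timed out."""
    scanner = [(0.3 * i, "10.0.0.5", 1000 + i) for i in range(120)]
    normal = [(1.0 * i, "10.0.0.9", 443) for i in range(120)]
    flows = sorted(scanner + normal + [(200.0, "10.0.0.5", 22)])
    verdicts = evaluate_tcp_flows(flows)

    by_host = defaultdict(list)
    for (_, ip, _), verdict in zip(flows, verdicts):
        by_host[ip].append(verdict)
    return {
        "scanner_dropped": by_host["10.0.0.5"][:120].count("drop"),
        "normal_dropped": by_host["10.0.0.9"].count("drop"),
        "scanner_after_timeout": by_host["10.0.0.5"][-1],
    }


if __name__ == "__main__":
    print(demo())
```

In the constructed run the sweeping host is allowed for its first 99 ports and dropped from the 100th distinct port on, the host that only ever hits port 443 is never dropped (its count stays at 1, because re-adding the same pair only refreshes the timeout), and the sweeping host is allowed again at t=200 s because all of its entries expired 60 seconds after they were added.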


Additional References: