IPFIX Specification

This specification defines all generic and cognitix-specific events.

IPFIX Setup

The IPFIX interface is based on IETF RFC 7011. It also uses bidirectional reporting as described in RFC 5103 (especially sections 5 and 6.3).

Additionally, cognitix defines and uses its own elements for specific fields.

The implementation uses TCP for reliable transmission. UDP is also supported for IPFIX channels.

The data source sends all IPFIX templates on demand, just before a message using the template is sent. Templates are resent after a certain time has passed since the last template was sent.

IPFIX Records

The cognitix IPFIX templates use preassigned IANA elements where possible. The data types follow RFC 7102. For the definitions of the IANA information elements used by cognitix, see the IANA table.

Note

sourceIPv4Address/sourceIPv6Address and destinationIPv4Address/destinationIPv6Address describe the outermost IP addresses of an observed flow.

Fields not provided by IPFIX are described using custom fields with the cognitix IPFIX Private Enterprise Number (PEN 45480).

cognitix IPFIX Enterprise Elements

The cognitix IANA number (PEN 45480) defines the following new enterprise elements:

| Property | Enterprise Field ID | Data type | Description |
|---|---|---|---|
| cognitixDpiProtocol | 10 | unsigned16 | This field describes the protocol of the flow as detected by the DPI engine. |
| cognitixDpiApplication | 11 | unsigned16 | This field describes the application of the flow as detected by the DPI engine. |
| cognitixDpiSrcOS | 12 | unsigned16 | This field describes the operating system of the source host as fingerprinted by the DPI engine. |
| cognitixDpiClassification | 13 | unsigned32 | This field contains the combined values of the protocol and application of the flow as detected by the DPI engine. It represents the DPI classification of the cleartext message. The combined value is calculated as applicationID * 10,000 + protocolID. |
| cognitixDpiInSslClassification | 14 | unsigned32 | This field contains the combined values of the protocol and application of the flow as detected by the DPI engine. It represents the DPI classification of the SSL-encrypted message in case of SSL interception (otherwise it is 0). The combined value is calculated as applicationID * 10,000 + protocolID. Note that this value is deprecated as SSL encryption is no longer used. |
| cognitixCountrySource | 20 | string | This field contains the 2-byte ISO 3166 country code of the flow source as detected by the GeoIP engine. If no country code could be detected, this field contains ZZ, which denotes a private IP address range. |
| cognitixCountryDestination | 21 | string | This field contains the 2-byte ISO 3166 country code of the flow destination as detected by the GeoIP engine. If no country code could be detected, this field contains ZZ, which denotes a private IP address range. |
| cognitixPolicyRuleId | 30 | string | The policy rule ID string states the internal unique ID of the policy rule that matched for a given flow. |
| cognitixIPSRuleId | 31 | unsigned32 | The IPS rule ID indicates which IPS rule matched for the given flow. If it is 0, no IPS rule was hit. |
| cognitixIPSRuleDescription | 38 | string | The IPS rule description matching the IPS rule ID. |
| cognitixPolicyRuleName | 32 | string | The policy rule name (variable-length string) states the user-defined name of the policy rule that matched for a flow. |
| cognitixPolicyRuleAction | 33 | unsigned8 | The type of policy rule action: 0 = no action, 1 = drop, 2 = allow, 3 = tear down (reject), 4 = redirect. |
| cognitixPolicyId | 34 | string | The ID (variable-length string) of the policy that was hit. |
| cognitixPolicyName | 35 | string | The name (variable-length string) of the policy that was hit. |
| cognitixLogSeverity | 36 | unsigned8 | The log severity gives the severity level defined for the reported event: 0 = notice, 1 = low, 2 = medium, 3 = high. |
| cognitixScenarioHit | 37 | unsigned8 | The scenario hit flag indicates a triggered scenario. |
| cognitixUrl | 50 | string | The hostname of the observed URL of an HTTP request, as a variable-length string, that has been classified by the URL filter engine. |
| cognitixUrlCategory | 51 | unsigned16 | The most significant category ID of a URL classified by the URL filter engine. Obsolete. |
| cognitixUrlReputation | 52 | unsigned16 | The most significant reputation ID of a URL classified by the URL filter engine (obsolete). The URL reputation can be: 0 = disable, 1 = unknown, 2 = low risk, 3 = medium risk, 4 = high risk. |
| cognitixFileTransferFilename | 60 | string | The observed file name (variable-length string) of a file transfer. |
| cognitixIocFeedId | 70 | unsigned16 | The ID of the hit IOC feed. Obsolete. |
| cognitixIocIPv4 | 71 | unsigned32 | The hit IOC IPv4. Obsolete. |
| cognitixIocDomain | 72 | string | The hit IOC domain. Obsolete. |
| cognitixIocUrl | 73 | unsigned32 | The hit IOC URL. Obsolete. |
| cognitixIocFeedName | 74 | string | The name of a hit IOC feed. |
| cognitixIocValueType | 75 | unsigned8 | The match type that hit an IOC feed: 0 = none, 1 = source IP, 2 = destination IP, 3 = domain name, 4 = URL. |
| cognitixIocValue | 76 | string | The string representation of the IOC value that was hit. Its type is given in the cognitixIocValueType field. |
| cognitixSrcLocation | 80 | unsigned8 | Location of the source host as determined by the NetworkObject matching: 0 = internal, 1 = external. |
| cognitixDstLocation | 81 | unsigned8 | Location of the destination host as determined by the NetworkObject matching: 0 = internal, 1 = external. |
| cognitixSrcAssetId | 90 | string | The internal ID of the source asset. |
| cognitixDstAssetId | 91 | string | The internal ID of the destination asset. |
| cognitixUserId | 92 | string | The internal ID of the user associated with the source asset. |
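The following is an added example, not cognitix code, showing how the enterprise elements above appear on the wire under RFC 7011: a template record flags each cognitix field with the enterprise bit (0x8000) in the element ID and appends PEN 45480, a string field is declared with length 65535 and carried with a variable-length prefix in the data record, and the combined cognitixDpiClassification value is split back into application and protocol IDs. The IANA element numbers 233 (firewallEvents) and 8 (sourceIPv4Address) come from the IANA registry; the template ID 256, the field selection and all values in SAMPLE are constructed for the example. It encodes one message with a Template Set and a Data Set and parses it back, which is the minimum a collector for these events has to do.

```python
"""Added example (not cognitix code): build and parse an IPFIX message (RFC 7011)
whose template mixes IANA elements with cognitix enterprise elements (PEN 45480)."""
import struct
from ipaddress import IPv4Address

COGNITIX_PEN = 45480
ENTERPRISE_BIT = 0x8000  # set in the element ID of an enterprise-specific field
VARLEN = 0xFFFF          # template length meaning "variable-length field"
TEMPLATE_ID = 256        # 256 is the first ID available for data templates
# (name, element ID, PEN or None for IANA, length, decoder kind); IANA: firewallEvents=233, sourceIPv4Address=8
FIELDS = [
    ("firewallEvents", 233, None, 1, "uint"),
    ("sourceIPv4Address", 8, None, 4, "ipv4"),
    ("cognitixDpiClassification", 13, COGNITIX_PEN, 4, "uint"),
    ("cognitixPolicyRuleAction", 33, COGNITIX_PEN, 1, "uint"),
    ("cognitixPolicyRuleName", 32, COGNITIX_PEN, VARLEN, "string"),
]
NAMES = {(eid, pen): (name, kind) for name, eid, pen, _, kind in FIELDS}

def encode_template_set(template_id, fields):
    """Template Set (Set ID 2); enterprise fields set the enterprise bit and append the PEN."""
    body = struct.pack("!HH", template_id, len(fields))
    for _, eid, pen, length, _ in fields:
        body += (struct.pack("!HH", eid, length) if pen is None
                 else struct.pack("!HHI", eid | ENTERPRISE_BIT, length, pen))
    return struct.pack("!HH", 2, 4 + len(body)) + body

def encode_value(kind, length, value):
    if kind == "string":  # variable length: 1-octet length, or 0xFF plus a 2-octet length
        raw = value.encode()
        return (struct.pack("!B", len(raw)) if len(raw) < 255 else struct.pack("!BH", 255, len(raw))) + raw
    if kind == "ipv4":
        return IPv4Address(value).packed
    return int(value).to_bytes(length, "big")

def encode_data_set(template_id, fields, records):
    body = b"".join(encode_value(kind, length, rec[name])  # Set ID of a Data Set is the template ID
                    for rec in records for name, _, _, length, kind in fields)
    return struct.pack("!HH", template_id, 4 + len(body)) + body

def encode_message(sets, export_time=0, sequence=0, domain_id=1):
    payload = b"".join(sets)  # header: version 10, length, export time, sequence, observation domain
    return struct.pack("!HHIII", 10, 16 + len(payload), export_time, sequence, domain_id) + payload

def parse_templates(body, templates):
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        spec = []
        for _ in range(count):
            eid, length = struct.unpack("!HH", body[pos:pos + 4]); pos += 4; pen = None
            if eid & ENTERPRISE_BIT:
                pen = struct.unpack("!I", body[pos:pos + 4])[0]; pos += 4
                eid &= 0x7FFF
            spec.append((eid, pen, length))
        templates[tid] = spec

def parse_records(body, spec):
    min_len = sum(1 if length == VARLEN else length for _, _, length in spec)
    pos, out = 0, []
    while len(body) - pos >= min_len:  # a tail shorter than one record is padding
        rec = {}
        for eid, pen, length in spec:
            if length == VARLEN:
                length = body[pos]; pos += 1
                if length == 255:
                    length = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
            raw, pos = body[pos:pos + length], pos + length
            name, kind = NAMES.get((eid, pen), (f"ie{eid}@{pen}", "uint"))
            rec[name] = (raw.decode() if kind == "string" else str(IPv4Address(raw))
                         if kind == "ipv4" else int.from_bytes(raw, "big"))
        out.append(rec)
    return out

def parse_message(data):
    version, length = struct.unpack("!HH", data[:4])
    if version != 10 or length != len(data): raise ValueError("not a complete IPFIX message")
    templates, records, pos = {}, [], 16
    while pos < length:
        set_id, set_len = struct.unpack("!HH", data[pos:pos + 4])
        if set_len < 4: raise ValueError("malformed set header")
        body, pos = data[pos + 4:pos + set_len], pos + set_len
        if set_id == 2:
            parse_templates(body, templates)
        elif set_id >= 256:  # KeyError here means the template has not been received yet
            records.extend(parse_records(body, templates[set_id]))
    return records

def split_classification(value):
    """cognitixDpiClassification = applicationID * 10,000 + protocolID -> (applicationID, protocolID)."""
    return divmod(value, 10000)

SAMPLE = [{"firewallEvents": 4, "sourceIPv4Address": "192.0.2.10", "cognitixDpiClassification": 12 * 10000 + 7,
           "cognitixPolicyRuleAction": 1, "cognitixPolicyRuleName": "block-c2-egress"}]  # constructed

def roundtrip(records=SAMPLE):
    message = encode_message([encode_template_set(TEMPLATE_ID, FIELDS),
                              encode_data_set(TEMPLATE_ID, FIELDS, records)])
    return parse_message(message)
```

Calling `roundtrip()` returns the SAMPLE record decoded from the wire format. The padding check in `parse_records` matters in practice: exporters may pad a Data Set to a 4-octet boundary, and a parser that simply loops while bytes remain would misread the padding as a truncated record. Reverse-direction counters (RFC 5103) use the same element IDs under the reverse PEN 29305 and would be declared in the template in the same way as the cognitix fields.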

cognitix Threat Defender IPFIX Events

cognitix Threat Defender generates several reporting events that are distributed via IPFIX:

| IPFIX Event | Description |
|---|---|
| Flow Start | Reports the beginning of a new flow with its initial counters and values. |
| Flow Keepalive | Reports a flow status update with its current counters and updated values. This event is sent at one-second intervals for every flow. |
| Flow End | Reports the end of a flow with its final counters, values and any additional information, if available. |
| Log | Reports a hit of a policy rule with activated log action. It contains as much content for that hit as possible. |
| URL Classification | Reports a hit of the URL classification engine with its analyzed values. |
| IPS Hit | Reports a rule hit of the IPS engine. Deprecated. |

All events contain IANA-defined fields (see the IANA definitions) and cognitix IPFIX Enterprise Elements. See the following sections for further information on the fields used.

Common Event Fields

The following fields are used in all cognitix IPFIX events:

| Property | Data Type |
|---|---|
| octetDeltaCount | unsigned64 |
| octetDeltaCountReverse | unsigned64 |
| packetDeltaCount | unsigned64 |
| packetDeltaCountReverse | unsigned64 |
| sourceTransportPort | unsigned16 |
| sourceIPv4Address | ipv4Address |
| destinationTransportPort | unsigned16 |
| destinationIPv4Address | ipv4Address |
| sourceIPv6Address | ipv6Address |
| destinationIPv6Address | ipv6Address |
| sourceMacAddress | macAddress |
| destinationMacAddress | macAddress |
| octetTotalCount | unsigned64 |
| octetTotalCountReverse | unsigned64 |
| packetTotalCount | unsigned64 |
| packetTotalCountReverse | unsigned64 |
| flowId | unsigned64 |
| flowStartMilliseconds | dateTimeMilliseconds |
| flowEndMilliseconds | dateTimeMilliseconds |
| firewallEvents | unsigned8 |
| ingressPhysicalInterface | unsigned32 |
| egressPhysicalInterface | unsigned32 |
| cognitixSrcLocation | unsigned8 |
| cognitixDstLocation | unsigned8 |
| cognitixSrcAssetId | string |
| cognitixDstAssetId | string |
| cognitixUserId | string |

Policy Rule Match Field

This field reports a list of all detected rule matches per flow.

| Property | Data Type | Description |
|---|---|---|
| basicList | basicList | Contains a list of cognitixPolicyRuleId fields with a Structured Data Type Semantics of allOf, representing all policy matches of this flow that occurred since the last policy rule match report. |

Log Action Fields

The rule log action event consists of the following fields:

| Property | Data Type |
|---|---|
| cognitixPolicyId | string |
| cognitixPolicyName | string |
| cognitixPolicyRuleId | string |
| cognitixPolicyRuleName | string |
| cognitixPolicyRuleAction | unsigned8 |
| cognitixLogSeverity | unsigned8 |
| cognitixIocFeedName | string |
| cognitixIocValueType | unsigned8 |
| cognitixIocValue | string |
| httpRequestHost | string |
| httpRequestTarget | string |

URL Classification Fields

The URL classification event consists of the following fields:

| Property | Data Type |
|---|---|
| cognitixUrl | string |
| cognitixUrlCategory | unsigned16 |
| cognitixUrlReputation | unsigned16 |

IPS Rule Hit Field

The IPS rule hit event consists of the following field:

| Property | Data Type |
|---|---|
| cognitixIPSRuleId | unsigned32 |

IPFIX Event Content

All IPFIX events contain a specific firewallEvents value and the following fields:

| IPFIX Event | Firewall Event Value | Fields |
|---|---|---|
| Flow Start | 1 (Flow Create) | Common fields, policy rule match field |
| Flow Keepalive | 5 (Flow Update) | Common fields, policy rule match field |
| Flow End | 2 (Flow Delete) | Common fields, policy rule match field |
| Log | 4 (Flow Alert) | Common fields, log action fields |
| URL Classification | 5 (Flow Update) | Common fields, URL classification fields |
| IPS Hit | 5 (Flow Update) | Common fields, IPS rule hit field |
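The table shows that Flow Keepalive, URL Classification and IPS Hit all carry firewallEvents value 5, so a collector cannot classify a record by that value alone. The added example below (not cognitix code) classifies decoded records by the firewallEvents value plus the event-specific fields that are present, checks that the fields the event type requires are there, and derives the values a detection rule would key on: bidirectional byte and packet totals, flow duration, and the decoded action and severity names of a Log event. It assumes the collector hands over records as dicts keyed by IE name; the sample records are constructed.

```python
"""Added example (not cognitix code): classify decoded cognitix IPFIX records
into the event types of the table above. Sample records are constructed."""

# firewallEvents values stated in the event content table
FLOW_CREATE, FLOW_DELETE, FLOW_ALERT, FLOW_UPDATE = 1, 2, 4, 5
# enumerations from the enterprise element table
ACTIONS = {0: "no action", 1: "drop", 2: "allow", 3: "tear down (reject)", 4: "redirect"}
SEVERITIES = {0: "notice", 1: "low", 2: "medium", 3: "high"}
# event-specific field sets; used to tell the three "Flow Update" events apart
LOG_ACTION_FIELDS = {"cognitixPolicyId", "cognitixPolicyName", "cognitixPolicyRuleId",
                     "cognitixPolicyRuleName", "cognitixPolicyRuleAction", "cognitixLogSeverity"}
URL_FIELDS = {"cognitixUrl", "cognitixUrlCategory", "cognitixUrlReputation"}
IPS_FIELDS = {"cognitixIPSRuleId"}
# subset of the common fields every record is expected to carry (assumption for the check)
COMMON_MIN = {"firewallEvents", "flowId", "octetDeltaCount", "octetDeltaCountReverse",
              "packetDeltaCount", "packetDeltaCountReverse"}
REQUIRED = {"Log": LOG_ACTION_FIELDS, "URL Classification": URL_FIELDS, "IPS Hit": IPS_FIELDS}

def classify_event(record):
    """Return the event name; raise ValueError for a firewallEvents value the table does not list."""
    value, present = record.get("firewallEvents"), set(record)
    if value == FLOW_CREATE:
        return "Flow Start"
    if value == FLOW_DELETE:
        return "Flow End"
    if value == FLOW_ALERT:
        return "Log"
    if value == FLOW_UPDATE:  # shared value: decide by the type-specific fields present
        if present & URL_FIELDS:
            return "URL Classification"
        if present & IPS_FIELDS:
            return "IPS Hit"
        return "Flow Keepalive"
    raise ValueError(f"unknown firewallEvents value {value!r}")

def missing_fields(record):
    """Fields the event type needs (common minimum plus type-specific set) that the record lacks."""
    event = classify_event(record)
    return sorted((COMMON_MIN | REQUIRED.get(event, set())) - set(record))

def summarize(record):
    """Flatten a record into the values a detection rule would key on."""
    event = classify_event(record)
    out = {
        "event": event,
        "flowId": record.get("flowId"),
        # RFC 5103 bidirectional counters: forward plus reverse direction
        "bytes_total": record.get("octetDeltaCount", 0) + record.get("octetDeltaCountReverse", 0),
        "packets_total": record.get("packetDeltaCount", 0) + record.get("packetDeltaCountReverse", 0),
    }
    if "flowStartMilliseconds" in record and "flowEndMilliseconds" in record:
        out["duration_ms"] = record["flowEndMilliseconds"] - record["flowStartMilliseconds"]
    if event == "Log":
        out["action"] = ACTIONS.get(record.get("cognitixPolicyRuleAction"), "unknown")
        out["severity"] = SEVERITIES.get(record.get("cognitixLogSeverity"), "unknown")
        out["ioc"] = record.get("cognitixIocValue")
    return out

# constructed sample records
SAMPLE_LOG = {
    "firewallEvents": 4, "flowId": 4242, "octetDeltaCount": 1200, "octetDeltaCountReverse": 300,
    "packetDeltaCount": 10, "packetDeltaCountReverse": 4,
    "flowStartMilliseconds": 1700000000000, "flowEndMilliseconds": 1700000002500,
    "cognitixPolicyId": "p1", "cognitixPolicyName": "egress", "cognitixPolicyRuleId": "r7",
    "cognitixPolicyRuleName": "block-ioc", "cognitixPolicyRuleAction": 1, "cognitixLogSeverity": 3,
    "cognitixIocFeedName": "sample-feed", "cognitixIocValueType": 3, "cognitixIocValue": "ioc.example",
}
SAMPLE_URL = {"firewallEvents": 5, "flowId": 7, "cognitixUrl": "www.example.com",
              "cognitixUrlCategory": 12, "cognitixUrlReputation": 2}
SAMPLE_KEEPALIVE = {"firewallEvents": 5, "flowId": 7, "octetDeltaCount": 0, "octetDeltaCountReverse": 0,
                    "packetDeltaCount": 0, "packetDeltaCountReverse": 0}
```

`summarize(SAMPLE_LOG)` yields a drop with severity high, 1500 bytes over a 2500 ms flow; `missing_fields(SAMPLE_URL)` reports the counters that constructed record leaves out, which is the kind of check to run when a template change on the exporter side silently drops fields.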