IPFIX Specification

This specification defines all generic and cognitix-specific events.

IPFIX Setup

The IPFIX interface is based on IETF RFC 7011. It also uses bidirectional reporting as described in RFC 5103 (esp. sections 5 and 6.3).

Additionally, cognitix defines and uses its own enterprise-specific elements for fields that have no IANA-assigned information element.

The implementation uses TCP as transport for reliable, in-order delivery of the export stream. UDP and SCTP are not supported.

The exporter sends an IPFIX template on demand, i.e. immediately before the first message that carries data records using that template. All templates are re-sent once a refresh interval has elapsed since the last template was sent, so a collector must cache templates per observation domain and template ID and can only decode data sets whose template it has already received.

IPFIX Records

The cognitix IPFIX templates use IANA-assigned information elements wherever one exists. The data types follow the IPFIX information model in RFC 7012.
For the definitions of the IANA information elements used by cognitix, see the IANA table (the IPFIX Information Elements registry).

sourceIPv4Address/sourceIPv6Address and destinationIPv4Address/destinationIPv6Address describe the outermost IP addresses of an observed flow.

Fields not covered by an IANA-assigned information element are exported as enterprise-specific elements under the cognitix Private Enterprise Number (PEN 45480).

cognitix IPFIX Enterprise Elements

The cognitix Private Enterprise Number (PEN 45480) defines the following enterprise-specific elements:

Property | Enterprise Field ID | Data type | Description
cognitixDpiProtocol | 10 | unsigned16 | The protocol of the flow as detected by the DPI engine.
cognitixDpiApplication | 11 | unsigned16 | The application of the flow as detected by the DPI engine.
cognitixDpiSrcOS | 12 | unsigned16 | The operating system of the source host as fingerprinted by the DPI engine.
cognitixDpiClassification | 13 | unsigned32 | The combined protocol and application of the flow as detected by the DPI engine, i.e. the DPI classification of the cleartext traffic. The combined value is calculated as applicationID * 10,000 + protocolID.
cognitixDpiInSslClassification | 14 | unsigned32 | The combined protocol and application of the flow as detected by the DPI engine inside the SSL-encrypted traffic in case of SSL interception (otherwise 0), calculated as applicationID * 10,000 + protocolID. This field is deprecated because SSL interception is no longer used.
cognitixCountrySource | 20 | string | The two-letter ISO 3166-1 alpha-2 country code of the flow source as determined by the GeoIP engine. If no country could be determined, the field contains ZZ, the code cognitix uses for private IP address ranges.
cognitixCountryDestination | 21 | string | The two-letter ISO 3166-1 alpha-2 country code of the flow destination as determined by the GeoIP engine. If no country could be determined, the field contains ZZ, the code cognitix uses for private IP address ranges.
cognitixPolicyRuleId | 30 | string | The internal unique ID of the policy rule that matched the given flow, as a variable-length string.
cognitixIPSRuleId | 31 | unsigned32 | The ID of the IPS rule that matched the given flow.
cognitixPolicyRuleName | 32 | string | The user-defined name of the policy rule that matched the given flow, as a variable-length string.
cognitixPolicyRuleAction | 33 | unsigned8 | The type of policy rule action. It can be:
  • 0 = no action
  • 1 = drop
  • 2 = allow
  • 3 = tear down (reject)
  • 4 = redirect
cognitixPolicyId | 34 | string | The ID of the policy that was hit, as a variable-length string.
cognitixPolicyName | 35 | string | The name of the policy that was hit, as a variable-length string.
cognitixLogSeverity | 36 | unsigned8 | The severity level configured for the log action that produced the event. It can be:
  • 0 = notice
  • 1 = low
  • 2 = medium
  • 3 = high
cognitixUrl | 50 | string | The hostname of the URL of an observed HTTP request, as a variable-length string, as classified by the URL filter engine.
cognitixUrlCategory | 51 | unsigned16 | The most significant category ID assigned to the URL by the URL filter engine.
cognitixUrlReputation | 52 | unsigned16 | The most significant reputation ID assigned to the URL by the URL filter engine. The URL reputation can be:
  • 0 = disable
  • 1 = unknown
  • 2 = low risk
  • 3 = medium risk
  • 4 = high risk
cognitixFileTransferFilename | 60 | string | The observed file name of a file transfer, as a variable-length string.
cognitixIocFeedId | 70 | unsigned16 | The ID of the IOC feed that was hit.
cognitixIocFeedName | 74 | string | The name of the IOC feed that was hit.
cognitixIocValueType | 75 | unsigned8 | The type of value that matched the IOC feed. It can be:
  • 0 = none
  • 1 = source IP
  • 2 = destination IP
  • 3 = domain name
  • 4 = URL
cognitixIocValue | 76 | string | The string representation of the IOC value that was hit. Its type is given in the cognitixIocValueType field.
cognitixSrcLocation | 80 | unsigned8 | Location of the source host as determined by NetworkObject matching. Values are:
  • 0 = internal
  • 1 = external
cognitixDstLocation | 81 | unsigned8 | Location of the destination host as determined by NetworkObject matching. Values are:
  • 0 = internal
  • 1 = external
cognitixSrcAssetId | 90 | string | The internal ID of the source asset.
cognitixDstAssetId | 91 | string | The internal ID of the destination asset.
cognitixUserId | 92 | string | The internal ID of the user associated with the source asset.
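The wire encoding behind the element table above, as an added example that is not part of the cognitix specification or product: a small Python collector that builds a constructed IPFIX message (one template set defining a template that mixes an IANA element, an RFC 5103 reverse counter and cognitix enterprise elements, followed by one Flow End data record), caches templates per observation domain and template ID as the template refresh behaviour in IPFIX Setup requires, decodes the enterprise bit and the PEN that follows it, reads the variable-length encoding used for string elements, and splits cognitixDpiClassification back into its application and protocol IDs. Template ID 256, the counters, the rule ID "rule-42" and the export time are made-up sample values; the element IDs, names and the PEN come from this page, the IANA registry and RFC 5103.

```python
import struct

# 45480 is the cognitix PEN given on this page; 29305 is the IANA "reverse"
# PEN that RFC 5103 uses for the *Reverse counters in the common fields.
PEN_COGNITIX = 45480
PEN_REVERSE = 29305
ENTERPRISE_BIT = 0x8000
VARLEN = 0xFFFF   # template length meaning "variable-length element" (RFC 7011 sec. 7)

# (element ID, PEN) -> name, for the elements this example uses (names from this page).
NAMES = {
    (1, 0): "octetDeltaCount", (1, PEN_REVERSE): "octetDeltaCountReverse",
    (233, 0): "firewallEvents", (13, PEN_COGNITIX): "cognitixDpiClassification",
    (33, PEN_COGNITIX): "cognitixPolicyRuleAction", (30, PEN_COGNITIX): "cognitixPolicyRuleId",
}

def field(ie, length, pen=0):
    # Template field specifier: enterprise elements set bit 15 and append the PEN.
    if pen:
        return struct.pack("!HHI", ie | ENTERPRISE_BIT, length, pen)
    return struct.pack("!HH", ie, length)

def build_sample_message(include_template=True):
    """Constructed exporter output (not captured from a device): template set + one Flow End record."""
    template = struct.pack("!HH", 256, 6) + b"".join([
        field(1, 8), field(1, 8, PEN_REVERSE), field(233, 1),
        field(13, 4, PEN_COGNITIX), field(33, 1, PEN_COGNITIX),
        field(30, VARLEN, PEN_COGNITIX),
    ])
    template_set = struct.pack("!HH", 2, 4 + len(template)) + template
    rule_id = b"rule-42"                                # hypothetical rule ID
    record = (struct.pack("!QQB", 1500, 64000, 2)      # fwd/rev octets, 2 = Flow Delete
              + struct.pack("!I", 7 * 10000 + 3)       # applicationID 7, protocolID 3
              + struct.pack("!B", 2)                   # rule action 2 = allow
              + bytes([len(rule_id)]) + rule_id)       # variable-length string
    data_set = struct.pack("!HH", 256, 4 + len(record)) + record
    body = (template_set if include_template else b"") + data_set
    header = struct.pack("!HHIII", 10, 16 + len(body), 1700000000, 1, 1)
    return header + body

def parse_message(data, templates):
    """Parse one IPFIX message; `templates` is the collector cache keyed by (domain ID, template ID)."""
    version, length, _time, _seq, domain = struct.unpack_from("!HHIII", data, 0)
    if version != 10 or length != len(data):
        raise ValueError("malformed IPFIX message header")
    records, off = [], 16
    while off + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", data, off)
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body, off = data[off + 4:off + set_len], off + set_len
        if set_id == 2:                                 # template set
            parse_template_set(body, domain, templates)
        elif set_id >= 256 and (domain, set_id) in templates:
            records += parse_data_set(body, templates[(domain, set_id)])
        # A data set whose template has not arrived yet is skipped, not guessed at:
        # the exporter re-sends its templates after the refresh interval.
    return records

def parse_template_set(body, domain, templates):
    off = 0
    while off + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, off)
        off += 4
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, off)
            off += 4
            pen = 0
            if ie & ENTERPRISE_BIT:                     # the PEN follows the specifier
                pen = struct.unpack_from("!I", body, off)[0]
                off += 4
            fields.append((ie & 0x7FFF, pen, flen))
        templates[(domain, tid)] = fields

def parse_data_set(body, fields):
    records, off = [], 0
    min_len = sum(1 if flen == VARLEN else flen for _, _, flen in fields)
    while off + min_len <= len(body):                  # a shorter remainder is padding
        rec = {}
        for ie, pen, flen in fields:
            n = flen
            if flen == VARLEN:    # 1-byte length, or 0xFF followed by a 2-byte length
                n = body[off]
                off += 1
                if n == 255:
                    n = struct.unpack_from("!H", body, off)[0]
                    off += 2
            if off + n > len(body):
                raise ValueError("element runs past the end of the set")
            raw = body[off:off + n]
            # The only variable-length elements on this page are strings.
            rec[NAMES.get((ie, pen), f"ie{ie}@pen{pen}")] = raw.decode() if flen == VARLEN else int.from_bytes(raw, "big")
            off += n
        records.append(rec)
    return records

def split_classification(value):
    """Invert applicationID * 10,000 + protocolID from the element table."""
    return divmod(value, 10000)   # (applicationID, protocolID)
```

Feeding build_sample_message() to parse_message() with an empty cache yields one record with firewallEvents 2, octetDeltaCount 1500, octetDeltaCountReverse 64000, cognitixPolicyRuleId "rule-42" and a classification that split_classification() turns back into (7, 3). Feeding the same record without its template set yields nothing until the template has been seen, which is the correct collector behaviour given the on-demand template delivery and refresh described above: never decode a data set against a guessed layout.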

cognitix Threat Defender IPFIX Events

cognitix Threat Defender generates the following reporting events, which are distributed via IPFIX:

IPFIX Event | Description
Flow Start | Reports the beginning of a new flow with its initial counters and values.
Flow Keepalive | Reports a flow status update with its current counters and updated values. This event is sent at one-second intervals for every active flow.
Flow End | Reports the end of a flow with its final counters and values and, if available, any additional information.
Log | Reports a hit of a policy rule whose log action is enabled. It contains as much context for that hit as is available.
URL Classification | Reports a hit of the URL classification engine with the values it derived.
IPS Hit | Reports a rule hit of the IPS engine.

All events contain IANA-defined fields (see the IANA definitions) and enterprise elements. See the following sections for further information on the fields used.

Common Event Fields

The following fields are present in all cognitix IPFIX events:

Property | Data Type
octetDeltaCount | unsigned64
octetDeltaCountReverse | unsigned64
packetDeltaCount | unsigned64
packetDeltaCountReverse | unsigned64
sourceTransportPort | unsigned16
sourceIPv4Address | ipv4Address
destinationTransportPort | unsigned16
destinationIPv4Address | ipv4Address
sourceIPv6Address | ipv6Address
destinationIPv6Address | ipv6Address
sourceMacAddress | macAddress
destinationMacAddress | macAddress
octetTotalCount | unsigned64
octetTotalCountReverse | unsigned64
packetTotalCount | unsigned64
packetTotalCountReverse | unsigned64
flowId | unsigned64
flowStartMilliseconds | dateTimeMilliseconds
flowEndMilliseconds | dateTimeMilliseconds
firewallEvents | unsigned8
ingressPhysicalInterface | unsigned32
egressPhysicalInterface | unsigned32

Policy Rule Match Field

This field reports the list of all policy rule matches detected for a flow.

Property | Data Type | Description
basicList | basicList | A structured-data list (RFC 6313) of cognitixPolicyRuleId elements with the semantic allOf, containing every policy rule match for this flow that occurred since the previous policy rule match report.
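How that basicList is laid out on the wire, and what the "since the previous report" semantic means for a collector, as an added example written for this page (not cognitix code): the list content follows the RFC 6313 basicList layout (semantic byte, field ID with the enterprise bit, element length 0xFFFF for variable-length elements, the PEN, then the elements), and a small tracker unions the rule IDs reported across a flow's Flow Start, Flow Keepalive and Flow End events, returning the complete list only on Flow End. The decoder operates on the list content after the data-record parser has stripped the outer variable-length prefix of the basicList element. The rule IDs r1/r2 and flowId 7 are constructed sample values.

```python
import struct

PEN_COGNITIX = 45480          # cognitix PEN from the element table on this page
IE_POLICY_RULE_ID = 30        # cognitixPolicyRuleId, enterprise field ID 30
FLOW_DELETE = 2               # firewallEvents value carried by a Flow End event
# Structured data semantics from RFC 6313 and the IANA registry.
SEMANTICS = {0: "noneOf", 1: "exactlyOneOf", 2: "oneOrMoreOf",
             3: "allOf", 4: "ordered", 255: "undefined"}

def build_basic_list(rule_ids, semantic=3):
    """Constructed basicList content (RFC 6313 sec. 4.5.1): semantic byte, field ID
    with the enterprise bit set, element length 0xFFFF (variable), the PEN, then
    each rule ID as a variable-length string (sample IDs are under 255 bytes)."""
    header = struct.pack("!BHHI", semantic, IE_POLICY_RULE_ID | 0x8000, 0xFFFF, PEN_COGNITIX)
    return header + b"".join(bytes([len(r)]) + r.encode() for r in rule_ids)

def decode_basic_list(raw):
    """Return (semantic name, element ID, PEN, [values]) from basicList content."""
    semantic, ie, elen = struct.unpack_from("!BHH", raw, 0)
    off, pen = 5, 0
    if ie & 0x8000:                                    # enterprise element: PEN follows
        pen = struct.unpack_from("!I", raw, off)[0]
        off += 4
        ie &= 0x7FFF
    values = []
    while off < len(raw):
        n = elen
        if elen == 0xFFFF:        # per-element length: 1 byte, or 0xFF + 2 bytes
            n = raw[off]
            off += 1
            if n == 255:
                n = struct.unpack_from("!H", raw, off)[0]
                off += 2
        if off + n > len(raw):
            raise ValueError("basicList element runs past the end of the list")
        values.append(raw[off:off + n].decode())       # cognitixPolicyRuleId is a string
        off += n
    return SEMANTICS.get(semantic, "unknown"), ie, pen, values

class FlowRuleTracker:
    """Accumulate policy rule matches per flowId across Flow Start, Keepalive and
    End reports, because each report lists only the matches since the last one."""

    def __init__(self):
        self.pending = {}

    def report(self, flow_id, firewall_event, basic_list_raw):
        semantic, ie, pen, ids = decode_basic_list(basic_list_raw)
        if (ie, pen) != (IE_POLICY_RULE_ID, PEN_COGNITIX) or semantic != "allOf":
            raise ValueError("unexpected basicList contents")
        seen = self.pending.setdefault(flow_id, [])
        for rule_id in ids:                            # keep first-seen order, no duplicates
            if rule_id not in seen:
                seen.append(rule_id)
        if firewall_event == FLOW_DELETE:              # final report: the complete match list
            return self.pending.pop(flow_id)
        return None
```

A Keepalive whose list is empty therefore means "no new matches since the last report", not "no matches at all", and the tracker only releases a flow's list when the Flow End event (firewallEvents 2, Flow Delete) arrives. It also rejects a list whose element or semantic differs from what this section specifies instead of silently interpreting it.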

Log Action Fields

The rule log action event consists of the following fields:

Property | Data Type
cognitixPolicyId | string
cognitixPolicyName | string
cognitixPolicyRuleId | string
cognitixPolicyRuleName | string
cognitixPolicyRuleAction | unsigned8
cognitixLogSeverity | unsigned8
cognitixIocFeedName | string
cognitixIocValueType | unsigned8
cognitixIocValue | string
httpRequestHost | string
httpRequestTarget | string

URL Classification Fields

The URL classification event consists of the following fields:

Property | Data Type
cognitixUrl | string
cognitixUrlCategory | unsigned16
cognitixUrlReputation | unsigned16

IPS Rule Hit Field

The IPS rule hit event consists of the following field:

Property | Data Type
cognitixIPSRuleId | unsigned32

IPFIX Event Content

Every IPFIX event carries a specific firewallEvents value (the IANA element firewallEvent, ID 233) that identifies the event type, together with the fields listed below:

IPFIX Event | Firewall Event Value | Fields
Flow Start | 1 (Flow Create) | Common fields, policy rule match field
Flow Keepalive | 5 (Flow Update) | Common fields, policy rule match field
Flow End | 2 (Flow Delete) | Common fields, policy rule match field
Log | 4 (Flow Alert) | Common fields, log action fields
URL Classification | 5 (Flow Update) | Common fields, URL classification fields
IPS Hit | 5 (Flow Update) | Common fields, IPS rule hit field

Note that Flow Keepalive, URL Classification and IPS Hit all use the value 5 (Flow Update); a collector must distinguish them by the template (i.e. by which of the field groups above is present), not by the firewallEvents value alone.
