Event Tracking Tables
Event tracking tables (ETTs) are data buffers that store combinations of attributes. They track traffic properties in order to enable behavior-based correlation. Rules can be applied based on whether and how often certain properties were encountered.
ETTs track pairs of attributes of communication events across multiple traffic flows. A communication event consists of a combination of one primary attribute and several secondary attributes. Rules enter these events in the event tracking tables.
Every entry in an ETT has an individual timeout. This means that changes can be tracked over time, and entries are removed automatically once their timeout has elapsed. Rules can query the tables to check whether certain attributes are present or to count how many times an attribute was added. Depending on whether the evaluation condition is met, further rules are applied to the flow.
For example, you can check how many times a certain host was added to an ETT for TCP connection ports. If it was added 100 times to the ETT within a minute, the traffic of this host is dropped. Otherwise, the host may operate without restrictions. See the Blocking TCP Port Scanners example for further information. In this way, attributes seen in earlier communication flows determine how later flows are handled.
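To make the mechanism concrete, here is an added toy model of an event tracking table that is not part of this documentation or of the product: it stores (primary, secondary) attribute pairs with a per-entry timeout, answers count and presence queries, and applies the port-scanner rule from the paragraph above (100 additions within a 60-second timeout lead to a drop). The class and function names, the 100/60 parameters, and the IP addresses are assumptions chosen for the illustration.

```python
"""Toy model of an event tracking table (ETT): entries are (primary, secondary)
attribute pairs, each with its own timeout; rules query the number of live
entries. This is illustrative code, not the product's implementation."""
from collections import defaultdict


class EventTrackingTable:
    """Tracks (primary, secondary) pairs; every entry expires on its own clock."""

    def __init__(self, timeout_seconds: float):
        self.timeout = timeout_seconds
        # primary attribute -> list of (secondary attribute, expiry timestamp)
        self._entries = defaultdict(list)

    def _purge(self, now: float) -> None:
        # Remove entries whose individual timeout has elapsed.
        for primary in list(self._entries):
            live = [(s, exp) for s, exp in self._entries[primary] if exp > now]
            if live:
                self._entries[primary] = live
            else:
                del self._entries[primary]

    def add(self, primary, secondary, now: float) -> None:
        """Record one communication event; the entry lives for `timeout` seconds."""
        self._purge(now)
        self._entries[primary].append((secondary, now + self.timeout))

    def count(self, primary, now: float) -> int:
        """How many times `primary` was added and is still within its timeout."""
        self._purge(now)
        return len(self._entries.get(primary, []))

    def contains(self, primary, secondary, now: float) -> bool:
        """Whether the pair (primary, secondary) is currently present."""
        self._purge(now)
        return any(s == secondary for s, _ in self._entries.get(primary, []))

    def secondaries(self, primary, now: float) -> set:
        """The set of live secondary attributes stored for `primary`."""
        self._purge(now)
        return {s for s, _ in self._entries.get(primary, [])}


def port_scan_rule(ett, src_ip, dst_port, now, threshold=100) -> str:
    """Rule: enter (src_ip, dst_port) into the ETT, then drop the flow if the
    host was added `threshold` or more times within the table's timeout."""
    ett.add(src_ip, dst_port, now)
    return "drop" if ett.count(src_ip, now) >= threshold else "allow"


def simulate():
    """Constructed traffic (not captured data): one host probes 100 ports in
    30 seconds, another opens three ordinary connections. Returns the last
    decision per host plus the decision after the scanner's entries expired."""
    ett = EventTrackingTable(timeout_seconds=60)
    decisions = {}
    # Scanner: 100 distinct ports within 30 seconds -> the 100th event is dropped.
    for i in range(100):
        decisions["scanner"] = port_scan_rule(ett, "10.0.0.5", 1 + i, now=i * 0.3)
    # Ordinary host: three connections, far below the threshold.
    for i, port in enumerate((80, 443, 22)):
        decisions["normal"] = port_scan_rule(ett, "10.0.0.9", port, now=40 + i)
    # 61 seconds after the scanner's last event all of its entries have timed
    # out, so a fresh connection from it is allowed again.
    decisions["scanner_later"] = port_scan_rule(ett, "10.0.0.5", 8080, now=30 + 61)
    decisions["live_scanner_entries"] = ett.count("10.0.0.5", now=30 + 61)
    return decisions


if __name__ == "__main__":
    print(simulate())
```

The per-entry expiry is what makes the rule self-resetting: nothing has to clear the table, and a host that stops probing is released as soon as its last entry times out. A real deployment would pick the threshold and timeout to match the expected connection rate of legitimate hosts.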
Event tracking tables can track and correlate any combination of flow attribute pairs. The following attribute types are available:
- Classification applications and/or protocols
- HTTP domain names
- HTTP URLs
- IDS hits
- IP addresses
- Layer 4 ports
- MAC addresses
- None (used to track only one attribute instead of attribute pairs)
- VLAN tags
The following table shows useful example combinations of attributes:

| Primary Attribute Type | Secondary Attribute Type | Use |
|---|---|---|
| IP addresses | Layer 4 ports | Stores a list of ports per IP address. |
| MAC addresses | None | Counts how often a MAC address was added to an ETT. |
| | | Shows what URLs users visited by storing a list of accessed URLs per user. |
| | | Stores a list of IDS hits per asset. You can use this event tracking table to set up rules that isolate devices which exceed a certain number of IDS hits. |
| | | This ETT tracks users. You can use it to create policy rules that are based on the behavior of users. |
| | | You can use this ETT to count the number of assets in your system and set up rules that are triggered if a certain value is exceeded. |
- For step-by-step instructions on how to create an event tracking table, see Creating an Event Tracking Table.
- For instructions on how to view or delete the contents of an event tracking table, see Viewing the Content of Event Tracking Tables.
- For further information on the settings options, see Event Tracking Tables in the interface reference.