Incorporating IPFIX/Netflow fields into existing ECS field sets #732

Closed
wants to merge 1 commit into from
9 changes: 9 additions & 0 deletions code/go/ecs/destination.go


61 changes: 61 additions & 0 deletions code/go/ecs/network.go


9 changes: 9 additions & 0 deletions code/go/ecs/source.go


180 changes: 180 additions & 0 deletions docs/field-details.asciidoc
Expand Up @@ -631,6 +631,17 @@ type: ip



| core

// ===============================================================

| destination.ip.network_prefix
| Count of the number of high-order bits that define an IPv4 or IPv6 network address in a destination network.

type: long



| core

// ===============================================================
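Review bot: `destination.ip.network_prefix` nests a sub-field under `destination.ip`, which the context lines directly above show is a leaf field of `type: ip`; an Elasticsearch mapping cannot have one path be both an `ip` leaf and an object, so this field cannot be mapped as written. Suggest a sibling name such as `destination.ip_prefix_length` (or `destination.network_prefix`) and tightening the description from "Count of the number of high-order bits" to "Number of high-order bits of the destination IP that form the network address (0-32 for IPv4, 0-128 for IPv6)", so the valid range is stated.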
Expand Down Expand Up @@ -690,6 +701,19 @@ type: long



| core

// ===============================================================

| destination.port_name
| Text description for commonly used ports, e.g. dns, http, https, smtp.

The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".

type: keyword

example: `http`

| core

// ===============================================================
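Review bot: `destination.port_name` does not say how it differs from the existing keyword field in the `network` section that also carries `example: \`http\`` (see the context lines further down in this diff); with the same values and the same example, producers will not know which to populate. Suggest the description state explicitly that this is the IANA-style service name looked up from `destination.port` (a table lookup, not an observation of the protocol actually spoken), and cross-reference the protocol field so the two are not used interchangeably.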
Expand Down Expand Up @@ -2471,6 +2495,17 @@ example: `aim`

// ===============================================================

| network.bit_rate
| Calculated by dividing the total number of bits transferred during an arbitrary period of time by that period of time. By convention, this would likely be presented in bps (bits per second).

type: float



| core

// ===============================================================

| network.bytes
| Total bytes transferred in both directions.

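Review bot: `network.bit_rate` is defined over "an arbitrary period of time", but nothing in the field says which period, so two exporters can emit incomparable values for the same flow. The description should name the reference interval (for flow records, the flow start/end timestamps the event already carries) and fix the unit to bits per second outright rather than "would likely be presented in bps"; a unit that is only conventional cannot be relied on in queries. Also, unlike `network.bytes` in the context below, this field ships without an `example:` line.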
Expand All @@ -2480,6 +2515,17 @@ type: long

example: `368`

| core

// ===============================================================

| network.class_of_service
| In the case of IPv4 packets this would correspond to the TOS (Type of Service) field. In the case of IPv6 packets this would correspond to the Traffic Class field.

type: long



| core

// ===============================================================
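Review bot: the name `network.class_of_service` is ambiguous: in networking, "class of service" conventionally means the 802.1p PCP bits of the VLAN tag, while this field holds the IP-layer byte (IPv4 TOS / IPv6 Traffic Class). Suggest a name that says so (e.g. `network.ip_tos` or `network.traffic_class`) and a description that states the field is the full 8-bit byte (DSCP plus ECN), value range 0-255, so producers do not store only the 6-bit DSCP value in it.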
Expand Down Expand Up @@ -2522,6 +2568,50 @@ type: keyword

example: `inbound`

| core

// ===============================================================

| network.dot1q_ctag
| The customer VLAN identifier in the C-TAG (Customer VLAN Tag) TCI (Tag Control Information) field as defined in IEEE 802.1Q. This could be the VLAN's numeric identifier or text description.

type: keyword



| core

// ===============================================================

| network.dot1q_vlan
| The VLAN identifier portion of the TCI (Tag Control Information) field of an Ethernet frame as defined in IEEE 802.1Q. This could be the VLAN's numeric identifier or text description.

type: keyword



| core

// ===============================================================

| network.egress_interface
| From the observation point of a network event, the network interface from which frames or packets were transmitted. For example, in the case of a switch or router this might be the port name (e.g. eth0, ge-0/1, GigabitEthernet0/0, etc.), port description, or SNMP ifIndex (e.g. 501).

type: keyword



| core

// ===============================================================

| network.egress_vlan
| From the observation point of a network event, the VLAN in which the frame was transmitted. This could be the VLAN's numeric identifier or text description.

type: keyword



| core

// ===============================================================
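Review bot: the precedence between `network.dot1q_vlan`, `network.dot1q_ctag`, `network.ingress_vlan` and `network.egress_vlan` is undefined in this hunk: an event observed on a trunk port could legitimately fill all four with the same value or with different ones, and nothing says which a producer should populate. Each of the four also allows "the VLAN's numeric identifier or text description" in one `keyword` field, which means a 12-bit VLAN ID and a free-text name share a field and range queries on the ID are impossible; suggest separate `*.id` and `*.name` fields, and the same split for `egress_interface`, which currently mixes port name, port description and SNMP ifIndex in a single value.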
Expand All @@ -2533,6 +2623,17 @@ type: ip

example: `192.1.1.2`

| core

// ===============================================================

| network.fragment_identification
| The value of the fragment identification field from an IPv4 or IPv6 packet header.

type: long



| core

// ===============================================================
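Review bot: the description "from an IPv4 or IPv6 packet header" is inaccurate for IPv6, where the Identification field is not in the base header but in the Fragment extension header and is only present when the packet is fragmented. Suggest stating that (and that the IPv4 value is 16-bit while the IPv6 value is 32-bit, which is why `type: long` is appropriate), plus when the field should be left unset.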
Expand All @@ -2548,6 +2649,39 @@ example: `6`

// ===============================================================

| network.icmp_type_code
| This could be represented using a numeric value or a text description. For example, an ICMP echo request would have "type = 8" and "code = 0", which could be represented as "0x0800" or "ICMP Echo".

type: keyword



| core

// ===============================================================

| network.ingress_interface
| From the observation point of a network event, the network interface into which frames or packets were received. For example, in the case of a switch or router this might be the port name (e.g. eth0, ge-0/1, GigabitEthernet0/0, etc.), port description, or SNMP ifIndex (e.g. 501).

type: keyword



| core

// ===============================================================

| network.ingress_vlan
| From the observation point of a network event, the VLAN in which the frame was received. This could be the VLAN's numeric identifier or text description.

type: keyword



| core

// ===============================================================

| network.name
| Name given by operators to sections of their network.

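Review bot: `network.icmp_type_code` packs type and code into one `keyword` that may hold either a hex string or a text label, so the same event can be indexed as "0x0800" by one producer and "ICMP Echo" by another and never match; "ICMP Echo" is also ambiguous between echo request (type 8) and echo reply (type 0). Suggest numeric `icmp.type` and `icmp.code` fields with an optional name field, and a description that states which ICMP version applies, since ICMPv6 uses different type numbers for the same messages (echo request is type 128 there). The `ingress_interface` text in this hunk inherits the same mixed name/description/ifIndex concern raised on `egress_interface`.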
Expand All @@ -2559,6 +2693,17 @@ example: `Guest Wifi`

// ===============================================================

| network.packet_rate
| Calculated by dividing the total number of packets transferred during an arbitrary period of time by that period of time. By convention, this would likely be presented in pps (packets per second).

type: float



| core

// ===============================================================

| network.packets
| Total packets transferred in both directions.

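Review bot: `network.packet_rate` has the same gap as `network.bit_rate`: the "arbitrary period of time" is never tied to anything in the event, and the unit is only "likely" pps. Fix the unit to packets per second in the description and name the interval (flow start/end for flow records); consider whether a `float` is needed here at all, given `network.packets` just below is a `long`.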
Expand All @@ -2581,6 +2726,17 @@ type: keyword

example: `http`

| core

// ===============================================================

| network.tcp_control_bits
| This could be represented using a numeric value or text description. For example, a TCP syncrhonize flag could be represented as "0x0002" or "SYN".

type: keyword



| core

// ===============================================================
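Review bot: typo in the added description: "syncrhonize" should be "synchronize". More substantively, the field only describes a single flag, but TCP control bits are a bitmask that is routinely combined (SYN and ACK together is 0x0012); the description should say how combinations are represented (e.g. the full hex mask, or a fixed-order token list such as "SYN|ACK"), otherwise the same segment will be stored as "0x0012" by one producer and "SYN ACK" by another and neither form is queryable consistently.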
Expand Down Expand Up @@ -4146,6 +4302,17 @@ type: ip



| core

// ===============================================================

| source.ip.network_prefix
| Count of the number of high-order bits that define an IPv4 or IPv6 network address in a source network.

type: long



| core

// ===============================================================
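Review bot: `source.ip.network_prefix` has the same mapping conflict as `destination.ip.network_prefix`: `source.ip` is a `type: ip` leaf (context lines above), so a child field under it cannot be mapped. Use a sibling name such as `source.ip_prefix_length` and state the 0-32 / 0-128 range in the description.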
Expand Down Expand Up @@ -4205,6 +4372,19 @@ type: long



| core

// ===============================================================

| source.port_name
| Text description for commonly used ports, e.g. dns, http, https, smtp.

The field value must be normalized to lowercase for querying. See the documentation section "Implementing ECS".

type: keyword

example: `http`

| core

// ===============================================================
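Review bot: `source.port_name` repeats the `destination.port_name` description verbatim and has the same overlap with the existing protocol field whose example is also `http`; the description should state it is a service-name lookup from `source.port`, not an observed protocol, and cross-reference the protocol field so producers know which to fill.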