No. | Feature | Description
---|---|---
1 | ts | Timestamp of the connection, recorded for the flow identifiers
2 | src_ip | Source IP address of the originating endpoint
3 | src_port | Source TCP/UDP port of the originating endpoint
4 | dst_ip | Destination IP address of the responding endpoint
5 | dst_port | Destination TCP/UDP port of the responding endpoint
6 | proto | Transport-layer protocol of the flow connection
7 | service | Dynamically detected application protocol, such as DNS, HTTP or SSL
8 | duration | Duration of the connection, estimated as 'time of the last packet seen' minus 'time of the first packet seen'
9 | src_bytes | Number of payload bytes sent by the originator, estimated from TCP sequence numbers
10 | dst_bytes | Number of payload bytes sent by the responder, estimated from TCP sequence numbers
11 | conn_state | Connection state, such as S0 (connection attempt with no reply), S1 (connection established) and REJ (connection attempt rejected)
12 | missed_bytes | Number of bytes missing in content gaps
13 | src_pkts | Number of packets sent by the source system
14 | src_ip_bytes | Number of IP-layer bytes sent by the source system, taken from the total-length field of the IP header
15 | dst_pkts | Number of packets sent by the destination system
16 | dst_ip_bytes | Number of IP-layer bytes sent by the destination system, taken from the total-length field of the IP header
17 | dns_query | Domain name that is the subject of the DNS query
18 | dns_qclass | Value specifying the DNS query class
19 | dns_qtype | Value specifying the DNS query type
20 | dns_rcode | Response code value in the DNS response
21 | dns_AA | DNS authoritative-answer flag, where T denotes the server is authoritative for the query
22 | dns_RD | DNS recursion-desired flag, where T denotes the client requested a recursive lookup
23 | dns_RA | DNS recursion-available flag, where T denotes the server supports recursive queries
24 | dns_rejected | DNS rejection flag, where T denotes the DNS query was rejected by the server
25 | ssl_version | SSL version offered by the server
26 | ssl_cipher | SSL cipher suite chosen by the server
27 | ssl_resumed | SSL flag indicating session reuse, where T denotes the connection resumed a previous session
28 | ssl_established | SSL flag indicating whether the connection between the two parties was established, where T denotes an established connection
29 | ssl_subject | Subject of the X.509 certificate offered by the server
30 | ssl_issuer | Issuer of the X.509 certificate offered by the server (the certificate authority)
31 | http_trans_depth | Pipelined depth into the HTTP connection
32 | http_method | HTTP request method, such as GET, POST or HEAD
33 | http_uri | URI used in the HTTP request
34 | http_version | HTTP version used, such as 1.1
35 | http_request_body_len | Actual uncompressed content size of the data transferred from the HTTP client
36 | http_response_body_len | Actual uncompressed content size of the data transferred from the HTTP server
37 | http_status_code | Status code returned by the HTTP server
38 | http_user_agent | Value of the User-Agent header in the HTTP request
39 | http_orig_mime_types | Ordered vector of MIME types sent by the source system over HTTP
40 | http_resp_mime_types | Ordered vector of MIME types sent by the destination system over HTTP
41 | weird_name | Name of the protocol anomaly/violation that occurred
42 | weird_addl | Additional information associated with the protocol anomaly/violation
43 | weird_notice | Indicates whether the violation/anomaly was turned into a notice
44 | label | Tag separating normal and attack records, where 0 indicates normal and 1 indicates attack
45 | type | Tag for the attack category, such as DoS, DDoS and backdoor attacks, with normal for normal records
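As an added example, not part of the table or of the dataset's own tooling, the following Python parses a few constructed records laid out in this schema (a subset of the columns, with Zeek's "-" marking unset fields), checks that label and type agree with each other, and summarises the S0/REJ connection states and rejected DNS queries per source address: the consistency checks a defender runs before training a model or alerting on this data. All rows, addresses and domain names are constructed.

```python
import csv
import io
from collections import Counter
# Constructed sample rows in the table's schema (subset of columns); made-up values, "-" = unset.
SAMPLE_CSV = """ts,src_ip,src_port,dst_ip,dst_port,proto,service,duration,src_bytes,dst_bytes,conn_state,dns_query,dns_rejected,ssl_established,http_method,http_status_code,label,type
1554200000.1,192.168.1.30,40001,192.168.1.193,80,tcp,http,0.41,120,512,SF,-,-,-,GET,200,0,normal
1554200001.2,192.168.1.30,40002,192.168.1.193,443,tcp,ssl,1.2,900,3000,SF,-,-,T,-,-,0,normal
1554200002.3,192.168.1.31,52000,192.168.1.193,22,tcp,-,0.0,0,0,S0,-,-,-,-,-,1,DoS
1554200002.4,192.168.1.31,52001,192.168.1.193,23,tcp,-,0.0,0,0,REJ,-,-,-,-,-,1,DoS
1554200002.5,192.168.1.31,52002,192.168.1.193,8080,tcp,-,0.0,0,0,S0,-,-,-,-,-,1,DoS
1554200003.0,192.168.1.32,5353,192.168.1.1,53,udp,dns,0.02,60,0,SF,query.example,T,-,-,-,1,backdoor
1554200004.0,192.168.1.30,40003,192.168.1.1,53,udp,dns,0.01,60,120,SF,time.example,F,-,-,-,0,normal
"""

INT_FIELDS = {"src_port", "dst_port", "src_bytes", "dst_bytes", "http_status_code", "label"}
FLOAT_FIELDS = {"ts", "duration"}
FLAG_FIELDS = {"dns_rejected", "ssl_established"}  # T/F flags as described in the table
INCOMPLETE_STATES = {"S0", "REJ"}  # attempt with no reply / attempt rejected

def parse_records(text):
    """Parse CSV rows into typed dicts, mapping Zeek's "-" (unset) to None."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        rec = {}
        for key, val in row.items():
            if val == "-":
                rec[key] = None
            elif key in INT_FIELDS:
                rec[key] = int(val)
            elif key in FLOAT_FIELDS:
                rec[key] = float(val)
            elif key in FLAG_FIELDS:
                rec[key] = (val == "T")
            else:
                rec[key] = val
        records.append(rec)
    return records

def label_mismatches(records):
    """Row indices where label and type disagree: label 0 must pair with type normal."""
    return [i for i, r in enumerate(records) if (r["label"] == 0) != (r["type"] == "normal")]

def incomplete_connections_by_source(records):
    """Count S0/REJ connections per src_ip; a burst from one source is the footprint of a sweep or flood."""
    return Counter(r["src_ip"] for r in records if r["conn_state"] in INCOMPLETE_STATES)

def rejected_dns_queries(records):
    """(src_ip, dns_query) pairs for DNS records the server rejected (dns_rejected == T)."""
    return [(r["src_ip"], r["dns_query"]) for r in records if r["dns_rejected"]]
```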