What is the format of "attack-list.csv"?
This article applies to: BlackICE Defender.
SUMMARY
The file "attack-list.csv" contains the list of intrusions that
the product found. The primary information lists the attack and
the suspected intruder. This article explains the file format
in more depth.
DETAILS
This file is in "CSV" (Comma Separated Value) format, and can
be imported into spreadsheets and database programs for
further processing.
The columns are, from left to right:
- severity: A number from 1-99 that indicates the severity
of an attack, where 1 is not very severe and 99 is the
most severe. Unfortunately, these levels do not have any
precise meaning. Even an attack at level 1 may result in a
compromise of the machine, whereas an attack at level 99
could be harmless. The assigned level is just a best guess.
- timestamp: The time and date of the last time the attack
occurred. Attacks are "coalesced", meaning that if the same
attack occurs multiple times, earlier attacks are sometimes
removed from the list and simply merged with the latest one.
A count of the number of times an attack has occurred is
kept in another column. This timestamp is kept in GMT (aka
UTC), and is probably several hours off from the time you
see in the user interface. The ISP will want the time in
this format so they don't have to worry about what timezone
you are in.
- "issueId": A numeric identifier for this attack type. Each
of the more than 300 attacks that the intrusion-detection
component detects is assigned a unique number. This number
is used for all internal processing of events. This number
may also be pasted at the end of the URL
http://advice.networkice.com/advice/intrusions/
in order to get help on the event.
- "issueName": The name of the attack. Each of the unique
"issueId" numbers has a name associated with it.
- intruder's IP address: The IP address of the attacker.
Remember that IP addresses can sometimes be "spoofed"
(forged), or that an intrusion may be a "false positive",
so there isn't a 100% chance that this is actually a
hostile person.
- intruder's name: The name of the intruder. We scan both
Internet databases like DNS as well as the attacker itself
in order to find the "best name" of the machine, then
display it here.
- victim's IP address: The IP address of the machine the
intruder was attacking. For example, if a user is running
the product and gets attacked on a dial-up connection, then
this will be the IP address assigned to that machine during
that dial-up session.
- "parameters": Detailed information about the attack. For
example, in a "TCP port probe" scan, this will contain the
list of ports the attacker was scanning. The meaning of this
information is documented in the "advICE" database.
- count: The number of times this attack was seen.
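As an added example (not code from the original article or from the product), the following Python reads rows in the column order described above, treats the timestamp as UTC, builds the advICE help URL from the "issueId", and sums the count column per intruder address so coalesced entries are totalled correctly. The sample rows, the issueId numbers and the timestamp layout (YYYY-MM-DD HH:MM:SS) are constructed assumptions; the article does not state the exact timestamp layout.

```python
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

ADVICE_URL = "http://advice.networkice.com/advice/intrusions/"

# Column order as documented in the article, left to right.
COLUMNS = ("severity", "timestamp", "issueId", "issueName", "intruderIp",
           "intruderName", "victimIp", "parameters", "count")

# Constructed sample rows, not a real capture. The issueId values and the
# timestamp layout are assumptions; "parameters" may contain commas, so it
# is quoted as a CSV field.
SAMPLE_CSV = """\
60,1999-08-20 23:58:10,1234,TCP port probe,198.51.100.5,host5.example.net,192.0.2.20,"ports=21,23,80,110",4
10,1999-08-20 22:10:00,5678,UDP port probe,198.51.100.7,,192.0.2.20,port=53,1
75,1999-08-21 00:05:42,1234,TCP port probe,198.51.100.9,scanner.example.net,192.0.2.20,"ports=139,445",12
"""

@dataclass
class AttackRecord:
    severity: int
    timestamp: datetime  # timezone-aware, always UTC as the file stores it
    issue_id: int
    issue_name: str
    intruder_ip: str
    intruder_name: str
    victim_ip: str
    parameters: str
    count: int

    def advice_url(self) -> str:
        # The article says the issueId can be appended to the advICE URL.
        return f"{ADVICE_URL}{self.issue_id}"

def parse_attack_list(text: str) -> List[AttackRecord]:
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns, got {len(row)}")
        severity = int(row[0])
        if not 1 <= severity <= 99:
            raise ValueError(f"severity out of documented range 1-99: {severity}")
        ts = datetime.strptime(row[1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        records.append(AttackRecord(severity, ts, int(row[2]), row[3], row[4],
                                    row[5], row[6], row[7], int(row[8])))
    return records

def events_per_intruder(records: List[AttackRecord]) -> Dict[str, int]:
    # Sum the count column: coalescing means one row may stand for many events.
    totals: Counter = Counter()
    for r in records:
        totals[r.intruder_ip] += r.count
    return dict(totals)

def local_time(record: AttackRecord, utc_offset_hours: int) -> datetime:
    # Convert the stored GMT/UTC timestamp to the viewer's local offset.
    return record.timestamp.astimezone(timezone(timedelta(hours=utc_offset_hours)))
```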
Network ICE is always interested in seeing customers'
"attack-list.csv" files. Feel free to e-mail a copy
to "attack-list@networkice.com". While we may not have
time to respond to your e-mail, we do appreciate it
and will save it in our database and compare it with
other such files in order to understand attack patterns
on the Internet.
Keywords: attack-list.csv
Version: 1.8.5.5
Fixed:
Modified: 1999-08-21