IdsEventFlowData
IDS event flow data specific to each IDS event. The data includes source ip, source port, destination ip, destination port, protocol, rule id, profile id, and the action.
{
"action_type": "string",
"bytes_toclient": 0,
"bytes_toserver": 0,
"client_ip": "string",
"destination_ip": "string",
"destination_port": 0,
"local_vm_ip": "string",
"profile_id": "string",
"protocol": "string",
"rule_id": 0,
"source_ip": "string",
"source_port": 0
}The action pertaining to the detected intrusion. Possible values are ALERT, DROP, REJECT, and INVALID. ALERT - If there is a signature match on the packet, it is allowed to pass but a notification is sent to the user notifying an intrusion was detected. DROP - On a signature match, the packet is silently dropped. An alert is sent to the user that an intrusion was detected. REJECT - On a signature match, the packet is dropped and TCP RST or ICMP error messages (for non-TCP pkts) are sent to the endpoints. An alert is sent to the user that an intrusion was detected. INVALID - If the action doesn't belong to any of the above mentioned categories, it is marked as INVALID.
Bytes sent to client.
Bytes sent to server.
IP address of the VM that initiated the communication.
IP address of the destination VM on the intrusion flow.
Port on the destination VM where the traffic was sent to.
IP address of VM on the host where IDS engine is running.
The IDS profile id that is associated with the IDS rule pertaining to the intrusion event detected.
Traffic protocol pertaining to the detected intrusion, could be TCP/UDP etc.
The IDS Rule id pertaining to the detected intrusion.
IP address of the source VM on the intrusion flow.
Source port through which traffic was initiated that caused the intrusion to be detected.