Attributes
Václav Bartoš edited this page Dec 8, 2022
This page lists all attributes that may occur in entity records. Some are specific for a particular entity type (list of entity types), some are generic.
Attributes that are used for multiple entity types.
attribute name | entity types | type/format | description |
---|---|---|---|
`_id` | all | depends on entity type | Identification of the entity (e.g. IP address, AS number) |
`ts_added` | all | datetime, plain | Time of record creation |
`ts_last_update` | all | datetime, plain | Time of the last update of the record |
`_nru4h` | all | datetime, plain | Time of the next planned update of the record (4-hour interval). (NRU = Next Regular Update) |
`_nru1d` | all | datetime, plain | Time of the next planned update of the record (1-day interval). |
`_nru1w` | all | datetime, plain | Time of the next planned update of the record (1-week interval). |

Note: Attributes starting with an underscore (`_`) are for internal purposes only and are normally not shown in the web frontend as entity attributes.
Attributes specific for records of type `ip`.

attribute name | type/format | description |
---|---|---|
`_id` | int | Record ID: the IP address as an integer (presented to the user as a string in the usual dotted-decimal format) |
`events` | list-of-objects, key: `date`,`cat`,`node` | Number of events for each date, category and node. |
`events[].date` | string `YYYY-MM-DD` | Date of the events (according to `DetectTime`, in UTC) |
`events[].cat` | string | Category of the events (as in the IDEA format, without dots; multiple Categories in one event are joined by `+`, e.g. `AttemptExploit+Malware`) |
`events[].node` | string | Name of the source which reported the events (`Node[-1].Name` in IDEA) |
`events[].n` | int | Number of events on day `date` with category `cat` and node name `node` |
`events_meta` | (group) | Other meta-information about reported alerts/events. |
`events_meta.total` | int | Total number of events in the DB for this IP (within the last 90 days by default) |
`events_meta.total{1,7,30}` | int | Total number of events in the last 1, 7 and 30 days, respectively. (Note: events received in the N previous whole days and in the current day are counted; for example, `total1` may span 24 to 48 hours, depending on the time of the query.) |
`events_meta.types` | list of strings | Prevalent categories of events (used for tagging) |
`last_activity` | datetime | Timestamp of the last reported event |
`_ttl` | (group) | Keep-alive tokens, used for cleaning purposes |
`_ttl.warden` | datetime | Expiration timestamp of the IP based on alerts from Warden |
`_ttl.misp` | datetime | Expiration timestamp of the IP based on events from MISP |
`_ttl.long_active` | datetime | Expiration timestamp of the IP due to it being active for a long time |
`_ttl.highly_active` | datetime | Expiration timestamp of the IP due to a high number of events |
`hostname` | string | Hostname associated with the IP address, acquired by a PTR DNS query; None/null if the query returned NXDOMAIN or another error |
`geo` | (group) | Geolocation info (based on the MaxMind GeoLite2 City DB). |
`geo.ctry` | string | Country code (2-letter code defined by ISO 3166). |
`geo.city` | string | City |
`geo.tz` | string | Timezone (as a string, e.g. `Europe/Prague`) |
`bgppref` | string (CIDR) | Smallest BGP prefix containing the IP address (taken from asn.cymru.com) |
`bl` | list-of-objects, key: `n` | Presence of the IP on various blacklists at various times. |
`bl[].n` | string | Name of the blacklist. |
`bl[].v` | int (0 or 1) | Whether the IP was present on the blacklist when it was last queried. |
`bl[].t` | datetime | Timestamp of the last query of the blacklist. |
`bl[].h` | list of datetime | Timestamps of queries with a positive result, i.e. when the IP was present on the blacklist. |
`dbl` | list-of-objects, key: `n` | Presence of a domain associated with this IP (according to CESNET's passive DNS database) on a domain blacklist. Format is the same as for `bl`. |
`caida_as_class` | string, conf | Class of the IP's ASN according to the CAIDA AS classification dataset. May be `access` (transit or access network), `enterprise`, `content` or `unknown`. Confidence is set based on the source of the data (peerDB or inferred by machine learning) and on whether `as_maxmind.num` and `as_rv.num` are both set and equal. |
`hostname_class` | list of strings | Classes/tags derived from the hostname, either based on well-known domain names or on matching a configured regular expression. May be `research_scanner`, `dynamic`, `nat`, etc. (configurable in `nerdd.cfg`) |
`reserved_range` | int (0 or 1) | Whether the IP address belongs to one of the IPv4 ranges reserved for special purposes. |
`rep` | float | Reputation score. (Experimental) Simple computation based on the non-linearly transformed number of events and number of nodes per day, with linearly decreasing weight of older days (up to 14 days). Currently treats all alert categories the same. |
`tags` | special (TODO) | Various tags assigned to the IP. |
`misp_events` | list-of-objects, key: `misp_instance`,`event_id` | Information about MISP events containing the IP in one of their attributes. |
`misp_events[].misp_instance` | string | URL of the MISP instance |
`misp_events[].event_id` | string (FIXME: why not int?) | ID of the event within the MISP instance |
`misp_events[].tlp` | string | TLP level associated with the event (normally `white` or `green`; higher levels are not pulled into NERD) |
`misp_events[].tag_list` | list of objects | List of event tags, each an object with two keys: `name` (triple-tag string format) and `colour` (HTML format) |
`misp_events[].(others)` | string/datetime/object | Other parameters copied from the MISP event: `info`, `org_created`, `role` (the IP's role, `src` or `dst`), `date`, `last_change`, `threat_level`, `sightings` |
`otx_pulses` | list-of-objects, key: `pulse_id` | Pulses with information about a malicious IP address. Note: one indicator can't occur multiple times in the same pulse, even with different roles (tried it, OTX doesn't allow it). |
`otx_pulses[].pulse_id` | string | Unique pulse ID |
`otx_pulses[].pulse_name` | string | Pulse name |
`otx_pulses[].author_name` | string | Name of the pulse creator |
`otx_pulses[].pulse_created` | datetime | Time when the pulse was created |
`otx_pulses[].pulse_modified` | datetime | Time when the pulse was last changed |
`otx_pulses[].indicator_created` | datetime | Time when the indicator was created |
`otx_pulses[].indicator_expiration` | datetime | Time when the indicator expires |
`otx_pulses[].indicator_role` | string | Type of threat from the IP address |
`otx_pulses[].indicator_title` | string | Detailed description of the threat |
`dshield` | list-of-objects, key: `date` | Data from DShield: number of reports of the IP address and number of targets that reported it (for each day). |
`dshield[].date` | string `YYYY-MM-DD` | Date of the reports |
`dshield[].reports` | int | How many times the IP address was reported to DShield on the given date |
`dshield[].targets` | int | Number of unique targets that reported the IP address on the given date |
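The following is an added example, not code from NERD itself, showing how a consumer of an `ip` record would turn the integer `_id` back into dotted-decimal form and derive the `events_meta.total{1,7,30}` counters from `events[]` exactly as defined above (N previous whole days plus the current day, so `total1` covers 24 to 48 hours). The record, dates, node names and the 90-day default for `events_meta.total` being computed the same way are all constructed assumptions for illustration.

```python
# Added example, not NERD's own code. Works on an `ip` record shaped as in the
# table above; the record below is constructed for illustration.
import ipaddress
from datetime import date, datetime, time, timedelta, timezone

# Constructed sample `ip` record (only the fields this example uses).
RECORD = {
    "_id": 3232235777,  # 192.168.1.1 stored as an integer, as `_id` is
    "events": [
        {"date": "2022-12-08", "cat": "AttemptExploit+Malware", "node": "cz.example.sensor1", "n": 3},
        {"date": "2022-12-07", "cat": "ReconScanning", "node": "cz.example.sensor1", "n": 5},
        {"date": "2022-12-07", "cat": "ReconScanning", "node": "cz.example.sensor2", "n": 2},
        {"date": "2022-12-01", "cat": "ReconScanning", "node": "cz.example.sensor1", "n": 10},
        {"date": "2022-11-01", "cat": "AttemptLogin", "node": "cz.example.sensor1", "n": 7},
    ],
}


def id_to_ip(rec_id: int) -> str:
    """Render the integer `_id` of an `ip` record in dotted-decimal form."""
    return str(ipaddress.IPv4Address(rec_id))


def ip_to_id(ip: str) -> int:
    """Inverse of id_to_ip: the integer key under which an `ip` record is stored."""
    return int(ipaddress.IPv4Address(ip))


def _window_start(now: datetime, days: int) -> datetime:
    """Midnight UTC at the start of the day `days` whole days before the current UTC day.
    `now` should be timezone-aware; a naive value is interpreted as local time."""
    today = now.astimezone(timezone.utc).date()
    return datetime.combine(today - timedelta(days=days), time.min, tzinfo=timezone.utc)


def events_total(events, now: datetime, days: int) -> int:
    """Sum events[].n over the `days` previous whole days plus the current day,
    which is how events_meta.total{1,7,30} are defined on this page."""
    first = _window_start(now, days).date()
    today = now.astimezone(timezone.utc).date()
    return sum(e["n"] for e in events
               if first <= date.fromisoformat(e["date"]) <= today)


def window_hours(now: datetime, days: int) -> float:
    """Length in hours of the window events_total() actually covers; for days=1
    this lies anywhere between 24 and 48 depending on the time of the query."""
    return (now - _window_start(now, days)).total_seconds() / 3600


def events_meta(events, now: datetime) -> dict:
    """Build the events_meta.total* counters. Assumption: the 90-day default for
    `total` is counted with the same whole-days-plus-today rule."""
    return {
        "total": events_total(events, now, 90),
        "total1": events_total(events, now, 1),
        "total7": events_total(events, now, 7),
        "total30": events_total(events, now, 30),
    }


if __name__ == "__main__":
    now = datetime(2022, 12, 8, 0, 30, tzinfo=timezone.utc)
    print(id_to_ip(RECORD["_id"]), events_meta(RECORD["events"], now))
    print("total1 window at 00:30 UTC:", window_hours(now, 1), "hours")
```

Because the counters are bucketed by `events[].date` (a UTC day), `total1` queried just after midnight covers about 24 hours, while the same query late in the evening covers almost 48; compare `window_hours()` at both times before treating `total1` as a rate.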
Attributes specific for records of type `asn`.

attribute name | type/format | description |
---|---|---|
`_id` | int | Record ID, the ASN as a number |
`bgppref` | list of strings (CIDR format) | List of BGP prefixes announced by this ASN (only those with a record in NERD, not the complete routing information) (reference to the `bgppref` collection) |
`org` | string (`rir:netname`) | ID of the organization this ASN belongs to according to whois information (reference to the `org` collection) |
`rir` | string | Regional registry (RIR) this ASN belongs to (one of `ripe`, `arin`, `apnic`, `afrinic`, `lacnic`) |
`name` | string | Name of the ASN |
`circl_bgp_rank` | float | BGP Rank from CIRCL's BGP Ranking service (a number expressing the portion of known malicious IP addresses in the ASN) |
Records of type `bgppref` are just auxiliary; they mostly serve to enable mapping between IP addresses and ASNs.
Attributes specific for records of type `bgppref`.

attribute name | type/format | description |
---|---|---|
`_id` | string | Record ID, the IP prefix in CIDR format |
`asn` | list of ints | List of ASNs announcing this prefix (only those with a record in NERD, not the complete routing information) (reference to the `asn` collection) |
`rep` | float | Reputation score of the prefix, computed as the average of the reputation scores of all IP addresses within it (including the ones not in the DB, whose score is assumed to be 0) |
`_ref_cnt` | int | Reference counter; should match the number of IPs in the DB belonging to the prefix. The record is removed when the counter reaches zero. |
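As an added example (not NERD's own code), this computes `bgppref.rep` with the definition above, averaging over every address of the prefix and counting addresses without an `ip` record as 0, and derives the value `_ref_cnt` should hold. The `ip` records are constructed and carry only the `rep` and `bgppref` fields used here.

```python
# Added example, not NERD's own code. Computes the `rep` of a `bgppref` record
# as defined above and the expected `_ref_cnt`; all records are constructed.
import ipaddress

# Constructed `ip` records keyed by their integer `_id`, with only the
# attributes this example needs.
IP_RECORDS = {
    int(ipaddress.IPv4Address("198.51.100.1")): {"rep": 0.8, "bgppref": "198.51.100.0/30"},
    int(ipaddress.IPv4Address("198.51.100.2")): {"rep": 0.4, "bgppref": "198.51.100.0/30"},
    int(ipaddress.IPv4Address("203.0.113.9")): {"rep": 1.0, "bgppref": "203.0.113.0/24"},
}


def ips_in_prefix(prefix: str, ip_records: dict) -> dict:
    """Subset of ip_records whose address lies inside `prefix`."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    return {rid: rec for rid, rec in ip_records.items()
            if ipaddress.IPv4Address(rid) in net}


def prefix_rep(prefix: str, ip_records: dict) -> float:
    """Average rep over every address in the prefix. Addresses without an ip
    record contribute 0, so the divisor is the full prefix size, not the
    number of known records."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    known = ips_in_prefix(prefix, ip_records)
    return sum(rec["rep"] for rec in known.values()) / net.num_addresses


def expected_ref_cnt(prefix: str, ip_records: dict) -> int:
    """Value `_ref_cnt` of the bgppref record should hold: the number of ip
    records whose `bgppref` attribute refers to this prefix."""
    return sum(1 for rec in ip_records.values() if rec["bgppref"] == prefix)


def ref_cnt_consistent(prefix: str, stored_ref_cnt: int, ip_records: dict) -> bool:
    """Sanity check for the stored counter; a bgppref record is dropped when it
    reaches zero, so a stale non-zero counter keeps an orphaned prefix alive."""
    return stored_ref_cnt == expected_ref_cnt(prefix, ip_records)


if __name__ == "__main__":
    for prefix in ("198.51.100.0/30", "203.0.113.0/24"):
        print(prefix, "rep =", prefix_rep(prefix, IP_RECORDS),
              "_ref_cnt =", expected_ref_cnt(prefix, IP_RECORDS))
```

Since unknown addresses count as 0, a single fully malicious IP in a /24 yields a prefix `rep` of 1/256, and in a /16 only 1/65536; compare prefix scores only among prefixes of similar size, or weight by `_ref_cnt`.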
Attributes specific for records of type `ipblock`.

attribute name | type/format | description |
---|---|---|
`_id` | string | Record ID, format: `ip_from - ip_to`, where both are IP addresses in dotted-decimal format |
`rir` | string | Regional registry (RIR) this IP block belongs to (one of `ripe`, `arin`, `apnic`, `afrinic`, `lacnic`) |
`name` | string | Name of the block in the whois database |
`descr` | string | Description of the block in the whois database |
`status` | string | Status of the block: `ALLOCATED`, `ASSIGNED`, etc. |
`_ref_cnt` | int | Reference counter; should match the number of IPs in the DB belonging to the block. The record is removed when the counter reaches zero. |
Attributes specific for records of type `org`.

attribute name | type/format | description |
---|---|---|
`_id` | string | Record ID, format: `rir:whois_id`, where `rir` is one of `ripe`, `arin`, `apnic`, `afrinic`, `lacnic`, and `whois_id` is the organization identifier in the corresponding whois database. |
`name` | string | Organization name as present in the whois database |
`address` | string | Organization address as present in the whois database |
`_ref_cnt` | int | Reference counter; should match the number of IP block and ASN records in the DB pointing to this organization. The record is removed when the counter reaches zero. |