THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
| Description | Field Name | Field Value |
|---|---|---|
| Any field containing a source IP address | ip_src_ipaddr | Octets (xxx.xxx.xxx.xxx) |
| Any field containing a destination IP address | ip_dst_ipaddr | Octets (xxx.xxx.xxx.xxx) |
| Any field containing a source port | ip_src_port | Integer |
| Any field containing a destination port | ip_dst_port | Integer |
| Any field containing a protocol | protoprotocol | String as a protocol, all caps. So if protocol = 6, value should be TCP |
| Timestamp | tstimestamp | Epoch timestamp (timestamp comes from sensor, not parser) |
| Message Type | source.type | yaf|snort|bro|etc... |
| Timestamp | start_time | Epoch timestamp |
| Timestamp | end_time | Epoch timestamp |