45. Appendix 4 – Attributes & Tokens

The columns from the tables listed below contain the following data:

● Attribute is the left operand used in Response preconditions. In older Wanguard versions the term used was “Conditional Parameter”

● Token is a placeholder that can be used as parameter or script argument in most Response actions because, at run-time, the software translates it into the requested value. Each token is defined within curly brackets. In older Wanguard versions the term used was “dynamic parameters”

● Data Type shows the returned value type and which comparison operators are accepted by the Attribute:

• String returns a variable-length string. It accepts the comparison operators:

▪ equal to - it implies a perfect match without any differences. E.g. if the Attribute is “apple” and the Value is also “apple”, then equal to is true

▪ not equal to - it implies any difference qualifies for this condition to be true. E.g. if the Attribute is “apple” and the Value is “orange”, then not equal to is true

▪ includes - the “Value” can be a part or a segment of the “Attribute”. E.g. if the Attribute is “apple pie” and the Value is “apple”, then includes is true because “apple pie” contains “apple”

▪ included in - is true if the “Value” contains the “Attribute” as a substring. This is the inverse relationship of includes. E.g. if the Attribute is “apple” and the Value is “apple pie”, then included in is true because “apple” is part of the larger string “apple pie”

▪ excludes - is true if the “Attribute” does not contain the “Value” as a substring. This indicates the absence of the “Value” within the “Attribute”. E.g. if the Attribute is “apple pie” and the Value is “cherry”, then excludes is true because “apple pie” does not contain “cherry”

▪ excluded from - is true if the “Value” does not contain the “Attribute” as a substring. This is the opposite of included in. E.g. if the Attribute is “cherry” and the Value is “apple pie”, then excluded from is true because “cherry” is not part of “apple pie”

▪ regexp - is true when the “Attribute” matches the regular expression from “Value”. E.g. when “Value” is “[A-Z]”, the precondition is true only when the “Attribute” contains an upper-case letter

• Integer returns a 64-bit unsigned integer number. It accepts the comparison operators:

▪ equal to - is true when “Attribute” and “Value” are identical

▪ not equal to - is true when “Attribute” and “Value” are not identical

▪ greater than - is true when “Attribute” is larger than “Value”

▪ less than - is true when “Attribute” is smaller than “Value”

▪ divisible by - is true when “Attribute” can be divided by “Value” without leaving a remainder

• Integer* accepts the same comparison operators as Integer. The values can be returned in multiples of 1,000 by appending “_kilo” to the token name. The same goes for 1,000,000 by appending “_mega” and for 1,000,000,000 by appending “_giga”. To return the value and the biggest multiplier (k, M, G) for the value, append “_prefix”. To also return the decoder before the biggest multiplier (k, M, G) value, append “_decoder_prefix”

• Float returns an unsigned floating point number when the comparison operator is greater than or less than, or an unsigned integer when the comparison operator is equal to, not equal to or divisible by

• Prefix returns a string containing a subnet or IP. It accepts the comparison operators equal to, not equal to, includes, included in, excludes and excluded from. The inclusion/exclusion operators compare prefixes, not strings

● Description provides a short explanation of the parameter

45.1. Anomaly-Related Tokens

#	Attribute	Token	Data Type	Description
1	Anomaly #	{anomaly_id}	Integer	Returns a unique identification number of the anomaly
2	Prefix	{prefix}	Prefix	Returns the prefix of the anomaly, which is the victim IP/CIDR mask for inbound anomalies, or the source IP/CIDR mask for outbound anomalies. The CIDR mask is omitted for hosts (when CIDR is 32 for IPv4 or 128 for IPv6)
3	IP Address	{ip}	Prefix	Returns the IP of {prefix}, without the CIDR mask
4	IP Version	{ip_version}	Prefix	Returns the IP version of {prefix}, either 4 or 6
		{ip_dns}	String	Returns the reverse DNS of {ip}. If the DNS lookup does not return a valid DNS PTR record then it returns {ip}
5	IP AS Number	{ip_asn}	Integer	Returns the AS Number of {ip}. If the GeoIP database does not provide an AS number, it returns 0
6	CIDR	{cidr}	Integer	Returns the CIDR mask of {prefix}
7	IP Group	{ip_group}	String	Returns the IP Group of {prefix}
8	Anomaly	{anomaly}	String	Returns a description of the anomaly. By default it describes the threshold rule that triggered the anomaly
9	Anomaly Classification	{classification}	String	Returns the clasification of the anomaly by Console users: Unclassified, False Positive, Possible Attack, Trivial Attack, Verified Attack or Crippling Attack
10	Anomaly Comment	{comment}	String	Returns the user-submitted comment about the anomaly, if it exists
11	Direction	{direction}	String	Returns the direction of the traffic that triggered the anomaly: incoming or outgoing
		{Direction}	String	Returns {direction} but with an upper first letter
		{direction_to_from}	String	Returns to for inbound anomalies and from for outbound anomalies
		{direction_receives_sends}	String	Returns receives for inbound anomalies and sends for outbound anomalies
12	Domain	{domain}	String	Returns the corresponding Domain from the threshold. It is internal IP when CIDR mask is 32 for IPv4 or 128 for IPv6, subnet in other cases, or external IP for similar thresholds set on 0.0.0.0/0
		{Domain}	String	Returns {domain} but with an upper first letter
13	Anomaly Class	{class}	String	Returns threshold for threshold-based anomalies and profile for profiling-based anomalies
14	Threshold Type	{threshold_type}	String	Returns the threshold value type, which can be either absolute or percentage
15	Anomaly Decoder (Protocol)	{decoder}	String	Returns the decoder used to detect the anomaly
16	Comparison	{operation}	String	Returns the comparison function used by the threshold rule: over or under
		{comparison}	String	Returns > when {operation} is over, and < when {operation} is under
17	Unit	{unit}	String	Returns the measurement unit of the threshold rule: pkts/s or bits/s
18	Threshold Value	{rule_value}	Integer*	Returns the traffic value configured as threshold
19	Computed Threshold	{computed_threshold}	Integer*	Returns a threshold value dynamically adjusted for profiling-based and percentage-based anomalies
20	Sensor	{sensor}	String	Returns the name of the Sensor that detected the anomaly. For SNMP Sensor and Flow Sensor the format is Sensor Name [Interface Name]
21	Sensor Name	{sensor_name}	String	Returns the name of the Sensor that detected the anomaly. For SNMP Sensor and Flow Sensor it does not return the Interface Name
22	Sensor Group	{sensor_group}	String	Returns the Device Group selected in the Sensor configuration
23	Sensor IP	{sensor_ip}	Prefix	Returns the IP address of the server running the Sensor
24	Sensor Type	{sensor_type}	String	Returns the type of Sensor: Packet Sensor, Flow Sensor, SNMP Sensor or Sensor Cluster
25	Sensor ID	{sensor_id}	Integer	Returns the Server ID of server running the Sensor
26	Flow Exporter IP	{router_ip}	Prefix	Returns the IP address of the flow exporter. It is empty if the Sensor is not a Flow Sensor
27	IP Zone	{ipzone}	String	Returns the IP Zone used by the Sensor
28	IP Zone Prefix	{ipzone_prefix}	Prefix	Returns the most specific prefix that includes the {prefix}
29	IP Zone Parent Prefix	{ipzone_parent_prefix}	Prefix	Returns the parent of the most specific prefix that includes the {prefix}
30	Response	{response}	String	Returns the Response activated by the threshold rule
31	Response Actions	{response_actions}	String	Returns the list of actions executed by the Response. Contains only the actions that have the parameter Record Action checked
32	Threshold Template	{template}	String	Returns the Threshold Template that includes the threshold rule, if it exists
33	Expiration Delay	{expiration}	Integer	Returns the number of seconds of inactivity that must pass before the anomaly expires
34	Peak Packets/s	{anomaly_pps}	Integer*	Returns the highest packets/s rate observed for the anomaly
35	Peak Bits/s	{anomaly_bps}	Integer*	Returns the highest bits/s rate observed for the anomaly
36	Latest Packets/s	{latest_anomaly_pps}	Integer*	Returns the latest packets/s rate
37	Latest Bits/s	{latest_anomaly_bps}	Integer*	Returns the latest bits/s rate
38	Peak Value	{value}	Integer*	Returns the highest value of abnormal traffic, and also the {unit}
39	Latest Value	{latest_value}	Integer*	Returns the latest value of abnormal traffic, and also the {unit}
40	Sum Value	{sum_value}	Integer*	Returns the number of packets counted during the anomaly, when the {unit} is pkts/s. For bits/s thresholds it returns the number of bits counted during the anomaly
41	Peak Rule Severity	{severity}	Float	Returns the ratio between the peak abnormal traffic rate and the threshold value
42	Latest Rule Severity	{latest_severity}	Integer	Returns the ratio between the latest abnormal traffic rate and the threshold value
43	Peak Link Severity	{link_severity}	Integer	Returns the ratio between the peak abnormal traffic rate and the interface’s traffic rate
44	Latest Link Severity	{latest_link_severity}	Integer	Returns the ratio between the latest abnormal traffic rate and the interface’s traffic rate
45	Latest Link Utilization	{latest_link_utilization}	Integer	Returns the percentage between the latest traffic rate reported by the IP decoder for the whole interface, and the interface Speed In/Out value configured in the Sensor configuration
46	Captured Packets	{captured_pkts}	Integer	Returns the number of packets captured successfully, if the Response contains an action for capturing packets
47	BGP Log Size	{bgplog_bytes}	Integer	Returns the size of the BGP announcement log which is non-zero only when a BGP routing update was triggered for the anomaly
48	Unique Tokens	N/A	String	This is used to prevent the execution of a Response action when there are other active anomalies that share the same user-defined criteria, expressed as a list of tokens. For example, if the Comparison is “equal to” and the Value “{ip} {decoder}” then the action will be executed only when there isn’t any other active anomaly to/from the same IP and the same decoder
49	Custom Script Return Value	N/A	Integer	This Conditional Parameter allows execution only when the script entered in the Value field returns status 0 after its execution. You can pass tokens as arguments for the script. Comparison must be set to equal to. It is important for the script to finish quickly, because it blocks the originating process
		{anomaly_log_10}, {anomaly_log_50}, {anomaly_log_100}, {anomaly_log_500}, {anomaly_log_1000}	String	Returns the first 10/50/100/500/1000 packets (if a packet capturing action is enabled in the Response) or flows (if Flow Collector is enabled) with the anomalous traffic
		{attacked_isp}	String	Returns the abuse mailbox or the contact email of the victim’s ISP if it can be extracted from the whois database
		{software_version}	String	Returns the Wanguard version
		{json_anomaly_tokens}	String	Returns a JSON string with all the other anomaly-related tokens and also with a list of filtering rules detected for the anomaly. If the token ends with ‘_brief’, only the most important tokens are included and the filtering rules will not be included. If the token ends with ‘_pretty’, the JSON string will be returned with each token separated by new line

45.2. Time-Related Tokens

#	Attribute	Token	Data Type	Description
50	From (ISO 8601)	{from}	String	Returns the start time of the anomaly, in iso8601 format (YYYY-MM-DD HH:MM:SS)
51	From (unixtime)	{from_unixtime}	Integer	Returns the start time of the anomaly, in unixtime format (number of seconds since Jan 1st 1970)
52	From (minute)	{from_minute}	Integer	Returns the start minute of the anomaly
53	From (hour)	{from_hour}	Integer	Returns the start hour of the anomaly
54	From (day)	{from_day}	Integer	Returns the start day of the anomaly
55	From (dow)	{from_dow}	Integer	Returns the start day-of-the-week of the anomaly
56	From (month)	{from_month}	Integer	Returns the start month of the anomaly
57	From (year)	{from_year}	Integer	Returns the start year of the anomaly
58	Until (ISO 8601)	{until}	String	Returns the stop/expiration time of the anomaly, in iso8601 format (YYYY-MM-DD HH:MM:SS)
59	Until (unixtime)	{until_unixtime}	Integer	Returns the stop/expiration time of the anomaly, in unixtime format (number of seconds since Jan 1st 1970)
60	Until (minute)	{until_minute}	Integer	Returns the stop/expiration minute of the anomaly
61	Until (hour)	{until_hour}	Integer	Returns the stop/expiration hour of the anomaly
62	Until (day)	{until_day}	Integer	Returns the stop/expiration day of the anomaly
63	Until (dow)	{until_dow}	Integer	Returns the stop/expiration day-of-the-week of the anomaly
64	Until (month)	{until_month}	Integer	Returns the stop/expiration month of the anomaly
65	Until (year)	{until_year}	Integer	Returns the stop/expiration year of the anomaly
66	Duration	{duration}	Integer	Returns the duration of the anomaly, expressed in seconds
		{duration_clock}	String	Returns a text string describing the duration of the anomaly. Example: <5sec, 5h 4h 3s
		{duration_clock_full}	String	Returns a text string describing the duration of the anomaly. Example: <5 seconds, 5 hours 4 minutes 3 seconds
67	Internal Ticks	{tick}	Integer	Returns the internal tick of the Sensor. By default, Packet Sensor increases the tick value once every 5 seconds. Flow Sensor increases the tick value once every X seconds, where X is the value of the Granularity parameter

45.3. IP Decoder-Related Tokens

#	Attribute	Token	Data Type	Description
68	Peak IP Pkts/s	{total_pps}	Integer*	Returns the peak packets/s rate for {prefix} and the IP decoder
69	Peak IP Bits/s	{total_bps}	Integer*	Returns the peak bits/s rate for {prefix} and the IP decoder
70	Latest IP Pkts/s	{latest_total_pps}	Integer*	Returns the latest packets/s rate for {prefix} and the IP decoder
71	Latest IP Bits/s	{latest_total_bps}	Integer*	Returns the latest bits/s rate for {prefix} and the IP decoder
72	IP Packets	{sum_total_pkts}	Integer*	Returns the number of packets counted during the anomaly for the IP decoder
73	IP Bits	{sum_total_bits}	Integer*	Returns the number of bits counted during the anomaly for the IP decoder

45.4. Filter-Related Tokens

#	Attribute	Token	Data Type	Description
74	Number of Filters	{filters}	Integer	Returns the number of Filter instances activated for the anomaly
75	Filters Pkts/s	{filters_pps}	Integer*	Returns the most recent packets/s rate recorded by the Filter instance(s)
76	Filters Bits/s	{filters_bps}	Integer*	Returns the most recent bits/s rate recorded by the Filter instance(s)
77	Filters Peak Pkts/s	{filters_max_pps}	Integer*	Returns the peak packets/s rate recorded by the Filter instance(s)
78	Filters Peak Bits/s	{filters_max_bps}	Integer*	Returns the peak bits/s rate recorded by the Filter instance(s)
79	Filtered Packets	{filters_filtered_packets}	Integer*	Returns the number of packets blocked by the Filter instance(s)
80	Filtered Bits	{filters_filtered_bits}	Integer*	Returns the number of bits blocked by the Filter instance(s)
81	Filters CPU Usage	{filters_max_cpu_usage}	Integer	Returns the maximum CPU% used by the Filter instance(s)
82	Filters IPs (Ext.)	{filters_ips}	Integer	Returns the number of external IPs detected by the Filter instance(s) in the last 5 seconds
83	Number of Filtering Rules	{filtering_rules}	Integer	Returns the number of filtering rules detected by the Filter instance(s)

45.5. Filtering Rule-Related Tokens

#	Attribute	Token	Data Type	Description
84	Filtering Rule #	{filtering_rule_id}	Integer	Returns a unique ID of the filtering rule
85	Filtering Rule Type	{filtering_rule_type}	String	Returns the type of the filtering rule. The possible values are listed in Anomaly Mitigation
86	Filtering Rule Value	{filtering_rule_value}	String	Returns the value of the filtering rule: specific IP, port number, protocol number, etc.
		{filtering_rule_ip_dns}	String	Returns the reverse DNS of the IP, when {filtering_rule_type} is IP Address
87	Filtering Rule ISP	{filtering_rule_ip_isp}	String	Returns the corresponding organization or Internet Service Provider of the IP, when {filtering_rule_type} is IP Address
88	Filtering Rule ASN	{filtering_rule_ip_asn}	Integer	Returns the AS number from a GeoIP database for the IP, when {filtering_rule_type} is IP Address
		{attacker_isp}	String	Returns the email address of {filtering_rule_ip_isp}, if it is defined and if the information can be extracted from the whois database
89	Filtering Rule Country	{filtering_rule_ip_country}	String	Returns the country of the IP, when {filtering_rule_type} is IP Address
90	Filtering Rule Pkts/s	{filtering_rule_pps}	Integer*	Returns the latest packet/s rate for the traffic matched by the filtering rule
91	Filtering Rule Bits/s	{filtering_rule_bps}	Integer*	Returns the latest bits/s throughput for the traffic matched by the filtering rule
92	Filtering Rule Peak Pkts/s	{filtering_rule_max_pps}	Integer*	Returns the peak packet/s rate for the traffic matched by the filtering rule
93	Filtering Rule Peak Bits/s	{filtering_rule_max_bps}	Integer*	Returns the peak bits/s throughput for the traffic matched by the filtering rule
94	Filtering Rule Unit/s	{filtering_rule_unit}	Integer*	Returns {filtering_rule_pps} for packets/s thresholds and {filtering_rule_bps} for bits/s thresholds
95	Filtering Rule Peak Unit/s	{filtering_rule_max_unit}	Integer*	Returns {filtering_rule_max_pps} or {filtering_rule_max_bps}, depending on the unit of the threshold
96	Filtering Rule Packets	{filtering_rule_packets}	Integer*	Returns the number of packets matched by the filtering rule
97	Filtering Rule Bits	{filtering_rule_bits}	Integer*	Returns the number of bits matched by the filtering rule
98	Filtering Rule Time Interval	{filtering_rule_difftime}	Integer	Returns the duration while the filtering rule was detected
99	Filtering Rule Severity	{filtering_rule_severity}	Integer	Returns the ratio between the traffic matched by the filtering rule and the threshold value
100	Filtering Rule Whitelist	{filtering_rule_whitelisted}	Integer	Returns 1 when the filtering rule is whitelisted, or 0 otherwise
101	Filtering Rule Traffic Sample Size	{filtering_rule_log_size}	Integer*	Returns the packet dump size in bytes, if a packet capturing action is enabled in the Response for the filtering rule
102	Filtering Rule Scrubbed %	{firewall_drop_percent}	Integer	Returns the percentage of scrubbed traffic by a firewall
103	Netfilter Firewalled	{netfilter_firewalled}	Integer	Returns 1 when the filtering rule is applied on the Netfilter firewall, or 0 otherwise
104	Flowspec Firewalled	{flowspec_firewalled}	Integer	Returns 1 when the filtering rule is applied in BGP Flowspec, or 0 otherwise
105	Hardware Offloaded	{hardware_firewalled}	Integer	Returns 1 when the filtering rule is applied on a NIC hardware filter, or 0 otherwise
106	Custom Firewalled	{custom_firewalled}	Integer	Returns 1 when the filtering rule is applied on a custom firewall, or 0 otherwise
107	Dataplane Firewalled	{dataplane_firewalled}	Integer	Returns 1 when the filtering rule is applied on a Dataplane Firewall, or 0 otherwise
108	Filter	{filter}	String	Returns the name of the Filter that detected the filtering rule
109	Filter Group	{filter_group}	String	Returns the Device Group selected in the Filter configuration
110	Filter Type	{filter_type}	String	Returns the type of the Filter: Packet Filter, Flow Filter or Filter Cluster
111	Filter ID	{filter_id}	Integer	Returns a unique ID of the Filter that detected the filtering rule
		{filtering_rule_first_time}	String	Returns the first time (in iso8601 format) when the filtering rule was detected
		{filtering_rule_first_unixtime}	Integer	Returns the first time (in unixtime format) when the filtering rule was detected
		{filtering_rule_last_time}	String	Returns the last time (in iso8601 format) when the filtering rule was detected
		{filtering_rule_last_unixtime}	Integer	Returns the last time (in unixtime format) when the filtering rule was detected
		{filtering_rule_log_10}, {filtering_rule_log_50}, {filtering_rule_log_100}, {filtering_rule_log_500}, {filtering_rule_log_1000}	String	Returns the first 10/50/100/500/1000 packets with the traffic matched by the filtering rule, if a packet capturing action is enabled in the Response for the filtering rule
		{json_filtering_rule_tokens}	String	Returns a JSON string with all the other filtering rule-related tokens. If the token name ends with ‘_pretty’, the JSON string will be returned with each token separated by new line

45.6. System-Wide Tokens

Attribute	Token	Data Type	Description
Anomalies (all Sensors, Decoders, Prefixes)	{anomalies}	Integer	Returns the total number of active anomalies from any Sensor, Decoder (incl. Unit) or Prefix
Anomalies (same Sensor)	{anomalies_sensor}	Integer	Returns the total number active anomalies from the same Sensor
Anomalies (same Decoder)	{anomalies_decoder}	Integer	Returns the total number active anomalies from the same Decoder and Unit (pkts/s or bits/s)
Anomalies (same Sensor, Decoder)	{anomalies_sensor_decoder}	Integer	Returns the total number active anomalies from the same Sensor and Decoder and Unit (pkts/s or bits/s)
Anomalies (same Sensor, Decoder, Prefix/X)	{anomalies_sensor_decoder_cidr_X}	Integer	Returns the total number active anomalies from the same Sensor, Decoder, Unit (pkts/s or bits/s) and Prefix/X, where X can be any CIDR mask