IPS Log Formats

IPS logs show traffic, events, and possible threats detected by Umbrella's Intrusion Prevention System.

Table of Contents


"2022-04-12 16:14:09","Firewall Tunnel Name","Network Tunnels","1","16606","SERVER-ORACLE BEA WebLogic Server Plug-ins Certificate overflow attempt","1323","HIGH","Attempted User Privilege Gain","cve-2009-1016","TCP","12345","","33010","","443","Would Block","IDS","3658","S2C","245","PROFILE","us-west-2"

The example entry is 281 bytes. To estimate the size of your S3 Logs, see Estimate the Size of Your Logs.

Order of Fields in the IPS Log

<timestamp><identities><identity types><generator id><signature id><signature message><signature list id><severity><attach classification><CVEs><IP protocol><session ID><source IP><source port><destination IP><destination port><action><operation mode><policy resource ID><direction><firewall rule ID><IPS config type><AWS region>

  • Timestamp—When this request was made in UTC.
  • Identities—All tunnel identities associated with this request.
  • Identity Types—The type of identity associated with this request.
  • Generator ID—Unique ID assigned to the part of the IPS which generated the event.
  • Signature ID—Used to uniquely identify signatures.
  • Signature Message—A brief description of the signature.
  • Signature List ID—Unique ID assigned to a Default or Custom Signature List.
  • Severity—The severity level of the rule, such as High, Medium, Low, and Very Low.
  • Attack Classification—The category of attack detected by a rule that is part of a more general type of attack class, such as trojan-activity, attempted-user, and unknown.
  • CVEs—A list of information about security vulnerabilities and exposures.
  • IP Protocol—The actual protocol of the traffic, such as TCP, UDP, ICMP.
  • Session ID—The unique identifier of a session, which is used to group the correlated events between various services.
  • Source IP—The IP of the computer making the request.
  • Source Port—The port the request was made on.
  • Destination IP—The destination IP requested.
  • Destination Port—The destination port the request was made on.
  • Action—The action performed when criteria meets a rule, such as block, warn, and would_block.
  • Operation Mode— The mode of operation chosen when enabling IPS (detection or prevention). Possibilities: IDS, IPS, UNKNOWN (v9).
  • Policy Resource ID—The ID identifies the IPS policy resource (ex. Signature List). (v9)
  • Direction—Direction of the packet that matched the signature. Possibilities: S2C, C2S, UNKNOWN. (v9)
  • Firewall Rule ID—The rule ID matching the firewall session. (v9)
  • IPS Config Type—Possibilities: CONFIG, PROFILE, UNKNOWN. (v9)
  • AWS Region—AWS region from where the log was sent. (v9)

DNS log Formats < IPS Log Formats > Web Log Formats