Alert and Flow Status Definitions
| Alert Key | Alert Key String | Alert Name | Known Attacker | Known Victim | Flow Status Key |
|---|---|---|---|---|---|
| 1 | alert_flow_blacklisted | Blacklisted Flow | ✓ | ✓ | |
| 2 | alert_blacklisted_country | Blacklisted Country | ✓ | ✓ | |
| 3 | alert_flow_blocked | Flow blocked due to configured policies | |||
| 4 | alert_data_exfiltration | ICMP Data Exfiltration | ✓ | ||
| 5 | alert_device_protocol_not_allowed | Susp. Device Protocol | ✓ | ||
| 6 | alert_dns_data_exfiltration | Too many packets exchanged in this flow | ✓ | ||
| 7 | alert_dns_invalid_query | Invalid DNS query | ✓ | ||
| 8 | alert_elephant_flow | Elephant Flow | |||
| 9 | alert_blacklisted_client_contact | Blacklisted Client Contact | ✓ | ✓ | |
| 10 | alert_external | External Alert | |||
| 11 | alert_longlived | Long-Lived Flow | |||
| 12 | alert_flow_low_goodput | Low Goodput Ratio | |||
| 13 | alert_blacklisted_server_contact | Blacklisted Server Contact | ✓ | ✓ | |
| 14 | alert_internals | Not Purged | |||
| 15 | host_alert_scan_realtime | Scan (Realtime) | ✓ | ||
| 16 | alert_remote_to_remote | Remote to Remote Flow | |||
| 18 | host_alert_icmp_flood | ICMP Flood | ✓ | ||
| 19 | alert_packets_issues | TCP Packets Issues | |||
| 22 | alert_tls_certificate_expired | TLS Cert Expired | |||
| 23 | alert_tls_certificate_mismatch | TLS Cert Mismatch | |||
| 24 | alert_ndpi_tls_old_protocol_version | Obsolete TLS Version | |||
| 25 | alert_tls_unsafe_ciphers | Weak TLS Ciphers | |||
| 26 | alert_ndpi_unidirectional_traffic | Unidirectional Traffic | |||
| 27 | alert_web_mining | Web Mining | |||
| 28 | alert_tls_certificate_selfsigned | TLS Cert Self-signed | |||
| 29 | alert_binary_application_transfer | Binary App/.exe Transfer | ✓ | ✓ | |
| 30 | alert_known_proto_on_non_std_port | Known Proto on Non Std Port | ✓ | ||
| 31 | host_alert_scan | Scan | ✓ | ||
| 32 | alert_unexpected_dhcp_server | Unexpected DHCP server found | ✓ | ||
| 33 | alert_unexpected_dns_server | Unexpected DNS server | ✓ | ||
| 34 | alert_unexpected_smtp_server | Unexpected SMTP server found | ✓ | ||
| 35 | alert_unexpected_ntp_server | Unexpected NTP server found | ✓ | ||
| 36 | alert_zero_tcp_window | TCP Zero Window | |||
| 37 | alert_iec_invalid_transition | IEC Invalid Transition | |||
| 38 | alert_remote_to_local_insecure_flow | Remote to Local Insecure Flow | ✓ | ✓ | |
| 39 | alert_ndpi_url_possible_xss | Possible XSS | ✓ | ✓ | |
| 40 | alert_ndpi_url_possible_sql_injection | Possible SQL Inj | ✓ | ✓ | |
| 41 | alert_ndpi_url_possible_rce_injection | Possible RCE | ✓ | ✓ | |
| 42 | alert_ndpi_http_suspicious_user_agent | HTTP Susp. User-Agent | ✓ | ✓ | |
| 43 | alert_ndpi_numeric_ip_host | HTTP/TLS/QUIC Numeric Hostname/SNI | ✓ | ✓ | |
| 44 | alert_ndpi_http_suspicious_url | HTTP Susp. URL | ✓ | ✓ | |
| 45 | alert_ndpi_http_suspicious_header | HTTP Susp. Header | ✓ | ✓ | |
| 46 | alert_ndpi_tls_not_carrying_https | TLS (probably) Not Carrying HTTPS | |||
| 47 | alert_ndpi_suspicious_dga_domain | Susp. DGA Domain | ✓ | ||
| 48 | alert_ndpi_malformed_packet | Malformed packet | |||
| 49 | alert_ndpi_ssh_obsolete_server | SSH Obsolete Server Version/Cipher | |||
| 50 | alert_ndpi_smb_insecure_version | SMB Insecure Vers | |||
| 52 | alert_ndpi_unsafe_protocol | Unsafe Protocol | ✓ | ||
| 53 | alert_ndpi_dns_suspicious_traffic | Susp. DNS Traffic | ✓ | ✓ | |
| 54 | alert_ndpi_tls_missing_sni | Missing SNI TLS Extn | |||
| 55 | alert_iec_unexpected_type_id | IEC Unexpected TypeID | |||
| 56 | alert_flow_tcp_no_data_exchanged | TCP No Data Exchanged | |||
| 57 | alert_remote_access | Remote Access | |||
| 58 | alert_lateral_movement | Lateral Movement on Service Map | |||
| 59 | alert_periodicity_changed | Periodicity Changed | |||
| 60 | alert_ndpi_tls_cert_validity_too_long | Too Long TLS Cert Validity | |||
| 61 | alert_ndpi_ssh_obsolete_client | Obsolete SSH Client Version or Cipher | |||
| 62 | alert_ndpi_clear_text_credentials | Clear-Text Credentials | |||
| 63 | alert_ndpi_http_suspicious_content | HTTP Susp. Content | |||
| 64 | alert_ndpi_dns_large_packet | Large DNS Packet (512+ bytes) | |||
| 65 | alert_ndpi_dns_fragmented | Fragmented DNS Message | |||
| 66 | alert_ndpi_dns_invalid_characters | Invalid Characters | |||
| 67 | alert_broadcast_non_udp_traffic | Broadcast Non-UDP Traffic | ✓ | ||
| 68 | alert_ndpi_possible_exploit | Possible Exploit | |||
| 69 | alert_ndpi_tls_certificate_about_to_expire | TLS Cert About To Expire | |||
| 70 | alert_ndpi_punicody_idn | Punycode IDN | |||
| 71 | alert_ndpi_error_code | Error Code | |||
| 72 | alert_ndpi_http_crawler_bot | Crawler/Bot | |||
| 73 | alert_ndpi_suspicious_entropy | Susp. Entropy | ✓ | ✓ | |
| 74 | alert_iec_invalid_command_transition | IEC Invalid Command Transition | |||
| 75 | alert_tcp_connection_no_answer | No Answer | |||
| 76 | alert_ndpi_anonymous_subscriber | Anonymous Subscriber | |||
| 78 | alert_ndpi_desktop_or_file_sharing_session | Desktop/File Sharing | |||
| 79 | alert_ndpi_malicious_fingerprint | Malicious Fingerprint | |||
| 80 | alert_ndpi_malicious_sha1_certificate | Malicious SHA1 TLS Cert. | |||
| 81 | alert_ndpi_tls_uncommon_alpn | TLS Uncommon ALPN | |||
| 82 | alert_ndpi_tls_suspicious_extension | TLS Susp. Extension | |||
| 83 | alert_ndpi_tls_fatal_alert | TLS Fatal Alert | |||
| 84 | alert_ndpi_http_obsolete_server | HTTP Obsolete Server | |||
| 85 | alert_ndpi_risky_asn | Risky ASN | |||
| 86 | alert_ndpi_risky_domain | Risky Domain | |||
| 87 | alert_custom_lua_script | Custom Script | |||
| 88 | alert_ndpi_periodic_flow | Periodic Flow | |||
| 89 | ndpi_minor_issues | Minor Issues | |||
| 90 | ndpi_tcp_issues | TCP Connection Issues | |||
| 91 | alert_vlan_bidirectional_traffic | VLAN Bidirectional Traffic | |||
| 92 | alert_rare_destination | Rare Destination | |||
| 93 | alert_modbus_unexpected_function_code | ModbusTCP Invalid Function Code | |||
| 94 | alert_modbus_too_many_exceptions | ModbusTCP Too Many Exceptions | |||
| 95 | alert_modbus_invalid_transition | ModbusTCP Invalid Transition | |||
| 96 | alert_ndpi_unresolved_hostname | Unresolved DNS hostname | ✓ | ||
| 97 | ndpi_tls_alpn_sni_mismatch | ALPN/SNI Mismatch | |||
| 98 | alert_ndpi_malware_host_contacted | Malware Host Contacted | |||
| 99 | ndpi_binary_data_transfer | Binary File/Data Transfer (Attempt) | |||
| 100 | alert_tcp_flow_reset | TCP Flow Reset | |||
| 101 | ndpi_probing_attempt | Probing Attempt | |||
| 102 | alert_access_control_list | ACL Violation (ICMP/TCP/UDP) | |||
| 103 | alert_host_policy | Host Policy | |||
| 104 | alert_qoe_degraded | QoE Issues | |||
| 105 | ndpi_obfuscated_traffic | Obfuscated Traffic | |||
| 106 | alert_nedge_policy_violation | Policy Violation | |||
| 107 | alert_ndpi_mismatching_protocol_with_ip | Mismatching protocol with IP address | ✓ | ||
| 4099 | alert_dropped_alerts | Dropped Alerts | |||
| 4100 | alert_gateway_unreachable | Gateway Unreachable | |||
| 4102 | alert_ghost_network | Ghost Networks | |||
| 4103 | alert_no_exporter_activity | No Exporter Activity | |||
| 4104 | alert_host_pool_disconnection | Host Pool Disconnection | |||
| 4106 | alert_influxdb_error | InfluxDB Error | |||
| 4107 | alert_influxdb_export_failure | InfluxDB Export Failure | |||
| 4109 | alert_ip_outsite_dhcp_range | Misconfigured DHCP Range | |||
| 4110 | alert_list_download_failed | List Download Failed | |||
| 4111 | alert_login_failed | Login Failed | |||
| 4112 | alert_mac_ip_association_change | IP/MAC Reassoc/Spoofing | |||
| 4114 | alert_misconfigured_app | Misconfigured App | |||
| 4115 | alert_cloud_disconnected | Cloud Disconnection | |||
| 4116 | alert_nfq_flushed | Packets Queue Flushed | |||
| 4117 | alert_cloud_reconnected | Cloud Reconnected | |||
| 4118 | alert_periodic_activity_not_executed | Periodic Activity Not Executed | |||
| 4119 | alert_am_threshold_cross | Active Monitoring | |||
| 4120 | alert_port_duplexstatus_change | Duplex Status Change | |||
| 4121 | alert_port_errors | High Interface Discards/Errors | |||
| 4122 | alert_no_probe_activity | No Probe Activity | |||
| 4123 | alert_port_mac_changed | MAC Port Changed | |||
| 4124 | alert_port_status_change | Oper. Status Change | |||
| 4125 | alert_process_notification | Process | |||
| 4126 | alert_quota_exceeded | Quota Exceeded | |||
| 4128 | alert_slow_periodic_activity | Slow Periodic Activity | |||
| 4130 | alert_snmp_device_reset | SNMP Device Restart | |||
| 4131 | alert_snmp_topology_changed | LLDP/CDP Topology changed | |||
| 4132 | alert_snmp_trap | SNMP Trap | |||
| 4136 | alert_threshold_cross | Threshold Cross | |||
| 4137 | alert_too_many_drops | Packet Drops | |||
| 4139 | alert_user_activity | User Activity | |||
| 4142 | alert_attack_mitigation_via_snmp | Attack Mitigation via SNMP | |||
| 4145 | alert_list_download_succeeded | List Download Succeeded | |||
| 4146 | alert_no_if_activity | No Traffic Activity | |||
| 4147 | alert_device_connection_disconnection | Unexpected MAC Conn./Disc. | |||
| 4148 | alert_shell_script_executed | Endpoint Shell Script Executed | |||
| 4151 | alert_fail2ban_executed | Fail2Ban command executed | |||
| 4153 | alert_flow_flood_victim | Flows Flood Victim | ✓ | ||
| 4157 | alert_tcp_syn_scan_victim | TCP SYN Scan Victim | ✓ | ||
| 4159 | alert_contacts_anomaly | Unexpected Host Contacts Behaviour | |||
| 4164 | alert_broadcast_domain_too_large | Broadcast Domain Too Large | |||
| 4165 | alert_ngi_trust_event | NGI Trust Event | |||
| 4168 | alert_ids_ips_jail_add | Jailed Host Added | |||
| 4169 | alert_ids_ips_jail_remove | Jailed Host Removed | |||
| 4170 | alert_port_too_many_macs | Many MACs on Non-Trunk | |||
| 4171 | alert_network_discovery_executed | Network Discovery | |||
| 4172 | alert_port_mac_appeared | MAC Appeared | |||
| 4173 | alert_port_mac_disappeared | MAC Disappeared | |||
| 4174 | alert_network_score_per_host | Network Score Per Host | |||
| 4175 | alert_dhcp_storm | DHCP Storm | |||
| 4176 | alert_snmp_interface_errors | SNMP High Error Counter | |||
| 4177 | alert_snmp_device_traffic_change | Traffic Change Detected | |||
| 4178 | alert_local_host_blacklisted | Local Host Blacklisted | |||
| 4179 | alert_network_issues | Network issues | |||
| 4180 | alert_network_rule_threshold_cross | Threshold Crossed | |||
| 4181 | alert_snmp_interface_threshold_crossed | Threshold Crossed | |||
| 4182 | alert_score_behavior_anomaly | Unexpected Score Behavior | |||
| 4183 | alert_traffic_behavior_anomaly | Unexpected Traffic Behavior | |||
| 4184 | alert_vulnerability_scan | Active Scan | |||
| 4185 | alert_host_pool_rule_threshold_crossed | Threshold Crossed | |||
| 4186 | alert_cidr_rule_threshold_crossed | Threshold Crossed | |||
| 4187 | alert_system_error | System Error | |||
| 4189 | alert_vlan_rule_threshold_crossed | Threshold Crossed | |||
| 4190 | alert_profile_rule_threshold_crossed | Threshold Crossed | |||
| 4191 | alert_snmp_device_polling_error | SNMP Polling Error | |||
| 4192 | alert_exporters_limit_exceeded | Exporters Limit Exceeded | |||
| 4193 | alert_acl_violation_arp | ACL Violation (ARP) | |||
| 4194 | alert_redis_reads_writes_exceeded | Redis Reads Writes Exceeded | |||
| 4195 | alert_asn_rule_threshold_crossed | Threshold Crossed | |||
| 4196 | alert_as_ranking_changed | AS Exporter Ranking Changed | |||