Generating SQL query texts for Network Anomaly Detection rules

You can manually generate the texts of SQL queries when creating or modifying Network Anomaly Detection rules. Queries are intended for searching, extracting, and analyzing the attributes of protocols received in registered network sessions. Protocol attributes are stored in a separate database on the Kaspersky Industrial CyberSecurity for Networks Server. To access this database, you need to generate queries in the Structured Query Language (SQL), which is supported by the ClickHouse DBMS. For information about the supported queries that are used to perform actions for data extraction and analysis, see ClickHouse Help.

You are advised to use one of the built-in rule templates as the starting point for the SQL query text. You can select a template when creating a rule; choose the template whose purpose is closest to the task you want to perform. After selecting a built-in template, to edit its SQL query text you need to click the Unlock all template values button.

When you enter SQL query strings in the window, lists of suitable functions, operators, and settings are automatically displayed. You can select the items that you need from these lists for quick insertion into the text of an SQL query.

Main functions and operators used in SQL queries for Network Anomaly Detection rules

Function

Description

SELECT

Contains an enumeration of the fields in the table containing information about network sessions. The listed fields are accessed based on an SQL query. The results of the selection from the query are used in part or in full to create a temporary table containing data for event enrollment. The fields of the temporary table are filled with values via an alias assignment mechanism. Aggregation functions (such as sum) and arithmetic operators (such as +) are supported.

See the lists of table fields below.

FROM

Specifies the source of the data. The source can be specified as one of the following views, which are provided for queries to the table containing information about network sessions in the database used to store protocol attributes:

  • {{sessions}} to extract data while filtering based on a certain time interval.
  • {{sessions_symmetric}} is an extended variant of the {{sessions}} view, which adds symmetric network sessions (with the opposite direction of Source–Destination).

WHERE

Contains conditions for filtering data received from the source. A filter expression can contain comparison operations, logical operators, and the special function PARAM_EQ.

The PARAM_EQ function lets you compare a value from the table with a variable defined in a rule. If a dictionary is selected for substituting variable values, the PARAM_EQ function must be specified in the SQL query.

The general syntax for using the PARAM_EQ function is as follows:

PARAM_EQ(column_value, {{param_name:param_type}})

where:

  • column_value is the field or expression to be compared.
  • {{param_name:param_type}} refers to the variable and its type as defined in the rule for the SQL query.

GROUP BY

Switches the query to aggregation mode and specifies the list of fields or aliases by which you need to group the returned data.

HAVING

Contains conditions for filtering the results obtained using the GROUP BY operator.

ORDER BY

Contains a list for sorting the returned data. For list items, you can specify modifiers that determine the sorting direction:

  • DESC sorts in descending order.
  • ASC sorts in ascending order.
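The following query puts the clauses from the table above together in one working rule query, including the PARAM_EQ variable lookup and the {{param_name:param_type}} variable syntax. It is an added example, not a query from the Kaspersky Industrial CyberSecurity for Networks documentation or one of its built-in templates. The field names src_ip, dst_ip, dst_port, proto and bytes_total are hypothetical placeholders (this page does not list the real table fields), the aliases on the right of AS are chosen freely, and the parameter types String, UInt16 and UInt32 are assumed to be accepted ClickHouse type names.

```sql
-- Added example, not from the product documentation.
-- Placeholders: src_ip, dst_ip, dst_port, proto, bytes_total are hypothetical
-- column names; replace them with the fields of the network-sessions table
-- listed for your installation. Alias names fill the event-enrollment table.
SELECT
    src_ip            AS source_address,       -- alias -> event field
    dst_ip            AS destination_address,
    proto             AS protocol_name,
    count()           AS session_count,        -- aggregation function
    sum(bytes_total)  AS bytes_sum             -- aggregation function
FROM {{sessions}}                              -- or {{sessions_symmetric}} to
                                               -- also match the reverse direction
WHERE PARAM_EQ(proto, {{protocol_name:String}})  -- variable, may be dictionary-backed
  AND dst_port = {{port:UInt16}}                 -- typed variable
GROUP BY src_ip, dst_ip, proto                   -- aggregation mode
HAVING session_count >= {{min_sessions:UInt32}}  -- filter on aggregated result
ORDER BY bytes_sum DESC                          -- largest talkers first
```

The query uses three variables (protocol_name, port, min_sessions), well inside the limit of 30; each of them appears in the Utilized variables block under the query text, where you assign a value or a dictionary. PARAM_EQ must be used for protocol_name if a dictionary is selected for it, while port and min_sessions can be compared with ordinary operators. Because the table stores 15-second chunks, the GROUP BY aggregates within the chunks the view returns for the rule's time interval, so session_count reflects that interval rather than a full-history count.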

Fields of the table containing information about network sessions

In the database for storing the attributes of protocols, the table containing information about network sessions contains rows with data blocks (chunks) that were received during 15-second intervals. Each registered network session is presented in the table as separate data blocks, and calls in SQL queries must be made within these data blocks.

The table containing information about network sessions contains the following fields that can be called in SQL queries:

Fields of the table containing data for event enrollment

The table containing data for event enrollment may contain the following fields, which are filled with values via the alias assignment mechanism in an SQL query:

Protocol names in the table containing information about network sessions

Path in the protocol stack tree | Protocol name in the table
--- | ---
Ethernet I | EthernetI
Ethernet I \ LLC \ Cisco Discovery Protocol (CDP) | Cdp
Ethernet I \ LLC \ Emerson Ovation: interactions over LLC | Emerson_Ovation_OverLlc
Ethernet I \ LLC \ Foxboro FCP280/FCP270: device interaction | FoxboroHps
Ethernet I \ LLC \ HiDiscovery | HiDiscovery
Ethernet I \ LLC \ IS-IS over Ethernet I | IsIsOverEthernetI
Ethernet I \ LLC \ ISO 8073 \ Siemens S7comm | SiemensIndustrialEthernet
Ethernet I \ LLC \ VNIIA | Vniia
Ethernet II | EthernetII
Ethernet II \ ARP | ARP
Ethernet II \ IEC 61850: GOOSE | IEC61850_GOOSE
Ethernet II \ IEC 61850: Sampled Values | SAMPLED_VALUES
Ethernet II \ IP | IPv4
Ethernet II \ IP \ 3PC | ip34
Ethernet II \ IP \ Active Networks | ip107
Ethernet II \ IP \ ARIS | ip104
Ethernet II \ IP \ AX.25 | ip93
Ethernet II \ IP \ BBN RCC Monitoring | ip10
Ethernet II \ IP \ BNA | ip49
Ethernet II \ IP \ BR-SAT-MON | ip76
Ethernet II \ IP \ CBT | ip7
Ethernet II \ IP \ CFTP | ip62
Ethernet II \ IP \ CHAOS | ip16
Ethernet II \ IP \ Compaq-Peer | ip110
Ethernet II \ IP \ CPHB | ip73
Ethernet II \ IP \ CPNX | ip72
Ethernet II \ IP \ CRTP | ip126
Ethernet II \ IP \ CRUDP | ip127
Ethernet II \ IP \ DCCP | ip33
Ethernet II \ IP \ DCN-MEAS | ip19
Ethernet II \ IP \ DDP | ip37
Ethernet II \ IP \ DDX | ip116
Ethernet II \ IP \ DGP | ip86
Ethernet II \ IP \ DSR | ip48
Ethernet II \ IP \ EGP | ip8
Ethernet II \ IP \ EIGRP | EIGRP
Ethernet II \ IP \ EMCON | ip14
Ethernet II \ IP \ ETHERIP | ip97
Ethernet II \ IP \ FCIP | ip133
Ethernet II \ IP \ FIRE | ip125
Ethernet II \ IP \ GGP | ip3
Ethernet II \ IP \ GMTP | ip100
Ethernet II \ IP \ GRE | GRE
Ethernet II \ IP \ HMP | ip20
Ethernet II \ IP \ IATP | ip117
Ethernet II \ IP \ ICMP | Icmp
Ethernet II \ IP \ IDPR | ip35
Ethernet II \ IP \ IDPR-CMTP | ip38
Ethernet II \ IP \ IDRP | ip45
Ethernet II \ IP \ IFMP | ip101
Ethernet II \ IP \ IGMP | IGMP
Ethernet II \ IP \ IGP | ip9
Ethernet II \ IP \ I-NLSP | ip52
Ethernet II \ IP \ Internet Link | ip40
Ethernet II \ IP \ IPComp | ip108
Ethernet II \ IP \ IPCV | ip71
Ethernet II \ IP \ IPIP | ip94
Ethernet II \ IP \ IPLT | ip129
Ethernet II \ IP \ IPPC | ip67
Ethernet II \ IP \ IPv4 Encapsulated | ip4
Ethernet II \ IP \ IPv6 Encapsulated | IPv6encapsulated
Ethernet II \ IP \ IPX-in-IP | ip111
Ethernet II \ IP \ IRTP | ip28
Ethernet II \ IP \ IS-IS over IPv4 | IsIsOverIp
Ethernet II \ IP \ ISO-IP | ip80
Ethernet II \ IP \ ISO-TP4 | ip29
Ethernet II \ IP \ Kryptolan | ip65
Ethernet II \ IP \ L2TP | ip115
Ethernet II \ IP \ LARP | ip91
Ethernet II \ IP \ MANET | ip138
Ethernet II \ IP \ MERIT-INP | ip32
Ethernet II \ IP \ MFE-NSP | ip31
Ethernet II \ IP \ MICP | ip95
Ethernet II \ IP \ MOBILE | ip55
Ethernet II \ IP \ MPLS-in-IP | ip137
Ethernet II \ IP \ MTP | ip92
Ethernet II \ IP \ MUX | ip18
Ethernet II \ IP \ NARP | ip54
Ethernet II \ IP \ NETBLT | ip30
Ethernet II \ IP \ NSFNET-IGP | ip85
Ethernet II \ IP \ NVP-II | ip11
Ethernet II \ IP \ Open Shortest Path First (OSPF) | Ospf
Ethernet II \ IP \ Performance Transparency Protocol | ip123
Ethernet II \ IP \ PGM | ip113
Ethernet II \ IP \ PIM | PIM
Ethernet II \ IP \ PIPE | ip131
Ethernet II \ IP \ PNNI | ip102
Ethernet II \ IP \ PRM | ip21
Ethernet II \ IP \ PUP | ip12
Ethernet II \ IP \ PVP | ip75
Ethernet II \ IP \ QNX | ip106
Ethernet II \ IP \ Reliable Data Protocol | RDP
Ethernet II \ IP \ ROHC | ip142
Ethernet II \ IP \ RSVP | ip46
Ethernet II \ IP \ RSVP-E2E-IGNORE | ip134
Ethernet II \ IP \ RVD | ip66
Ethernet II \ IP \ SAT-EXPAK | ip64
Ethernet II \ IP \ SAT-MON | ip69
Ethernet II \ IP \ SCC-SP | ip96
Ethernet II \ IP \ SCPS | ip105
Ethernet II \ IP \ SCTP | SCTP
Ethernet II \ IP \ SDRP | ip42
Ethernet II \ IP \ SECURE-VMTP | ip82
Ethernet II \ IP \ SMP | ip121
Ethernet II \ IP \ SNP | ip109
Ethernet II \ IP \ Sprite-RPC | ip90
Ethernet II \ IP \ SPS | ip130
Ethernet II \ IP \ SRP | ip119
Ethernet II \ IP \ SSCOPMCE | ip128
Ethernet II \ IP \ STP | STP
Ethernet II \ IP \ SUN-ND | ip77
Ethernet II \ IP \ TCF | ip87
Ethernet II \ IP \ TCP | Tcp
Ethernet II \ IP \ TCP \ ABB SPA-Bus | ABB_SpaBus
Ethernet II \ IP \ TCP \ AeroAdmin over TCP | AeroAdmin
Ethernet II \ IP \ TCP \ AFP | SrvTcp_AFP
Ethernet II \ IP \ TCP \ Allen-Bradley EtherNet/IP | AB_EtherNet_IP
Ethernet II \ IP \ TCP \ Ammyy Admin over TCP | AmmyyAdmin
Ethernet II \ IP \ TCP \ AnyDesk over TCP | AnyDesk
Ethernet II \ IP \ TCP \ ARMS control protocol | AsrkScada
Ethernet II \ IP \ TCP \ BECKHOFF ADS/AMS | Beckhoff
Ethernet II \ IP \ TCP \ Bitcoin over TCP | Bitcoin_OverTcp
Ethernet II \ IP \ TCP \ BitTorrent over TCP | BittorrentOverTcp
Ethernet II \ IP \ TCP \ CIMPLICITY-Historian over TCP | CIMPLICITYHistorian
Ethernet II \ IP \ TCP \ CIMPLICITY-HMI/SCADA over TCP | CIMPLICITYNetwork_OverTcp
Ethernet II \ IP \ TCP \ CODESYS V2 | CodesysV2
Ethernet II \ IP \ TCP \ CODESYS V3 Gateway | CodesysGatewayV3Tcp
Ethernet II \ IP \ TCP \ COS | Cos
Ethernet II \ IP \ TCP \ Dameware MRC | SrvTcp_DameWare_Mini_Remote_Control
Ethernet II \ IP \ TCP \ DCE/RPC | GenericDceRpc
Ethernet II \ IP \ TCP \ DICOM over TCP | DICOM_over_TCP
Ethernet II \ IP \ TCP \ DLMS/COSEM | DlmsCosem
Ethernet II \ IP \ TCP \ DMS for ABB AC 700F | ABB_AC700F_DMS
Ethernet II \ IP \ TCP \ DNP3 | Dnp3
Ethernet II \ IP \ TCP \ DNS | SrvTcp_DNS
Ethernet II \ IP \ TCP \ DNS/LLMNR over TCP | DnsLlmnr_OverTcp
Ethernet II \ IP \ TCP \ Dogecoin over TCP | Dogecoin
Ethernet II \ IP \ TCP \ Emerson ControlWave Designer | EmersonControlWaveDesigner
Ethernet II \ IP \ TCP \ Emerson DeltaV - firmware update | EmersonDeltaVFirmware
Ethernet II \ IP \ TCP \ EtherNet/IP \ OMRON FINS | OmronFinsEthernetIp
Ethernet II \ IP \ TCP \ Ether-S-IO over TCP | Esio_OverTcp
Ethernet II \ IP \ TCP \ Finger | SrvTcp_FINGER_PROTOCOL
Ethernet II \ IP \ TCP \ Flash Media Server | SrvTcp_Flash_Media_Server
Ethernet II \ IP \ TCP \ FTP | Ftp
Ethernet II \ IP \ TCP \ FTP Data | SrvTcp_FTP_DATA
Ethernet II \ IP \ TCP \ General Electric SRTP | Srtp
Ethernet II \ IP \ TCP \ HL7 v2 over TCP | HL7_ver2_over_TCP
Ethernet II \ IP \ TCP \ HL7 v3 over TCP | HL7_ver3_over_TCP
Ethernet II \ IP \ TCP \ Honeywell ControlEDGE 900: device interaction | HoneywellControlEdge
Ethernet II \ IP \ TCP \ Honeywell Experion CDA | HoneywellExperionCdaComm
Ethernet II \ IP \ TCP \ Honeywell Experion EpicMo | HoneywellExperionEpicMo
Ethernet II \ IP \ TCP \ HTTP | SrvTcp_HTTP
Ethernet II \ IP \ TCP \ HTTP/2 | HTTP2
Ethernet II \ IP \ TCP \ HTTPS | SrvTcp_HTTPS
Ethernet II \ IP \ TCP \ IBM DB2 | SrvTcp_IBM_DB2
Ethernet II \ IP \ TCP \ Ident | SrvTcp_Ident
Ethernet II \ IP \ TCP \ IEC 60870-5-101 | IEC_60870_5_101
Ethernet II \ IP \ TCP \ IEC 60870-5-104 | IEC_60870_5_104
Ethernet II \ IP \ TCP \ IMAP | SrvTcp_IMAP
Ethernet II \ IP \ TCP \ IPU-FEU: device interaction | Feu
Ethernet II \ IP \ TCP \ IRC | Irc
Ethernet II \ IP \ TCP \ ISaGRAF IXL | IsagrafIxl
Ethernet II \ IP \ TCP \ ISaGRAF SNCP | IsagrafSncp
Ethernet II \ IP \ TCP \ ISO TSAP | SrvTcp_Iso8072
Ethernet II \ IP \ TCP \ ISO TSAP \ ISO 8073 \ IEC 61850: MMS | IEC61850_MMS
Ethernet II \ IP \ TCP \ ISO TSAP \ ISO 8073 \ MMS for ABB AC 800M | ABB_AC800M_MMS
Ethernet II \ IP \ TCP \ ISO TSAP \ ISO 8073 \ Siemens S7comm | SiemensS7Comm
Ethernet II \ IP \ TCP \ ISO TSAP \ ISO 8073 \ Siemens S7comm-plus | SiemensS7CommPlus
Ethernet II \ IP \ TCP \ ISO TSAP \ ISO 8073 \ TASE.2 | Tase2
Ethernet II \ IP \ TCP \ Jabber XMPP over TCP | Jabber
Ethernet II \ IP \ TCP \ Kerberos over TCP | SrvTcp_Kerberos
Ethernet II \ IP \ TCP \ LDAP(S) over TCP | SrvTcp_LDAP_S_
Ethernet II \ IP \ TCP \ Litecoin over TCP | Litecoin
Ethernet II \ IP \ TCP \ Mitsubishi MELSEC System Q | MitsubishiMelsecSystemQProtocol
Ethernet II \ IP \ TCP \ MMS (ISO 9506-2) | MmsBase
Ethernet II \ IP \ TCP \ Modbus | ModbusTcp
Ethernet II \ IP \ TCP \ Modbus TCP for EKRA 200 series | Ekra243Modbus
Ethernet II \ IP \ TCP \ Moxa NPort: device configuration | MoxaNportFirmware
Ethernet II \ IP \ TCP \ Moxa NPort: device interaction | MoxaNportIa5000aSystem
Ethernet II \ IP \ TCP \ MQTT over TCP | MQTT
Ethernet II \ IP \ TCP \ MSNP | SrvTcp_MSNP
Ethernet II \ IP \ TCP \ MS SQL Server | SrvTcp_MS_SQL_Server
Ethernet II \ IP \ TCP \ MySQL | SrvTcp_MySQL
Ethernet II \ IP \ TCP \ Napster | SrvTcp_Napster
Ethernet II \ IP \ TCP \ NetBIOS | SrvTcp_NetBIOS
Ethernet II \ IP \ TCP \ NFS | SrvTcp_NFS
Ethernet II \ IP \ TCP \ OMRON FINS | OmronFinsTcp
Ethernet II \ IP \ TCP \ ONVIF over TCP | ONVIF_over_TCP
Ethernet II \ IP \ TCP \ OPC DA | OpcDa
Ethernet II \ IP \ TCP \ OPC UA Binary | OpcUaBinary
Ethernet II \ IP \ TCP \ Oracle DB | SrvTcp_Oracle
Ethernet II \ IP \ TCP \ POP3 | SrvTcp_POP3
Ethernet II \ IP \ TCP \ PPTP | SrvTcp_PPTP
Ethernet II \ IP \ TCP \ Radmin application protocol over TCP | Radmin_OverTcp
Ethernet II \ IP \ TCP \ RDP | SrvTcp_RDP
Ethernet II \ IP \ TCP \ Relematika BDUBus | BDUBus
Ethernet II \ IP \ TCP \ Remote Utilities over TCP | RemoteUtilities
Ethernet II \ IP \ TCP \ Rlogin | SrvTcp_RLOGIN
Ethernet II \ IP \ TCP \ RSH | SrvTcp_RSH
Ethernet II \ IP \ TCP \ RTSP over TCP | RTSP_over_TCP
Ethernet II \ IP \ TCP \ SAIA S-Bus over TCP | Saia_OverTcp
Ethernet II \ IP \ TCP \ Schneider Electric UMAS | Umas
Ethernet II \ IP \ TCP \ SFTP | SrvTcp_SFTP
Ethernet II \ IP \ TCP \ Siemens SICAM SCC: interaction with SICAM PAS | NwChannel
Ethernet II \ IP \ TCP \ SMB | SrvTcp_SMB
Ethernet II \ IP \ TCP \ SMB v2 over TCP | Smb2_OverTcp
Ethernet II \ IP \ TCP \ SMB v3 over TCP | Smb3_OverTcp
Ethernet II \ IP \ TCP \ SMTP | SrvTcp_SMTP
Ethernet II \ IP \ TCP \ SNMP | SrvTcp_SNMP
Ethernet II \ IP \ TCP \ SSH | Ssh
Ethernet II \ IP \ TCP \ SSL/TLS | SslTls
Ethernet II \ IP \ TCP \ SSL v2 | SslV2
Ethernet II \ IP \ TCP \ SSL v3 | SslV3
Ethernet II \ IP \ TCP \ SuiteLink over TCP | SuiteLink
Ethernet II \ IP \ TCP \ Syslog | SrvTcp_Syslog
Ethernet II \ IP \ TCP \ TeamViewer | SrvTcp_TeamViewer
Ethernet II \ IP \ TCP \ Telegram MTProto over TCP | Telegram
Ethernet II \ IP \ TCP \ Telnet | Telnet
Ethernet II \ IP \ TCP \ TFTP over TCP | Tftp_OverTcp
Ethernet II \ IP \ TCP \ TLS v1.0 | TlsV10
Ethernet II \ IP \ TCP \ TLS v1.1 | TlsV11
Ethernet II \ IP \ TCP \ TLS v1.2 | TlsV12
Ethernet II \ IP \ TCP \ TLS v1.3 | TlsV13
Ethernet II \ IP \ TCP \ TNS over TCP | Tns_OverTcp
Ethernet II \ IP \ TCP \ Tor over TCP | Tor_OverTcp
Ethernet II \ IP \ TCP \ VNC | SrvTcp_VNC
Ethernet II \ IP \ TCP \ WebSocket | WebSocket_OverTcp
Ethernet II \ IP \ TCP \ WMI technology: device interaction | Wmi
Ethernet II \ IP \ TLSP | ip56
Ethernet II \ IP \ TP++ | ip39
Ethernet II \ IP \ UDP | UDP
Ethernet II \ IP \ UDP \ BACnet | Bacnet
Ethernet II \ IP \ UDP \ BECKHOFF ADS/AMS | BeckhoffUdp
Ethernet II \ IP \ UDP \ BitTorrent over UDP | BittorrentOverUdp
Ethernet II \ IP \ UDP \ BSAP | Bsap
Ethernet II \ IP \ UDP \ CHINT MAS400: device interaction | ChintMas400
Ethernet II \ IP \ UDP \ CHINT MAS9600: device interaction | ChintMas9600
Ethernet II \ IP \ UDP \ CIMPLICITY-HMI/SCADA over UDP | CIMPLICITYNetwork_OverUdp
Ethernet II \ IP \ UDP \ CODESYS V3 Gateway | CodesysGatewayV3Udp
Ethernet II \ IP \ UDP \ Data Transfer Systems (DTS) | Dts
Ethernet II \ IP \ UDP \ DHCP | Dhcp
Ethernet II \ IP \ UDP \ DirectLOGIC: device interaction | DirectLogicEcom
Ethernet II \ IP \ UDP \ DNS | SrvUdp_DNS
Ethernet II \ IP \ UDP \ DNS/LLMNR over UDP | DnsLlmnr_OverUdp
Ethernet II \ IP \ UDP \ Dropbox LAN Sync over UDP | DropBox_sync_OverUdp
Ethernet II \ IP \ UDP \ Emerson DeltaV | EmersonDeltaV
Ethernet II \ IP \ UDP \ Emerson Ovation: multicast over UDP | Emerson_Ovation_OverUdp_Mcast
Ethernet II \ IP \ UDP \ Emerson Ovation: interactions over UDP | Emerson_Ovation_OverUdp
Ethernet II \ IP \ UDP \ Ether-S-IO over UDP | Esio_OverUdp
Ethernet II \ IP \ UDP \ General Electric EGD | Egd
Ethernet II \ IP \ UDP \ GLBP over UDP | GLBP_OverUdp
Ethernet II \ IP \ UDP \ Honeywell ControlEDGE 900: device detection | HoneywellControlEdgeDiscovery
Ethernet II \ IP \ UDP \ Honeywell Experion: device detection | HoneywellExperionDiscovery
Ethernet II \ IP \ UDP \ Honeywell Experion: getting device network configurations | HoneywellExperionNameServer
Ethernet II \ IP \ UDP \ HSRP over UDP | HSRP_OverUdp
Ethernet II \ IP \ UDP \ INA2000 | Ina2000
Ethernet II \ IP \ UDP \ Kerberos over UDP | SrvUdp_Kerberos
Ethernet II \ IP \ UDP \ KNXnet/IP | Knx
Ethernet II \ IP \ UDP \ LDAP(S) over UDP | SrvUdp_LDAP_S_
Ethernet II \ IP \ UDP \ LDP | SrvUdp_LDP
Ethernet II \ IP \ UDP \ mDNS over UDP | mDNS_OverUdp
Ethernet II \ IP \ UDP \ MikroTik Neighbor Discovery Protocol (MNDP) | Mndp
Ethernet II \ IP \ UDP \ Moxa NPort: device detection | MoxaNportDiscovery
Ethernet II \ IP \ UDP \ MSNP | SrvUdp_MSNP
Ethernet II \ IP \ UDP \ NBNS over UDP | NBNS_OverUdp
Ethernet II \ IP \ UDP \ NetBIOS | SrvUdp_NetBIOS
Ethernet II \ IP \ UDP \ NFS | SrvUdp_NFS
Ethernet II \ IP \ UDP \ NTP | SrvUdp_NTP
Ethernet II \ IP \ UDP \ OMRON FINS | OmronFins
Ethernet II \ IP \ UDP \ PK4 | Pk4
Ethernet II \ IP \ UDP \ PNU20 | Pnu20
Ethernet II \ IP \ UDP \ QTP | SrvUdp_QTP
Ethernet II \ IP \ UDP \ RADIUS over UDP | RadiusUdp
Ethernet II \ IP \ UDP \ RDP | SrvUdp_RDP
Ethernet II \ IP \ UDP \ RIP | RIP
Ethernet II \ IP \ UDP \ SAIA S-Bus over UDP | Saia_OverUdp
Ethernet II \ IP \ UDP \ SCIYON default over UDP | Sciyon
Ethernet II \ IP \ UDP \ Siemens DIGSI 4 | SiemensDigsi4
Ethernet II \ IP \ UDP \ SIP over UDP | Sip
Ethernet II \ IP \ UDP \ SMB over UDP | Smb_OverUdp
Ethernet II \ IP \ UDP \ SMB v2 over UDP | Smb2_OverUdp
Ethernet II \ IP \ UDP \ SMB v3 over UDP | Smb3_OverUdp
Ethernet II \ IP \ UDP \ SNMP | SrvUdp_SNMP
Ethernet II \ IP \ UDP \ SNMP v1 over UDP | Snmpv1_OverUdp
Ethernet II \ IP \ UDP \ SNMP v2 over UDP | Snmpv2_OverUdp
Ethernet II \ IP \ UDP \ SNMP v3 over UDP | Snmpv3_OverUdp
Ethernet II \ IP \ UDP \ SSDP | SrvUdp_SSDP
Ethernet II \ IP \ UDP \ Syslog over UDP | Syslog_OverUdp
Ethernet II \ IP \ UDP \ TeamViewer | SrvUdp_TeamViewer
Ethernet II \ IP \ UDP \ TFTP over UDP | Tftp_OverUdp
Ethernet II \ IP \ UDP \ TNS over UDP | Tns_OverUdp
Ethernet II \ IP \ UDP \ Tor over UDP | Tor_OverUdp
Ethernet II \ IP \ UDP \ Valmet DNA: device interaction | Valmet
Ethernet II \ IP \ UDP \ YARD | Yard
Ethernet II \ IP \ UDP \ Yokogawa Vnet/IP | VnetIp
Ethernet II \ IP \ UDPLite | ip136
Ethernet II \ IP \ UTI | ip120
Ethernet II \ IP \ VINES | ip83
Ethernet II \ IP \ VISA | ip70
Ethernet II \ IP \ VMTP | ip81
Ethernet II \ IP \ VRRP | ip112
Ethernet II \ IP \ VRRP over IPv4 | VRRP_OverIpv4
Ethernet II \ IP \ WB-EXPAK | ip79
Ethernet II \ IP \ WB-MON | ip78
Ethernet II \ IP \ WESP | ip141
Ethernet II \ IP \ WSN | ip74
Ethernet II \ IP \ XNET | ip15
Ethernet II \ IP \ XNS-IDP | ip22
Ethernet II \ IP \ XTP | ip36
Ethernet II \ IPv6 | IPv6
Ethernet II \ IPX | IPX
Ethernet II \ IS-IS over Ethernet II | IsIsOverEthernetII
Ethernet II \ Link Layer Discovery Protocol (LLDP) | Lldp
Ethernet II \ Loopback | Loopback
Ethernet II \ MiCOM C264 | MicomC264
Ethernet II \ MPLS | MPLS
Ethernet II \ MPLS multicast | MPLS_multi
Ethernet II \ Precision Time Protocol | PTP
Ethernet II \ PROFINET IO | ProfinetIo
Ethernet II \ Prosoft-Systems: initial setup of devices | ProsoftSystemsDeviceDiscovery
Ethernet II \ PRP | PRP
Ethernet II \ RARP | RARP
Ethernet II \ RPC for PROFINET IO | ProfinetRpc

Using variables

You can add the following types of variables to the text of an SQL query:

To specify a variable and its type, use an entry in the format {{param_name:param_type}}. If the type of the variable is not specified (in an entry in the format {{param_name}}), the string type is used by default. The added variables are displayed below the SQL query text in the Utilized variables settings block. In this block, you can define the value of a variable or select a dictionary containing values for it.

When adding variables to an SQL query, please keep in mind that the maximum number of variables in an SQL query is 30.

See also:

Creating Network Anomaly Detection rule

Changing Network Anomaly Detection rule
