pub struct Network { /* private fields */ }Expand description
The network is defined as the communication path over which a host or network event happens.
The network.* fields should be populated with details about the network activity associated with an event.
Implementations§
Source§impl Network
impl Network
Sourcepub fn get_name(&self) -> Option<&String>
pub fn get_name(&self) -> Option<&String>
Name given by operators to sections of their network.
Sourcepub fn get_type(&self) -> Option<&String>
pub fn get_type(&self) -> Option<&String>
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
The field value must be normalized to lowercase for querying.
Sourcepub fn set_type(&mut self, type_arg: String)
pub fn set_type(&mut self, type_arg: String)
In the OSI Model this would be the Network Layer. ipv4, ipv6, ipsec, pim, etc
The field value must be normalized to lowercase for querying.
§Example
ipv4
Sourcepub fn get_iana_number(&self) -> Option<&String>
pub fn get_iana_number(&self) -> Option<&String>
IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
Sourcepub fn set_iana_number(&mut self, iana_number_arg: String)
pub fn set_iana_number(&mut self, iana_number_arg: String)
IANA Protocol Number (https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). Standardized list of protocols. This aligns well with NetFlow and sFlow related logs which use the IANA Protocol Number.
§Example
6
Sourcepub fn get_transport(&self) -> Option<&String>
pub fn get_transport(&self) -> Option<&String>
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying.
Sourcepub fn set_transport(&mut self, transport_arg: String)
pub fn set_transport(&mut self, transport_arg: String)
Same as network.iana_number, but instead using the Keyword name of the transport layer (udp, tcp, ipv6-icmp, etc.)
The field value must be normalized to lowercase for querying.
§Example
tcp
Sourcepub fn get_application(&self) -> Option<&String>
pub fn get_application(&self) -> Option<&String>
When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name.
For example, the original event identifies the network connection being from a specific web service in a https network connection, like facebook or twitter.
The field value must be normalized to lowercase for querying.
Sourcepub fn set_application(&mut self, application_arg: String)
pub fn set_application(&mut self, application_arg: String)
When a specific application or service is identified from network connection details (source/dest IPs, ports, certificates, or wire format), this field captures the application’s or service’s name.
For example, the original event identifies the network connection being from a specific web service in a https network connection, like facebook or twitter.
The field value must be normalized to lowercase for querying.
§Example
aim
Sourcepub fn get_protocol(&self) -> Option<&String>
pub fn get_protocol(&self) -> Option<&String>
In the OSI Model this would be the Application Layer protocol. For example, http, dns, or ssh.
The field value must be normalized to lowercase for querying.
Sourcepub fn set_protocol(&mut self, protocol_arg: String)
pub fn set_protocol(&mut self, protocol_arg: String)
In the OSI Model this would be the Application Layer protocol. For example, http, dns, or ssh.
The field value must be normalized to lowercase for querying.
§Example
http
Sourcepub fn get_direction(&self) -> Option<&String>
pub fn get_direction(&self) -> Option<&String>
Direction of the network traffic.
When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values “ingress” or “egress”.
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values “inbound”, “outbound”, “internal” or “external”.
Note that “internal” is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that “external” is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
Sourcepub fn set_direction(&mut self, direction_arg: String)
pub fn set_direction(&mut self, direction_arg: String)
Direction of the network traffic.
When mapping events from a host-based monitoring context, populate this field from the host’s point of view, using the values “ingress” or “egress”.
When mapping events from a network or perimeter-based monitoring context, populate this field from the point of view of the network perimeter, using the values “inbound”, “outbound”, “internal” or “external”.
Note that “internal” is not crossing perimeter boundaries, and is meant to describe communication between two hosts within the perimeter. Note also that “external” is meant to describe traffic between two hosts that are external to the perimeter. This could for example be useful for ISPs or VPN service providers.
§Example
inbound
Sourcepub fn get_forwarded_ip(&self) -> Option<&String>
pub fn get_forwarded_ip(&self) -> Option<&String>
Host IP address when the source IP address is the proxy.
Sourcepub fn set_forwarded_ip(&mut self, forwarded_ip_arg: String)
pub fn set_forwarded_ip(&mut self, forwarded_ip_arg: String)
Sourcepub fn get_community_id(&self) -> Option<&String>
pub fn get_community_id(&self) -> Option<&String>
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
Learn more at https://github.com/corelight/community-id-spec.
Sourcepub fn set_community_id(&mut self, community_id_arg: String)
pub fn set_community_id(&mut self, community_id_arg: String)
A hash of source and destination IPs and ports, as well as the protocol used in a communication. This is a tool-agnostic standard to identify flows.
Learn more at https://github.com/corelight/community-id-spec.
§Example
1:hO+sN4H+MG5MY/8hIrXPqc4ZQz0=
Sourcepub fn get_bytes(&self) -> Option<&u64>
pub fn get_bytes(&self) -> Option<&u64>
Total bytes transferred in both directions.
If source.bytes and destination.bytes are known, network.bytes is their sum.
Sourcepub fn set_bytes(&mut self, bytes_arg: u64)
pub fn set_bytes(&mut self, bytes_arg: u64)
Total bytes transferred in both directions.
If source.bytes and destination.bytes are known, network.bytes is their sum.
§Example
368
Sourcepub fn get_packets(&self) -> Option<&u64>
pub fn get_packets(&self) -> Option<&u64>
Total packets transferred in both directions.
If source.packets and destination.packets are known, network.packets is their sum.
Sourcepub fn set_packets(&mut self, packets_arg: u64)
pub fn set_packets(&mut self, packets_arg: u64)
Total packets transferred in both directions.
If source.packets and destination.packets are known, network.packets is their sum.
§Example
24
Sourcepub fn get_inner(&self) -> Option<&Value>
pub fn get_inner(&self) -> Option<&Value>
Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)
Sourcepub fn set_inner(&mut self, inner_arg: Value)
pub fn set_inner(&mut self, inner_arg: Value)
Network.inner fields are added in addition to network.vlan fields to describe the innermost VLAN when q-in-q VLAN tagging is present. Allowed fields include vlan.id and vlan.name. Inner vlan fields are typically used when sending traffic with multiple 802.1q encapsulations to a network sensor (e.g. Zeek, Wireshark.)