Attributes

This page lists all attributes that may occur in entity records. Some are specific for a particular entity type (list of entity types), some are generic.

Generic attributes

Attributes that are used for multiple entity types.

attribute name	entity types	type/format	description
_id	all	depends on entity type	Identification of entity (e.g. IP address, AS number)
ts_added	all	datetime, plain	Time of record creation
ts_last_update	all	datetime, plain	Time of last update of the record
_nru4h	all	datetime, plain	Time of next planned update of the record (4 hour interval). (NRU = Next Regular Update)
_nru1d	all	datetime, plain	Time of next planned update of the record (1 day interval).
_nru1w	all	datetime, plain	Time of next planned update of the record (1 week interval).

Note: Attributes starting with an underscore (_) are for internal purposes only and are normally not shown in Web frontend as entity attributes.

ip attributes

Attributes specific for records of type ip.

attribute name	type/format	description
events	list-of-objects, key: date,cat,node	Number of events for each date, category and node.
events[].date	string YYYY-MM-DD	Date of events (according to DetectTime in UTC)
events[].cat	string	Category of events (as in IDEA format, without dots, multiple Categories in an event are joined by +, e.g. AttemptExploit+Malware)
events[].node	string	Name of source which reported the events (Node[-1].Name in IDEA)
events[].n	int	Number of events in day day with category cat and node name node
events_meta	(group)	Other meta-information about reported alerts/events.
events_meta.total	int	Total number of events in the DB for this IP (within last 90 days by default)
events_meta.total{1,7,30}	int	Total number of events in last 1, 7, 30 days, respectively. (Note: events received in N previous whole days and in the current day are counted; for example, total1 may span 24 to 48 hours, depending on time of the query)
ts_last_event	datetime	Timestamp of last reported event (used for DB cleaning)
hostname	string	Hostname associated to IP address, acquired by PTR DNS query, None/null if the query returned NXDOMAIN or another error
geo	(group)	Geolocation info (based on MaxMind GeoLite2 City DB).
geo.ctry	string	Country code (2-letter code defined by ISO 3166).
geo.city	string	City
geo.tz	string	Timezone (as a string, e.g. Europe/Prague)
bl	list-of-objects, key: n	Presence of IP on various blacklists at various times.
bl[].n	string	Name of the blacklist.
bl[].v	int (0 or 1)	Whether IP was present on the blacklist when last queried.
bl[].t	datetime	Timestamp of the last query of the blacklist.
bl[].h	list of datetime	Timestamps of queries with positive results, i.e. the IP was present on the blacklist.
as_maxmind	(group)	AS information according to MaxMind GeoLite ASN DB.
as_maxmind.num	int	AS number
as_maxmind.description	string	AS name/description
as_rv	(group)	AS information according to RouteViews and CIRD report
as_rv.num	int	AS number (source: RouteViews's DNS zone mapping IPs to origin ASNs (originas.bz2 here).
as_rv.description	string	Name of ASN in as_rv.num (source: CIDR report (data file))
caida_as_class	string, conf	Class of IP's ASN according to CAIDA AS classification dataset. May be access (transit or access network), enterprise, content or unknown. Confidence is set based on source of data (peerDB or inferred by machine learning) and whether as_maxmind.num and as_rv.num are both set and equal or not.
hostname_class	list of strings	Classes/tags derived from hostname, either based on well-known domain names, or on matching a configured regular expression. May be research_scanner, dynamic, nat, etc. (configurable in nerdd.cfg)
rep	float	Reputation score. (Experimental) Simple computation based on non-lineraly tranformed number of events and number of nodes per day, with linearly decreasing weight of older days (up to 14 days). Currently treats all alert categories the same.
tags	special (TODO)	Various tags assigned to the IP.

asn attributes

Attributes specific for records of type asn.

TODO

Special formats of attributes

N/A