Origin Port
The port from which activity originated (for example, client or attacker port).
Data Type
Integer
Aliases
| Use | Alias |
|---|---|
| Client Console Full Name | TCP/UDP Port (Origin) |
| Client Console Short Name | Not applicable |
| Web Console Tab/Name | TCP/UDP Port (Origin) |
| Elasticsearch Field Name | originPort |
| Rule Builder Column Name | SPort |
| Regex Pattern | <sport> |
| NetMon Name | Not applicable |
Field Relationships
- SIP
- SIPv4
- SIPv6
- SIPv6E
- Origin Hostname
- Origin Hostname or IP
- Origin NAT IP
- DIP
- DIPv4
- DIPv6
- DIPv6E
- Impacted Hostname
- Impacted Hostname or IP
- Impacted NAT IP
- Origin NAT Port
- Impacted Port
- Impacted NAT Port
- Origin MAC Address
- Impacted MAC Address
- Origin Interface
- Impacted Interface
- Origin Domain
- Impacted Domain
- Origin Login
- Impacted Account
- IANA Protocol Number
- IANA Protocol Name
Common Applications
Any network-connected application or device.
Use Case
Host and application contexts.
MPE/Data Masking Manipulations
Used to help determine the Application.
Usage Standards
- Use to indicate the origin port number associated with a client or attacker host.
- Origin is Client (In Client-Server Model).
- Origin is Attacker (In Attacker-Target Model).
Examples
- FireEye Web MPS
02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1 cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost= USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1 dvchost= USABLDRRECFLOW01 dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0 dpt=80 externalId=609081 cs4Label=link cs4=STUFF dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.AnglerDIPv4
dpt= is the Origin port in this case because it is the port used by the attacker IP (dst).
- Cisco Next Generation Firewall
CISCONGFW EVENT Ev_Id=610 Ev_Severity=6 Ev_TypeId=HTTP_COMPLETE Ev_SrcId=32 Ev_RecvTime=2/24/2013 10:04:34 PM Ev_MetaData=0 Smx_Config_Version=2 Identity_Source=0 Smx_Policy_Id=0 Flow_ConnId=456 Smx_Egress_Interface_Id=0 Smx_Ingress_Interface_Id=0 Avc_App_Id=300003 Ev_GenTime=2/24/2013 10:04:09 PM Flow_Protocol=6 Flow_SrcIp=1.1.1.1 Flow_DstIp=1.1.1.1 Flow_SrcPort=60221 Flow_DstPort=80 Ev_Producer_Id=5 Flow_Transaction_Id=0 Url=recordflow.biz Flow_DstHostName=recordflow.bizSmx_Policy_Id=0 Flow_Bytes_Sent=391 Http_Response_Status=302 Flow_Bytes_Received=647
Origin port (source in a network traffic flow context).
- Cisco ISE
02 10 2014 13:54:24 1.1.1.1 <LOC6:NOTE> Feb 10 13:54:43 USABLDRRECFLOW01 CISE_Failed_Attempts 0000217969 2 0 2014-02-10 13:54:43.264 +02:00 0008145644 5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=143, Device IP Address=1.1.1.1, Device Port=1646, DestinationIPAddress=1.1.1.1, DestinationPort=1646, Protocol=Radius, NetworkDeviceName=Switch_3560-X_2, NAS-IP-Address=1.1.1.1, NAS-Port=50023, Service-Type=Framed, Acct-Status-Type=Start, Acct-Delay-Time=20, Acct-Session-Id=00002222, Acct-Authentic=Local, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/23, cisco-av-pair=connect-progress=Call Up, AcsSessionID= USABLDRRECFLOW01/151856948/212124, FailureReason=11038 RADIUS Accounting-Request header contains invalid Authenticator field, Step=11004, Step=11017, Step=11038, Step=5413, NetworkDeviceGroups=Device Type#All Device Types#Switch, NetworkDeviceGroups=Location#All Locations#HQ, NetworkDeviceGroups=Unit#All Units#Networking, NetworkDeviceGroups=ACS Group#All ACS Groups, ACS Group=ACS Group#All ACS Groups,
Device Port shows the originating RADIUS request port for the corresponding device IP. Destination (Impacted) is the server being authenticated against (Client-Server relationship).
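The origin/impacted choice described in the Usage Standards and in the FireEye and Cisco NGFW examples above, as an added Python sketch that is not part of the original page or of the product's own parsing rules. The `SOURCES` table, the function names, the `impactedPort` key and the treatment of `spt` as the impacted port for FireEye are assumptions of this example; the log lines are shortened, constructed versions of the samples.

```python
import re

# Constructed, shortened versions of the FireEye and Cisco NGFW samples above.
FIREEYE = ("CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|src=1.1.1.1 "
           "proto=tcp spt=51997 dst=1.1.1.1 dpt=80 cs1=Exploit.Kit.Angler")
NGFW = ("CISCONGFW EVENT Ev_Id=610 Flow_Protocol=6 Flow_SrcIp=1.1.1.1 "
        "Flow_DstIp=1.1.1.1 Flow_SrcPort=60221 Flow_DstPort=80")

# Hypothetical per-source table: raw keys for the two ports, and which side
# the log treats as origin (client or attacker).
SOURCES = {
    # Attacker-target model: the attacker is dst, so dpt is the origin port.
    # Treating spt as the impacted port is an assumption of this example.
    "fireeye": {"src": "spt", "dst": "dpt", "origin": "dst"},
    # Client-server model: the flow source is the client, so it is origin.
    "ngfw": {"src": "Flow_SrcPort", "dst": "Flow_DstPort", "origin": "src"},
}


def parse_kv(line):
    """Collect key=value tokens; values stop at the first whitespace."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def to_port(value):
    """Return an integer port in 0-65535, or None when missing or invalid."""
    if value is None or not re.fullmatch(r"[0-9]{1,5}", value):
        return None
    port = int(value)
    return port if port <= 65535 else None


def normalize(source, line):
    """Map a raw log line to origin/impacted ports for the given source."""
    spec = SOURCES[source]
    kv = parse_kv(line)
    src, dst = to_port(kv.get(spec["src"])), to_port(kv.get(spec["dst"]))
    if spec["origin"] == "dst":
        src, dst = dst, src  # origin follows the attacker, not the packet source
    # originPort is the page's Elasticsearch name; impactedPort is assumed here.
    return {"originPort": src, "impactedPort": dst}


if __name__ == "__main__":
    print(normalize("fireeye", FIREEYE))
    print(normalize("ngfw", NGFW))
```

A port that is missing, non-numeric or above 65535 comes back as `None` rather than being stored in an Integer field as-is.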