
Origin Port

The port from which activity originated (for example, client or attacker port).

Data Type

Integer

Aliases

UseAlias

Client Console Full Name

TCP/UDP Port (Origin)

Client Console Short Name

Not applicable

Web Console Tab/Name

TCP/UDP Port (Origin)

Elasticsearch Field Name

originPort

Rule Builder Column Name

SPort

Regex Pattern

<sport>

NetMon Name

Not applicable

Field Relationships

  • SIP
  • SIPv4
  • SIPv6
  • SIPv6E
  • Origin Hostname
  • Origin Hostname or IP
  • Origin NAT IP
  • DIP
  • DIPv4
  • DIPv6
  • DIPv6E
  • Impacted Hostname
  • Impacted Hostname or IP
  • Impacted NAT IP
  • Origin NAT Port
  • Impacted Port
  • Impacted NAT Port
  • Origin MAC Address
  • Impacted MAC Address
  • Origin Interface
  • Impacted Interface
  • Origin Domain
  • Impacted Domain
  • Origin Login
  • Impacted Account
  • IANA Protocol Number
  • IANA Protocol Name

Common Applications

Any network connected application or device.

Use Case

Host and application contexts.

MPE/Data Masking Manipulations

Used to help determine Application.

Usage Standards

  • Use to indicate the origin port number associated with a client or attacker host.
  • Origin is Client (In Client-Server Model).
  • Origin is Attacker (In Attacker-Target Model).

Examples

  • FireEye Web MPS

02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1 cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost= USABLDRRECFLOW01proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1 dvchost= USABLDRRECFLOW01 dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0 dpt=80 externalId=609081 cs4Label=link cs4=STUFF dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.AnglerDIPv4

dpt= is the Origin Port in this case because it is the port used by the attacker IP (dst).

  • Cisco Next Generation Firewall

CISCONGFW EVENT Ev_Id=610 Ev_Severity=6 Ev_TypeId=HTTP_COMPLETE Ev_SrcId=32 Ev_RecvTime=2/24/2013 10:04:34 PM Ev_MetaData=0 Smx_Config_Version=2 Identity_Source=0 Smx_Policy_Id=0 Flow_ConnId=456 Smx_Egress_Interface_Id=0 Smx_Ingress_Interface_Id=0 Avc_App_Id=300003 Ev_GenTime=2/24/2013 10:04:09 PM Flow_Protocol=6 Flow_SrcIp=1.1.1.1 Flow_DstIp=1.1.1.1 Flow_SrcPort=60221 Flow_DstPort=80 Ev_Producer_Id=5 Flow_Transaction_Id=0 Url=recordflow.biz Flow_DstHostName=recordflow.bizSmx_Policy_Id=0 Flow_Bytes_Sent=391 Http_Response_Status=302 Flow_Bytes_Received=647

Flow_SrcPort= is the Origin Port (the source in a network traffic flow context).

  • Cisco ISE

02 10 2014 13:54:24 1.1.1.1 <LOC6:NOTE> Feb 10 13:54:43 USABLDRRECFLOW01 CISE_Failed_Attempts 0000217969 2 0 2014-02-10 13:54:43.264 +02:00 0008145644 5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=143, Device IP Address=1.1.1.1, Device Port=1646, DestinationIPAddress=1.1.1.1, DestinationPort=1646, Protocol=Radius, NetworkDeviceName=Switch_3560-X_2, NAS-IP-Address=1.1.1.1, NAS-Port=50023, Service-Type=Framed, Acct-Status-Type=Start, Acct-Delay-Time=20, Acct-Session-Id=00002222, Acct-Authentic=Local, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/23, cisco-av-pair=connect-progress=Call Up, AcsSessionID= USABLDRRECFLOW01/151856948/212124, FailureReason=11038 RADIUS Accounting-Request header contains invalid Authenticator field, Step=11004, Step=11017, Step=11038, Step=5413, NetworkDeviceGroups=Device Type#All Device Types#Switch, NetworkDeviceGroups=Location#All Locations#HQ, NetworkDeviceGroups=Unit#All Units#Networking, NetworkDeviceGroups=ACS Group#All ACS Groups, ACS Group=ACS Group#All ACS Groups,

Device Port shows the originating RADIUS request port for the corresponding device IP. Destination (Impacted) is the server being authenticated against (Client-Server relationship).
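The three examples above map a different raw key to Origin Port depending on which host is the client or attacker. The following added example (not LogRhythm's own parsing rules) shows that mapping in Python; the named group `sport` stands in for the <sport> tag as an assumption, the rule names and the `origin_port` function are hypothetical, and the sample lines are abbreviated from the logs on this page.

```python
import re

# Per-source rules naming the raw key that carries the Origin Port.
# The Python named group "sport" stands in for the <sport> tag (assumption;
# this is not MPE rule syntax).
RULES = [
    # FireEye infection-match: attacker-target model, the attacker is dst,
    # so dpt (not spt) is the Origin Port.
    ("FireEye Web MPS", re.compile(r"\|FireEye\|MPS\|.*\bdpt=(?P<sport>\d+)")),
    # Cisco NGFW: the flow source is the origin.
    ("Cisco NGFW", re.compile(r"^CISCONGFW\b.*\bFlow_SrcPort=(?P<sport>\d+)")),
    # Cisco ISE: the device sending the RADIUS request is the client.
    ("Cisco ISE", re.compile(r"\bCISE_\w+.*\bDevice Port=(?P<sport>\d+)")),
]

def origin_port(log):
    """Return (source_name, originPort), or None when no rule matches
    or the captured value is not a valid TCP/UDP port."""
    for name, rx in RULES:
        m = rx.search(log)
        if m:
            port = int(m.group("sport"))
            if not 0 <= port <= 65535:
                return None  # Integer field, but outside the port range
            return name, port
    return None

# Sample lines abbreviated from the examples on this page.
FIREEYE = ("CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|"
           "src=1.1.1.1 spt=51997 dst=1.1.1.1 dpt=80 externalId=609081")
NGFW = ("CISCONGFW EVENT Ev_Id=610 Flow_SrcIp=1.1.1.1 Flow_DstIp=1.1.1.1 "
        "Flow_SrcPort=60221 Flow_DstPort=80")
ISE = ("USABLDRRECFLOW01 CISE_Failed_Attempts 0000217969 "
       "Device IP Address=1.1.1.1, Device Port=1646, DestinationPort=1646")

if __name__ == "__main__":
    for line in (FIREEYE, NGFW, ISE):
        print(origin_port(line))
```

A rule that always took the source port key would record 51997 for the FireEye line, which is the target's port rather than the attacker's.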
