Origin Port

The port from which activity originated (for example, client or attacker port).

Data Type

Integer

Aliases

  Use                         Alias
  Client Console Full Name    TCP/UDP Port (Origin)
  Client Console Short Name   Not applicable
  Web Console Tab/Name        TCP/UDP Port (Origin)
  Elasticsearch Field Name    originPort
  Rule Builder Column Name    SPort
  Regex Pattern               <sport>
  NetMon Name                 Not applicable

Field Relationships

  • SIP
  • SIPv4
  • SIPv6
  • SIPv6E
  • Origin Hostname
  • Origin Hostname or IP
  • Origin NAT IP
  • DIP
  • DIPv4
  • DIPv6
  • DIPv6E
  • Impacted Hostname
  • Impacted Hostname or IP
  • Impacted NAT IP
  • Origin NAT Port
  • Impacted Port
  • Impacted NAT Port
  • Origin MAC Address
  • Impacted MAC Address
  • Origin Interface
  • Impacted Interface
  • Origin Domain
  • Impacted Domain
  • Origin Login
  • Impacted Account
  • IANA Protocol Number
  • IANA Protocol Name

Common Applications

Any network-connected application or device.

Use Case

Host and application contexts.

MPE/Data Masking Manipulations

Used to help determine the Application.

Usage Standards

  • Use to indicate the origin port number associated with a client or attacker host.

  • Origin is Client (In Client-Server Model).

  • Origin is Attacker (In Attacker-Target Model).

Examples

  • FireEye Web MPS

02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1 cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost=USABLDRRECFLOW01 proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1 dvchost=USABLDRRECFLOW01 dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0 dpt=80 externalId=609081 cs4Label=link cs4=STUFF dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.Angler

dpt= is the Origin Port in this case, because it is the port used by the attacker IP (dst).

  • Cisco Next Generation Firewall

CISCONGFW EVENT Ev_Id=610 Ev_Severity=6 Ev_TypeId=HTTP_COMPLETE Ev_SrcId=32 Ev_RecvTime=2/24/2013 10:04:34 PM Ev_MetaData=0 Smx_Config_Version=2 Identity_Source=0 Smx_Policy_Id=0 Flow_ConnId=456 Smx_Egress_Interface_Id=0 Smx_Ingress_Interface_Id=0 Avc_App_Id=300003 Ev_GenTime=2/24/2013 10:04:09 PM Flow_Protocol=6 Flow_SrcIp=1.1.1.1 Flow_DstIp=1.1.1.1 Flow_SrcPort=60221 Flow_DstPort=80 Ev_Producer_Id=5 Flow_Transaction_Id=0 Url=recordflow.biz Flow_DstHostName=recordflow.biz Smx_Policy_Id=0 Flow_Bytes_Sent=391 Http_Response_Status=302 Flow_Bytes_Received=647

The Origin Port is the source port in a network traffic flow context (Flow_SrcPort in this log).

  • Cisco ISE

02 10 2014 13:54:24 1.1.1.1 <LOC6:NOTE> Feb 10 13:54:43 USABLDRRECFLOW01 CISE_Failed_Attempts 0000217969 2 0 2014-02-10 13:54:43.264 +02:00 0008145644 5413 NOTICE Failed-Attempt: RADIUS Accounting-Request dropped, ConfigVersionId=143, Device IP Address=1.1.1.1, Device Port=1646, DestinationIPAddress=1.1.1.1, DestinationPort=1646, Protocol=Radius, NetworkDeviceName=Switch_3560-X_2, NAS-IP-Address=1.1.1.1, NAS-Port=50023, Service-Type=Framed, Acct-Status-Type=Start, Acct-Delay-Time=20, Acct-Session-Id=00002222, Acct-Authentic=Local, NAS-Port-Type=Ethernet, NAS-Port-Id=GigabitEthernet0/23, cisco-av-pair=connect-progress=Call Up, AcsSessionID=USABLDRRECFLOW01/151856948/212124, FailureReason=11038 RADIUS Accounting-Request header contains invalid Authenticator field, Step=11004, Step=11017, Step=11038, Step=5413, NetworkDeviceGroups=Device Type#All Device Types#Switch, NetworkDeviceGroups=Location#All Locations#HQ, NetworkDeviceGroups=Unit#All Units#Networking, NetworkDeviceGroups=ACS Group#All ACS Groups, ACS Group=ACS Group#All ACS Groups,

Device Port is the originating port of the RADIUS request for the corresponding Device IP Address. DestinationPort (Impacted) belongs to the server being authenticated against (client-server relationship).
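The three mappings above, as an added example that is not part of the original page or of any LogRhythm parser: a small Python normalizer that selects the raw field feeding originPort (and its Impacted Port counterpart) per log source, so that the FireEye case, where the attacker is dst and therefore dpt is the Origin Port, is handled explicitly. The function names, the PORT_FIELDS table and the shortened sample lines with placeholder IPs are all constructed here.

```python
import re
from typing import Optional

# Which raw field feeds originPort (SPort) and which feeds the Impacted Port
# for each sample source on the page. FireEye MPS is the notable case: the
# attacker (C2 host) is 'dst', so dpt is the Origin Port and spt is Impacted.
PORT_FIELDS = {
    "fireeye_mps": {"origin": "dpt", "impacted": "spt"},
    "cisco_ngfw":  {"origin": "Flow_SrcPort", "impacted": "Flow_DstPort"},
    "cisco_ise":   {"origin": "Device Port", "impacted": "DestinationPort"},
}

def extract_port(line: str, key: str) -> Optional[int]:
    """Return key=<port> from a log line as an int, or None if absent/invalid.
    The key must start at a delimiter so 'dpt=' never matches inside 'spt='."""
    m = re.search(r"(?:^|[\s,])" + re.escape(key) + r"=(\d{1,5})(?!\d)", line)
    if not m:
        return None
    port = int(m.group(1))
    # Data Type is Integer; reject anything outside the TCP/UDP port range.
    return port if 0 <= port <= 65535 else None

def map_ports(source: str, line: str) -> dict:
    """Apply the per-source mapping to produce originPort / impactedPort."""
    fields = PORT_FIELDS[source]
    return {"originPort": extract_port(line, fields["origin"]),
            "impactedPort": extract_port(line, fields["impacted"])}

# Constructed sample lines, shortened from the page's examples; IPs are placeholders.
SAMPLES = {
    "fireeye_mps": ("CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|"
                    "rt=Feb 01 2016 23:13:10 UTC src=10.0.0.5 spt=51997 "
                    "dst=203.0.113.9 dpt=80 cs5Label=cncHost cs5=203.0.113.9"),
    "cisco_ngfw": ("CISCONGFW EVENT Ev_Id=610 Flow_Protocol=6 Flow_SrcIp=10.0.0.5 "
                   "Flow_DstIp=203.0.113.9 Flow_SrcPort=60221 Flow_DstPort=80"),
    "cisco_ise": ("Failed-Attempt: RADIUS Accounting-Request dropped, "
                  "ConfigVersionId=143, Device IP Address=10.0.0.7, Device Port=1646, "
                  "DestinationIPAddress=10.0.0.1, DestinationPort=1646, Protocol=Radius"),
}

if __name__ == "__main__":
    for src, line in SAMPLES.items():
        print(src, map_ports(src, line))
```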