Five-tuple
Definition
The five fields that uniquely identify a network flow: source IP address, source port, destination IP address, destination port, and transport protocol (TCP or UDP). Every firewall log entry records at least the five-tuple plus the action taken.
Related terms
- Anomaly-based IDS
  - An intrusion detection system that models normal traffic behaviour and alerts when observed traffic deviates significantly from that baseline. Detects novel attacks...
- Lateral movement
  - Attacker activity after initial compromise in which the threat actor traverses from one internal system to another, typically to escalate privileges, access...
- Proxy log
  - A record generated by a forward proxy server for each HTTP or HTTPS request made by an internal client. Contains the URL,...
- Signature-based IDS
  - An intrusion detection system that compares network traffic against a database of known attack patterns (signatures). Snort and Suricata are the dominant...
- True positive / false positive
  - A true positive is an alert that correctly identifies malicious activity. A false positive is an alert that fires on legitimate traffic....
Explained in
- Firewall and Intrusion Detection Log Analysis