
<p>Security Analytics 8.1.x Reference Guide </p><p><strong>Updated: </strong>Friday, November 15, 2019 </p><p></p><ul style="display: flex;"><li style="flex:1"><em>Security Analytics Reference Guide </em></li><li style="flex:1"><em>Security Analytics 8.1 </em></li></ul><p></p><p>Copyrights, Trademarks, and Intellectual Property </p><p><strong>Copyright © 2019 Symantec Corp. </strong>All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. </p><p>THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. SYMANTEC CORPORATION PRODUCTS, TECHNICAL SERVICES, AND ANY OTHER TECHNICAL DATA REFERENCED IN THIS DOCUMENT ARE SUBJECT TO U.S. EXPORT CONTROL AND SANCTIONS LAWS, REGULATIONS AND REQUIREMENTS, AND MAY BE SUBJECT TO EXPORT OR IMPORT REGULATIONS IN OTHER COUNTRIES. 
YOU AGREE TO COMPLY STRICTLY WITH THESE LAWS, REGULATIONS AND REQUIREMENTS, AND ACKNOWLEDGE THAT YOU HAVE THE RESPONSIBILITY TO OBTAIN ANY LICENSES, PERMITS OR OTHER APPROVALS THAT MAY BE REQUIRED IN ORDER TO EXPORT, RE-EXPORT, TRANSFER IN COUNTRY OR IMPORT AFTER DELIVERY TO YOU. </p>
<p>Table of Contents </p>
<ul>
<li><a href="#9_0"><strong>Recognized Applications</strong></a></li>
<li><a href="#9_1"><strong>Application Groups</strong></a></li>
<li><a href="#11_0"><strong>Backup and Restore</strong></a></li>
<li><a href="#11_1"><strong>Backup</strong></a></li>
<li><a href="#12_0"><em>Specify the Storage Location</em></a></li>
<li><a href="#12_1"><em>Manual Backup</em></a></li>
<li><a href="#12_2"><em>Encrypted Backup</em></a></li>
<li><a href="#13_0"><em>Scheduled Backup</em></a></li>
<li><a href="#13_1"><strong>Restore</strong></a></li>
<li><a href="#15_0"><strong>BPF Syntax</strong></a></li>
<li><a href="#15_1"><strong>GRE Encapsulation and BPF Filters</strong></a></li>
<li><a href="#17_0"><strong>Syslog Facilities</strong></a></li>
<li><a href="#17_1"><strong>Standard Syslog Facilities</strong></a></li>
<li><a href="#18_0"><strong>Standard Syslog Levels and Priorities</strong></a></li>
<li><a href="#19_0"><strong>Disable SSH Root Logins</strong></a></li>
<li><a href="#20_0"><strong>MD5-Encrypted Password for Bootloader</strong></a></li>
<li><a href="#0_0"><strong>Command-Line Interface</strong></a></li>
<li><a href="#0_1"><strong>CLI Commands</strong></a></li>
<li><a href="#0_2"><strong>Supported Linux Commands</strong></a></li>
<li><a href="#0_3"><strong>csr.sh</strong></a></li>
<li><a href="#0_4"><strong>dscapture</strong></a></li>
<li><a href="#0_5"><em>dscapture clearpersist</em></a></li>
<li><a href="#0_6"><em>dscapture cleartime</em></a></li>
<li><a href="#0_7"><em>dscapture init</em></a></li>
<li><a href="#0_8"><em>dscapture map</em></a></li>
<li><a href="#0_9"><em>dscapture mapshow</em></a></li>
<li><a href="#0_6"><em>dscapture settime</em></a></li>
<li><a href="#0_10"><em>dscapture shutdown</em></a></li>
<li><a href="#0_11"><em>dscapture start</em></a></li>
<li><a href="#0_6"><em>dscapture status</em></a></li>
<li><a href="#0_12"><em>dscapture stop</em></a></li>
<li><a href="#0_13"><em>dscapture unmap</em></a></li>
<li><a href="#0_14"><strong>dsfilter</strong></a></li>
<li><a href="#0_15"><strong>dsfirewall, dsfirewall6</strong></a></li>
<li><a href="#0_0"><strong>dslc</strong></a></li>
<li><a href="#0_16"><strong>dslc add</strong></a></li>
<li><a href="#0_17"><strong>dslc del</strong></a></li>
<li><a href="#0_18"><strong>dslc disable</strong></a></li>
<li><a href="#0_19"><strong>dslc enable</strong></a></li>
<li><a href="#0_20"><strong>dslc export</strong></a></li>
<li><a href="#0_21"><strong>dslc factory</strong></a></li>
<li><a href="#0_22"><strong>dslc import</strong></a></li>
<li><a href="#0_23"><strong>dslc set</strong></a></li>
<li><a href="#0_24"><strong>dslc show</strong></a></li>
<li><a href="#0_25"><strong>dslogdump</strong></a></li>
<li><a href="#0_0"><strong>dsmigrate.sh</strong></a></li>
<li><a href="#0_26"><strong>Setup</strong></a></li>
<li><a href="#0_21"><strong>Migrate the Data</strong></a></li>
<li><a href="#0_0"><strong>dsmigratedata</strong></a></li>
<li><a href="#0_27"><strong>Setup</strong></a></li>
<li><a href="#0_28"><em>Interface Configuration</em></a></li>
<li><a href="#0_29"><strong>Data-Migration Procedure</strong></a></li>
<li><a href="#0_30"><strong>Operation of dsmigratedata</strong></a></li>
<li><a href="#0_21"><strong>Restarting dsmigratedata</strong></a></li>
<li><a href="#0_31"><em>Stateful Restart</em></a></li>
<li><a href="#0_32"><em>Stateless Restart</em></a></li>
<li><a href="#0_33"><strong>dspcapimport</strong></a></li>
<li><a href="#0_24"><strong>dsportmapping</strong></a></li>
<li><a href="#0_21"><strong>dsregen</strong></a></li>
<li><a href="#0_34"><strong>dszap</strong></a></li>
<li><a href="#0_6"><em>Actions Performed</em></a></li>
<li><a href="#0_35"><strong>Running dszap</strong></a></li>
<li><a href="#0_0"><strong>dump_slot</strong></a></li>
<li><a href="#0_36"><strong>dump_slot_chain</strong></a></li>
<li><a href="#0_37"><strong>dump_slot_header slot_&lt;number&gt;</strong></a></li>
<li><a href="#0_38"><strong>dump_slot_elements &lt;filename&gt;</strong></a></li>
<li><a href="#0_39"><strong>dump_slot_pcap &lt;packet_number&gt;</strong></a></li>
<li><a href="#0_40"><strong>dump_slot_trail</strong></a></li>
<li><a href="#0_41"><strong>dump_space_table_entry &lt;slot_id&gt;</strong></a></li>
<li><a href="#0_21"><strong>walk_space_table_journal</strong></a></li>
<li><a href="#0_42"><strong>dynfilter</strong></a></li>
<li><a href="#0_43"><strong>lsi-rate-tool</strong></a></li>
<li><a href="#0_44"><strong>lsi-show</strong></a></li>
<li><a href="#0_45"><strong>MegaCli | megacli</strong></a></li>
<li><a href="#0_21"><strong>scm pivot_only_provider</strong></a></li>
<li><a href="#0_46"><strong>Add a Pivot-Only Provider</strong></a></li>
<li><a href="#0_47"><em>Pivot-Only Provider Demonstration</em></a></li>
<li><a href="#0_48"><strong>Delete a Pivot-Only Provider</strong></a></li>
<li><a href="#0_49"><strong>Sample Pivot-Only Providers</strong></a></li>
<li><a href="#0_50"><strong>scm sessions</strong></a></li>
<li><a href="#0_51"><em>scm solera_acl elevate</em></a></li>
<li><a href="#0_52"><strong>scm tally</strong></a></li>
<li><a href="#0_0"><strong>Web Services APIs</strong></a></li>
<li><a href="#0_53"><strong>Install and Test the SoleraConnector Class</strong></a></li>
<li><a href="#0_54"><strong>Session-Based APIs</strong></a></li>
<li><a href="#0_55"><strong>Pivot to Summary Page</strong></a></li>
<li><a href="#0_21"><strong>Single Time-Value Configuration</strong></a></li>
<li><a href="#0_0"><strong>API Changes in Security Analytics 8.1.x</strong></a></li>
<li><a href="#0_56"><em>New APIs</em></a></li>
<li><a href="#0_57"><em>Modified APIs</em></a></li>
<li><a href="#0_0"><strong>Advanced API Queries</strong></a></li>
<li><a href="#0_58"><em>Example Queries</em></a></li>
<li><a href="#0_59"><em>Combining Different Namespaces</em></a></li>
<li><a href="#0_0"><strong>Alerts APIs</strong></a></li>
<li><a href="#0_0"><strong>Anomalies APIs</strong></a></li>
<li><a href="#0_0"><strong>Authentication APIs</strong></a></li>
<li><a href="#0_0"><strong>BPF Filters APIs</strong></a></li>
<li><a href="#0_0"><strong>Capture APIs</strong></a></li>
<li><a href="#0_0"><strong>Central Manager APIs</strong></a></li>
<li><a href="#0_0"><strong>Data Enrichment APIs</strong></a></li>
<li><a href="#0_0"><strong>Date/Time APIs</strong></a></li>
<li><a href="#0_0"><strong>Drive-Space Management APIs</strong></a></li>
<li><a href="#0_0"><strong>Extractor APIs</strong></a></li>
<li><a href="#0_0"><strong>Geolocation APIs</strong></a></li>
<li><a href="#0_0"><strong>Indicators APIs</strong></a></li>
<li><a href="#0_0"><strong>License APIs</strong></a></li>
<li><a href="#0_0"><strong>Logging and Communication APIs</strong></a></li>
<li><a href="#0_60"><strong>Metadata APIs</strong></a></li>
<li><a href="#0_0"><strong>Network APIs</strong></a></li>
<li><a href="#0_0"><strong>Packet Analyzer APIs</strong></a></li>
<li><a href="#0_0"><strong>PCAP APIs</strong></a></li>
<li><a href="#0_0"><strong>Playback APIs</strong></a></li>
<li><a href="#0_0"><strong>Report and Report Status APIs</strong></a></li>
<li><a href="#0_0"><strong>Rules APIs</strong></a></li>
<li><a href="#0_0"><strong>Security APIs</strong></a></li>
<li><a href="#0_0"><strong>Statistics APIs</strong></a></li>
<li><a href="#0_0"><strong>Summary Page APIs</strong></a></li>
<li><a href="#0_0"><strong>System APIs</strong></a></li>
<li><a href="#0_0"><strong>Upgrades APIs</strong></a></li>
<li><a href="#0_0"><strong>User Account APIs</strong></a></li>
<li><a href="#0_0"><strong>Web Interface Settings APIs</strong></a></li>
<li><a href="#0_0"><strong>API Appendix</strong></a></li>
<li><a href="#0_0"><strong>Using Polling with the APIs</strong></a></li>
<li><a href="#0_61"><em>Syntax: Identity Path</em></a></li>
<li><a href="#0_62"><em>Syntax: Enhanced Primary Filter Array</em></a></li>
<li><a href="#0_63"><em>Syntax: Advanced-Filter Array</em></a></li>
<li><a href="#0_10"><em>Syntax: Primary Filter Array</em></a></li>
<li><a href="#0_6"><em>Syntax: Timespan Array</em></a></li>
<li><a href="#0_30"><em>Syntax: Timespan Date Array</em></a></li>
<li><a href="#0_64"><em>Syntax: Geolocation Internal Labels</em></a></li>
<li><a href="#0_65"><em>Syntax: Scheduled Events</em></a></li>
<li><a href="#0_66"><em>LDAP Schema Values</em></a></li>
<li><a href="#0_67"><em>Menu > Analyze > Alerts > Summary</em></a></li>
<li><a href="#0_68"><em>Menu > Analyze > Anomalies > Summary</em></a></li>
<li><a href="#0_69"><em>Capture Summaries Inputs</em></a></li>
<li><a href="#0_0"><strong>Using the APIs</strong></a></li>
<li><a href="#0_70"><strong>Best Practices</strong></a></li>
<li><a href="#0_14"><strong>Downloading Extracted Artifacts</strong></a></li>
<li><a href="#0_71"><strong>Downloading PCAPs</strong></a></li>
<li><a href="#0_0"><strong>Resources</strong></a></li>
</ul>
<p>Recognized Applications </p>
<p>59 New Recognized Applications in Security Analytics 8.1.1. Total: ~2900 </p>
<p>To obtain an XLSX or CSV list of recognized applications, select <strong>Reference > Recognized Applications </strong>in the Help Files, which are located: </p>
<ul>
<li>In the web interface under <strong>About > Help > [language]</strong>. </li>
<li>On <a href="/goto?url=https://support.symantec.com/content/unifiedweb/en_US/Documentation.1145515.html" target="_blank"><strong>https://support.symantec.com/content/unifiedweb/en_US/Documentation.1145515.html</strong></a>. </li>
</ul>
<p>Select the appropriate version, and then under <strong>Administration Guide </strong>open the <em>Security Analytics 8.1.1 WebGuide</em>. 
</p><p>The applications in the files can be identified by Security Analytics. The values in these tables appear in the <em>Application</em>, <em>Application Group </em>and <em>Application Group over Time </em>reports and report widgets and are valid for <strong>application_group=&lt;application_group&gt; </strong>and <strong>application_id=&lt;application_id&gt; </strong>in the <a href="filters.htm#Primary_Filters" target="_blank">primary filter bar</a>, for example, <strong>application_group="Network Service" </strong>or <strong>application_id=twitter</strong>. </p>
<p>Application Groups </p>
<p>Following are sample applications that are included in each application group. Where the last item is preceded by the word "and," all applications for that group are listed: </p>
<ul>
<li><strong>Antivirus </strong>— zonealarm, zonealarm_update, sophos_update, and lookout_ms </li>
<li><strong>Application Service </strong>— citrix_pvs, ldap, syslog, perforce, windows_marketplace, xfs </li>
<li><strong>Audio/Video </strong>— apple_music, baidu_player, google_play_music, gotomeeting, h245, hulu, iheartradio, itunes, netflix, pplive, qqlive, rtsp, spotify </li>
<li><strong>Authentication </strong>— chap, diameter, krb5, pap, radius, tacacs_plus </li>
<li><strong>Behavioral </strong>— high_entropy and spid </li>
<li><strong>Compression </strong>— ccp and comp </li>
<li><strong>Database </strong>— db2, drda, mysql, postgres, sybase, tds, tns </li>
<li><strong>Encrypted </strong>— i2p, ipsec, isakmp, ocsp, ssh, ssl, tor, and tor2web </li>
<li><strong>ERP </strong>— sap </li>
<li><strong>File Server </strong>— afp, ftp, gmail_drive, netbios, nfs, smb, tftp </li>
<li><strong>File Transfer </strong>— aim_transfer, bits, filesharepro, imessage_file_download, irc_transfer, irods, jabber_transfer, mypocket, paltalk_transfer, and ymsg_transfer </li>
<li><strong>Forum </strong>— google_groups, ircs, kaskus, linkedin, live_groups, mibbet, nntp, nntps, odnoklassniki, r10, tapatalk, vkontakte, and yahoo_groups </li>
<li><strong>Game </strong>— all_slots_casino, angry_birds, candy_crush_saga, cstrike, eve_online, poker_stars, qq_r2, quake, runescape, wow </li>
<li><strong>Instant Messaging </strong>— aim, badoo, facebook_messenger, gmail_chat, gtalk, irc, jabber, qq, whatsapp, ymsg </li>
<li><strong>Mail </strong>— imap, imaps, lotusnotes, mapi, pop3, pop3s, smtp, and smtps </li>
<li><strong>Microsoft Office </strong>— groove </li>
<li><strong>Middleware </strong>— amqp, dcerpc, diop, giop, iiop, java_rmi, rpc, soap, thrift </li>
<li><strong>Network Management </strong>— cdp, cip, enip, lcp, modbus, netflow, rsvp, sccm, snmp, wccp </li>
<li><strong>Network Service </strong>— 8021q, arp, crudp, dccp, dhcp, dnp3, dns, eth, fibre_channel, hopopt, icmp, ip, ip6, isis, mux, nbns, ntp, sctp, svn, udp, whois </li>
<li><strong>Peer to Peer </strong>— bitcoin, bittorrent, directconnect, edonkey, filetopia, gnutella, kazaa, qqmusic, thunder </li>
<li><strong>Printer </strong>— apple_airprint, bjnp, cups, ipp, jetdirect, and lpr </li>
<li><strong>Routing </strong>— bgp, eigrp, mpls, ospf, rip1, rip2, stp </li>
<li><strong>Security Service </strong>— fsecure, ghostsurf, mcafee, and peerguardian </li>
<li><strong>Standard </strong>— established, incomplete, malformed, and unknown </li>
<li><strong>Telephony </strong>— bssap and isup </li>
<li><strong>Terminal </strong>— rlogin, rsh, telnet, telnets, and tnvip </li>
<li><strong>Thin Client </strong>— anydesk, gotomypc, ica, jedi, pcanywhere, radmin, rdp, vmware, x11 </li>
<li><strong>Tunneling </strong>— etherip, gre, http_tunnel, l2tp, ppp, pppoe, socks5, teredo </li>
<li><strong>WAP </strong>— bxml, mmse, smpp, ucp, wsp, wtls, and wtp </li>
<li><strong>Web </strong>— 4chan, abcnews, alibaba, amazon_aws, baidu, bbc, disney_channel, ebay, elpais, facebook, flickr, google, http, https, kaspersky, nytimes, outlook, pandora, reddit, sharepoint, travelocity, tumblr, twitter, wikipedia, windows_update, yahoo, youtube </li>
<li><strong>Webmail </strong>— gmail, live_hotmail, mailru, orangemail, owa, yandex_webmail, ymail2, zimbra </li>
</ul>