Database tables
Table argos
Column Type Not Null Default
id integer NOT NULL nextval('argos_id_seq'::regclass)
sensorid integer
imageid integer
templateid integer
timespan character varying
- id - Unique identifier.
- sensorid - Identifier of the sensor.
- imageid - Identifier of the image.
- templateid - Identifier of the template.
- timespan - Timespan chosen.
Table argos_images
Column Type Not Null Default
id integer NOT NULL nextval('argos_images_id_seq'::regclass)
name character varying
serverip inet
macaddr macaddr
imagename character varying
osname character varying
oslang character varying
organisationid integer 0
- id - Unique identifier.
- name - Name of the image.
- serverip - IP address of the Argos server that is hosting this image.
- macaddr - MAC address used on the Argos server by this image.
- imagename - Filename of the image.
- osname - Name of the operating system of this image.
- oslang - Language of the operating system.
- organisationid - Identifier of the organisation that owns this image.
Table argos_ranges
Column Type Not Null Default
id integer NOT NULL nextval('argos_ranges_id_seq'::regclass)
sensorid integer
range inet
- id - Unique identifier.
- sensorid - Identifier of the sensor.
- range - IP address (single IP or range) that is redirected to the Argos server.
Table argos_templates
Column Type Not Null Default
id integer NOT NULL nextval('argos_templates_id_seq'::regclass)
name character varying
abbr character varying
- id - Unique identifier.
- name - Name of the template.
- abbr - Shorter version of the name of the template.
Table arp_cache
Column Type Not Null Default
id integer NOT NULL nextval('arp_cache_id_seq'::regclass)
mac macaddr NOT NULL
ip inet NOT NULL
sensorid integer NOT NULL
last_seen integer NOT NULL
manufacturer character varying
flags character varying
- id - Unique identifier.
- mac - MAC address that is detected by the ARP script.
- ip - IP address that is paired with the detected MAC address.
- sensorid - Identifier of the sensor.
- last_seen - Timestamp of the time this MAC address/IP pair was last changed.
- manufacturer - Manufacturer of the NIC based on the OUI from the MAC address.
- flags - Detected flags (router, dhcp, etc).
Table arp_excl
Column Type Not Null Default id serial NOT NULL mac macaddr NOT NULL
- id - Unique identifier.
- mac - MAC address that is excluded from the ARP results.
Table arp_static
Column Type Not Null Default
id integer NOT NULL nextval('arp_static_id_seq'::regclass)
mac macaddr NOT NULL
ip inet NOT NULL
sensorid integer NOT NULL
- id - Unique identifier.
- mac - MAC address.
- ip - IP address that is paired with the entered MAC address.
- sensorid - Identifier of the sensor.
Table attacks
Column Type Not Null Default
id integer NOT NULL nextval('public.attacks_id_seq'::text)
timestamp integer NOT NULL
severity integer NOT NULL
source inet NOT NULL
sport integer NOT NULL
dest inet NOT NULL
dport integer NOT NULL
sensorid integer NOT NULL
src_mac macaddr
dst_mac macaddr
atype integer NOT NULL 0
- id - Unique identifier.
- timestamp - Timestamp in epoch format.
- severity - Severity of the attack (Nepenthes defines possible values: 0, 1, 16, 32).
- source - Source IP address.
- sport - Source port.
- dest - Destination IP address.
- dport - Destination port.
- sensorid - Identifier of the sensor that logged the attack.
- src_mac - The MAC address of the attacker if known.
- dst_mac - The MAC address of the destination.
- atype - Type of malicious attack.
Table binaries
Column Type Not Null Default
id integer NOT NULL nextval('public.binaries_id_seq'::text)
timestamp integer
bin integer
info integer
scanner integer
- id - Unique identifier.
- timestamp - Timestamp in epoch format.
- bin - ID of the binary linking to uniq_binaries.
- info - Result of the virus scan linking to stats_virus.
- scanner - ID of the scanner used linking to scanners.
Table binaries_details
Column Type Not Null Default
id integer NOT NULL nextval('public.binaries_detail_id_seq'::text)
bin integer
fileinfo character varying
filesize integer
last_scanned integer
upx character varying
- id - Unique identifier.
- bin - ID of the binary.
- fileinfo - Result of the linux command: file.
- filesize - Size of the file in bytes.
- last_scanned - Timestamp of the last scan time.
- upx - UPX scan result.
Table cwsandbox
Column Type Not Null Default binid integer NOT NULL xml text result text
- binid - Identifier of the binary that was scanned.
- xml - XML result of the CWsandbox scan.
- result - HTML result converted from the XML.
Table deactivated_attacks
This table is to archive attacks from deactivated sensors. The layout is the same as the normal attack table.
Table deactivated_details
This table is to archive details from archived attacks. The layout is the same as the normal detail table.
Table deactivated_sensors
This table is to archive sensors which are known to be never coming online again. This is a way to remove them from all the logging but not delete the information altogether. The layout is the same as the normal sensors table.
Table details
Column Type Not Null Default
id integer NOT NULL nextval('public.details_id_seq'::text)
attackid integer NOT NULL
sensorid integer NOT NULL
type integer NOT NULL
text text NOT NULL
- id - Unique identifier.
- attackid - Identifier of the related attack.
- sensorid - Identifier of the sensor that logged the related attack.
- type - Type of attack (Nepenthes defines possible values: 1, 2, 4, 8).
- text - Detailed info.
Table dhcp_static
Column Type Not Null Default
id integer NOT NULL nextval('dhcp_static_id_seq'::regclass)
ip inet NOT NULL
sensorid integer NOT NULL
- id - Unique identifier
- ip - IP address of the DHCP server
- sensorid - Identifier of the corresponding sensor
Table groupmembers
Column Type Not Null Default id integer NOT NULL sensorid integer NOT NULL groupid integer NOT NULL
- id - Unique identifier.
- sensorid - ID of the sensor.
- groupid - ID of the group.
Table groups
Column Type Not Null Default id integer NOT NULL name character varying NOT NULL owner integer NOT NULL
- id - Unique identifier.
- name - Name of the group.
- owner - Owner of the group. Points to a login ID.
Table honeypots
Column Type Not Null Default id integer NOT NULL name character varying NOT NULL desc character varying
- id - Unique identifier.
- name - Name of the honeypot
- desc - Description of the honeypot
Table indexmods
Column Type Not Null Default id serial NOT NULL phppage character varying
- id - Unique identifier.
- phppage - Name of the php module.
Table indexmods_selected
Column Type Not Null Default login_id integer indexmod_id integer
- login_id - ID of the user.
- indexmod_id - ID of the php module.
Table ipv6_static
Column Type Not Null Default
id integer NOT NULL nextval('ipv6_static_id_seq'::regclass)
ip inet NOT NULL
sensorid integer NOT NULL
- id - Unique identifier
- ip - IPv6 address
- sensorid - Identifier of the corresponding sensor
Table login
Column Type Not Null Default
id integer NOT NULL nextval('public.login_id_seq'::text)
username character varying NOT NULL
password character varying NOT NULL
email character varying
lastlogin integer
organisation integer NOT NULL 0
access character varying NOT NULL '000'::character varying
serverhash character varying
gpg integer 0
d_plotter integer NOT NULL 0
d_plottype integer NOT NULL 0
d_utc integer NOT NULL 0
d_censor integer NOT NULL 0
- id - Unique identifier.
- uername - Username.
- password - Password of the user as a md5 hash.
- email - Email address of the user.
- lastlogin - Last time the user logged in. Timestamp in epoch format.
- organisation - Organisation of the user.
- access - Access of the user. 3 digits 0-9.
- serverhash - A token used when login method 2 is enabled in the webinterface.
- gpg - Enables(1)/disables(0) the use of GPG signing of the email alerts.
- d_plotter - Default plotter used for the graphs (PHPlot, OpenFlash).
- d_plottype - Default graph type (pie, line, area, bars).
- d_utc - Default timestamp notation (UTC or regular)
- d_censor - Default value for the IP address censor setting.
Table logmessages
Column Type Not Null Default id integer NOT NULL type integer NOT NULL log character varying NOT NULL
- id - Unique identifier.
- type - Type of message.
- log - Info text.
Table norman
Column Type Not Null Default binid integer NOT NULL result text
- binid - Unique binary id linking to the uniq_binaries table.
- text - Norman sandbox result.
Table org_excl
Column Type Not Null Default
id integer NOT NULL nextval('org_excl_id_seq'::regclass)
orgid integer NOT NULL
exclusion inet NOT NULL
- id - Unique identifier.
- orgid - Identifier of the organisation.
- exclusion - IP address excluded from the logging.
Table org_id
Column Type Not Null Default
id integer NOT NULL nextval('org_id_id_seq'::regclass)
orgid integer NOT NULL
identifier character varying NOT NULL
type integer
- id - Unique identifier.
- orgid - Organisation identifier.
- identifier - Name of the identifier.
- type - Type of identifier (WHOIS netname, domain name, ris, SURFnet SOAP).
Table organisations
Column Type Not Null Default
id integer NOT NULL nextval('public.organisations_id_seq'::text)
organisation character varying NOT NULL
ranges text
- id - Unique identifier.
- organisation - Name of the organisation.
- ranges - A ”;” separated list of IP ranges that are owned by the organisation of the user.
Table ostypes
Column Type Not Null Default
id integer NOT NULL nextval('public.organisations_id_seq'::text)
os character varying NOT NULL
- id - Unique identifier.
- os - Unique operating system name. Filled by rule on system.name.
Table pageconf
Column Type Not Null Default userid integer NOT NULL 0 pageid integer NOT NULL 0 config character varying
- userid - ID of the user this page configuration belongs to.
- pageid - ID of the page this configuration is for.
- config - The actual configuration as a csv list.
Table report_content
Column Type Not Null Default
id integer NOT NULL nextval('report_content_id_seq'::regclass)
user_id integer
template integer
last_sent integer
active boolean NOT NULL true
sensor_id integer
frequency integer
interval integer NOT NULL -1
priority integer
subject character varying
operator integer NOT NULL -1
threshold integer NOT NULL -1
severity integer NOT NULL -1
detail integer NOT NULL 0
qs character varying
from_ts integer NOT NULL -1
to_ts integer NOT NULL -1
always integer NOT NULL 0
utc integer NOT NULL 0
public boolean NOT NULL false
orgid integer NOT NULL 0
- id - Unique identifier.
- user_id - User identifier.
- template - Type of template used (threshold, sensor status, own attacks, all attacks).
- last_sent - Timestamp of the last sent alert in epoch format.
- active - Boolean defining the current status of the alert.
- sensor_id - Sensor identifier.
- frequency - Frequency of the report when not threshold (hourly, daily, weekly).
- interval - Interval of the threshold report (last hour, last day, last week).
- priority - Priority level of the email.
- subject - Subject of the email.
- operator - Operator of the report threshold (if applicable).
- threshold - Threshold of the report (if applicable).
- severity - Severity filter of the report (if applicable).
- detail - Detail level of the report.
- qs - Saved query string in case of a searchtemplate.
- from_ts - Start timestamp in case of a searchtemplate.
- to_ts - End timestamp in case of a searchtemplate.
- always - Value to determine if the report always needs to be send regardless of content or threshold.
- utc - Format of the timestamps used (1=UTC, 0=regular).
- public - Boolean value to make an RSS feed publicly available (ie, without logging in) or not.
- orgid - Organisation identifier. This is used for public RSS feeds to determine the organisation.
Table rrd
Column Type Not Null Default
id integer NOT NULL nextval('rrd_id_seq'::regclass)
orgid integer NOT NULL
type character varying NOT NULL
label character varying NOT NULL
image character varying NOT NULL
timestamp integer
- id - Unique identifier.
- orgid - Unique identifier of the organisation.
- type - The type of the image. (day, week, month, year)
- label - Label of the image (sensor name).
- image - Base64 encoded image (result from rrd_traffic.pl script).
- timestamp - Timestamp in epoch format.
Table scanners
Column Type Not Null Default
id integer NOT NULL nextval('scanners_id_seq'::regclass)
name character varying
status integer NOT NULL 0
version character varying
getvirus character varying
matchvirus character varying
getbin character varying
matchclean character varying
- id - Unique identifier.
- name - Name of the scanner.
- status - Enable(1)/disable(0) the scanner.
- version - The version info obtained with the vercommand (by the scanbinaries.pl script).
- getvirus - Check out Antivirus support for more info.
- matchvirus - Check out Antivirus support for more info.
- getbin - Check out Antivirus support for more info.
- matchclean - Check out Antivirus support for more info.
Table scheme
Column Type Not Null Default version integer NOT NULL created timestamp with time zone NOT NULL
- version - Version info for the p0f SQL tables.
- created - Date when the p0f SQL tables were created.
NOTE: These is a p0f specific table.
Table sensor_notes
Column Type Not Null Default
id integer NOT NULL
keyname character varying NOT NULL
ts integer NOT NULL date_part('epoch'::text, now())
note text
vlanid integer
admin integer NOT NULL 0
type integer NOT NULL 1
- id - Unique identifier.
- keyname - Name of the sensor this note belongs to.
- ts - Epoch timestamp of note creation.
- note - Actual note text.
- vlanid - Vlan ID of the sensor this note belongs to. Can be NULL, then it belongs to all VLAN's.
- admin - Admin only note (1=Yes, 0=No).
- type - Type of note.
Table sensors
Column Type Not Null Default
id integer NOT NULL nextval('public.sensors_id_seq'::text)
keyname character varying NOT NULL
laststart integer
status integer
uptime integer
laststop integer
tap character varying
tapip inet
mac macaddr
organisation integer NOT NULL 0
vlanid integer NOT NULL 0
arp boolean NOT NULL false
label character varying
networkconfig character varying
dhcp boolean NOT NULL false
ipv6 boolean NOT NULL false
protos boolean NOT NULL false
- id - Unique identifier.
- keyname - Name of the sensor.
- laststart - Epoch timestamp of the last time the sensor was started.
- status - Current status of the sensor.
- uptime - Actual uptime of the sensor in seconds.
- laststop - Last time the sensor was stopped with stopclient. Epoch timestamp.
- tap - Interface of the virtual end point on the tunnel server.
- tapip - IP address of the tap interface.
- mac - MAC address of the tap interface.
- organisation - Unique identifier of the organisation.
- netconfdetail - The IP configuration if netconf = vlans or static.
- vlanid - The VLAN id of the sensor, defaults to 0 (meaning no VLAN).
- arp - Boolean indicating if the ARP ethernet module is enabled/disabled.
- label - User configured label for the sensor.
- networkconfig - Type of IP configuration (dhcp or the actual static config).
- dhcp - Boolean indicating if the DHCP ethernet module is enabled/disabled.
- ipv6 - Boolean indicating if the IPv6 ethernet module is enabled/disabled.
- protos - Boolean indicating if the protocol ethernet module is enabled/disabled.
Table sensors_details
Column Type Not Null Default id integer NOT NULL keyname character varying NOT NULL remoteip inet localip inet sensormac macaddr mainif character varying trunkif character varying ssh integer NOT NULL 0 action character varying lastupdate integer NOT NULL 0 rev integer NOT NULL 0 sensortype character varying mainconf character varying osversion character varying dns1 inet dns2 inet permanent integer NOT NULL 0
- id - Unique identifier.
- keyname - Name of the sensor.
- remoteip - IP address of the sensor or organisation gateway (in case of NAT).
- localip - IP address of the local interface of the sensor (actual IP address).
- sensormac - MAC address of mainIf interface of the sensor.
- mainif - Main interface for network connections. The tunnel is going out this interface.
- trunkif - The trunk interface (if any, in VLAN config).
- ssh - Current status of the SSH daemon on the sensor.
- action - Type of action the sensor will do at the next update.
- lastupdate - Epoch timestamp of the last update.
- rev - Sensor network configuration revision.
- sensortype - Type of sensor (normal or vlan).
- mainconf - Network configuration of the mainIf.
- osversion - Version of the operating system of the sensor.
- dns1 - Primary DNS server, if configured.
- dns2 - Secondary DNS server, if configured.
- permanent - Marks the sensor a permanent sensor (ie, a sensor that never goes offline, usually used for sensors running on the tunnel server).
Table serverstats
Column Type Not Null Default
id integer NOT NULL nextval('serverstats_id_seq'::regclass)
timestamp integer NOT NULL
type character varying NOT NULL
label character varying NOT NULL
interval character varying NOT NULL
image character varying NOT NULL
server character varying NOT NULL
- id - Unique identifier.
- timestamp - Timestamp in epoch format.
- type - Type of picture (traffic, memory, hdd, cpu).
- label - Label of the picture.
- interval - Interval of the picture (day, week, month, year).
- image - The image encoded in base64 format.
- server - Tunnel server or logging server.
Table sessions
Column Type Not Null Default
id integer NOT NULL nextval('sessions_id_seq'::regclass)
sid character varying NOT NULL
ip inet NOT NULL
ts integer NOT NULL
username character varying
useragent character varying
- id - Unique identifier.
- sid - Session identifier.
- ip - IP of the user with this session identifier.
- ts - Timestamp in epoch format.
- username - Username of the user with this session identifier.
- useragent - User-agent information of the user (hashed md5).
Table severity
Column Type Not Null Default
id integer NOT NULL nextval('public.severity_id_seq'::text)
val integer NOT NULL
txt character varying NOT NULL
- id - Unique identifier.
- val - Nepenthes severity value.
- txt - Text field with the name of the severity.
Table sniff_hosttypes
Column Type Not Null Default
id integer NOT NULL nextval('sniff_hosttypes_id_seq'::regclass)
staticid integer NOT NULL
type integer NOT NULL
- id - Unique identifier.
- staticid - Identifier pointing to the arp_static entry.
- type - Type of host (dhcp, router, server).
Table sniff_protos
Column Type Not Null Default
id integer NOT NULL nextval('sniff_protos_id_seq'::regclass)
sensorid integer NOT NULL
parent integer NOT NULL
number integer NOT NULL
subtype integer NOT NULL
- id - Unique identifier.
- sensorid - Sensor identifier.
- parent - Type of parent protocol.
- number - Protocol number.
- subtype - Subtype number (if any).
Table ssh_command
Column Type Not Null Default
id integer NOT NULL nextval('ssh_command_id_seq'::regclass)
attackid integer NOT NULL
command character varying NOT NULL
- id - Unique identifier
- attackid - Identifier of the associated attack
- command - Command entered by the attacker
Table ssh_logins
Column Type Not Null Default
id integer NOT NULL nextval('ssh_logins_id_seq'::regclass)
attackid integer NOT NULL
type boolean NOT NULL false
sshuser character varying NOT NULL
sshpass character varying NOT NULL
- id - Unique identifier
- attackid - Identifier of the associated attack
- type - Boolean value indicating succesful or unsuccesful login
- sshuser - SSH username
- sshpass - SSH password
Table ssh_version
Column Type Not Null Default
id integer NOT NULL nextval('ssh_command_id_seq'::regclass)
attackid integer NOT NULL
version integer NOT NULL
- id - Unique identifier
- attackid - Identifier of the associated attack
- version - Identifier of the SSH version (links with uniq_sshversion.id)
Table stats_dialogue
Column Type Not Null Default
id integer NOT NULL nextval('public.stats_dialogue_id_seq'::text)
desc character varying
url character varying
name character varying
- id - Unique identifier.
- desc - Description of the exploit/vulnerability.
- url - URL to a description of the exploit/vulnerability.
- name - Dialogue name as used by Nepenthes.
Table stats_virus
Column Type Not Null Default
id integer NOT NULL nextval('public.stats_virus_id_seq'::text)
name character varying
- id - Unique identifier.
- name - Name of the virus.
Table syslog
Column Type Not Null Default
id integer NOT NULL
source character varying NOT NULL
error character varying NOT NULL
args character varying
level integer NOT NULL 0
keyname character varying
device character varying
pid integer NOT NULL 0
vlanid integer NOT NULL 0
timestamp timestamp without time zone DEFAULT ('now'::text)::timestamp(4) without time zone NOT NULL
- id - Unique identifier.
- source - Source of the log message (script name).
- error - Abbreviated error identifier (a sort of classification of the log message).
- args - The actual log message.
- level - Severity level of the log message (CRIT - 4, ERROR - 3, WARN - 2, INFO - 1, DEBUG - 0)
- keyname - Name of the sensor this log message is related to (if known).
- device - Name of the device (interface) this log message is related to (if applicable).
- pid - Process ID of the script running that produced this log message (if applicable).
- vlanid - VLAN ID of the sensor this log message is related to (if applicable).
- timestamp - Timestamp of the log message.
Table system
Column Type Not Null Default
sid bigint NOT NULL nextval('system_sid_seq'::regclass)
ip_addr inet NOT NULL
name character(128) NOT NULL
first_tstamp timestamp with time zone
last_tstamp timestamp with time zone NOT NULL
- sid - Unique identifier.
- ip_addr - IP address of the detected system.
- name - Type of system as detected by p0f.
- first_tstamp - First time the system has been seen.
- last_tstamp - Last time the system has been seen.
NOTE: This is a p0f specific table.
Table system_details
Column Type Not Null Default sid integer NOT NULL ip_addr inet NOT NULL nat character varying(64) NOT NULL 'no/unknown'::character varying ecn character varying(64) NOT NULL 'no/unknown'::character varying firewall character varying(64) NOT NULL 'no/unknown'::character varying lookup_link character varying(128) NOT NULL 'unknown'::character varying distance smallint NOT NULL 0
- sid - Unique identifier.
- ip_addr - IP address.
- nat - Detected NAT'ed address.
- ecn - Unkown.
- firewall - If the host is firewalled or not.
- lookup_link - Unkown.
- distance - The distance of the host (amount of hops).
NOTE: This is a p0f specific table. We don't use this in the webinterface, but it's required for p0f-db.
Table uniq_binaries
Column Type Not Null Default
id integer NOT NULL nextval('uniq_binaries_id_seq'::regclass)
name character varying
- id - Unique identifier.
- name - Name of the binary.
Table uniq_sshversion
Column Type Not Null Default
id integer NOT NULL nextval('uniq_sshversion_id_seq'::regclass)
version character varying
- id - Unique identifier.
- version - Version of the SSH client used by attackers.
Table version
Column Type Not Null Default version integer NOT NULL
- version - Version of the currently installed database model. Should be 30000 for this release.
