Network activities tab

Kaspersky Threat Intelligence Portal provides information about activities that were registered during the file execution. The results are displayed in separate tables, each of which contains up to 10 entries.

For easier navigation to certain sections, you can select the required protocol on the panel above the sections. You can also select the required section by clicking the Sessions button (the button with three dots). The panel is frozen and remains visible when you scroll the page.

Network interactions

Table name

Description

Table fields

IP sessions

IP sessions that were registered during file execution.

Threat score—Probability that the destination IP address is dangerous (0 to 100). An IP address is classified by Kaspersky expert systems as dangerous if its threat score is greater than 74.

Destination IP—Destination IP address.

Started—Date and time when the IP session started.

Ended—Date and time when the IP session ended.

Size—Size of data that was sent and received within the IP session (in bytes).

Packets—Number of packets that were sent and received within the IP session.

TCP sessions

TCP sessions that were registered during file execution.

Threat score—Probability that the IP address is dangerous (0 to 100).

Destination IP—Destination IP address.

Source port—Source port number (0–65536).

Destination port—Destination port number (0–65536).

Size—Size of data that was sent and received within the TCP session (in bytes).

Packets—Number of packets that were sent and received within the TCP session.

SYN packets—Number of SYN packets that were sent and received within the TCP session.

FIN packets—Number of FIN packets that were sent and received within the TCP session.

Out-of-order packets—Number of out-of-order packets that were sent and received within the TCP session.

Lost ACK packets—Number of lost ACK packets that were sent and received within the TCP session.

Duplicated ACK packets—Number of duplicated ACK packets that were sent and received within the TCP session.

Window In—Number of incoming segments (bytes) that can be sent from server to client before an acknowledgment (ACK packet) is received.

Window Out—Number of outgoing segments (bytes) that can be sent from client to server before an acknowledgment (ACK packet) is received.

UDP sessions

UDP sessions that were registered during file execution.

Threat score—Probability that the IP address is dangerous (0 to 100).

Destination IP—Destination IP address.

Source port—Source port number (0–65536).

Destination port—Destination port number (0–65536).

Size—Size of data that was sent and received within the UDP session (in bytes).

Packets—Number of packets that were sent and received within the UDP session.

DNS requests

DNS requests that were registered during file execution.

Id—DNS message ID.

QR—Request/response indicator (0—DNS query, 1—DNS response).

RCode—DNS response code.

Size—Size of data that was sent and received within the DNS session (in bytes).

Packets—Number of packets that were sent and received within the DNS session.

Records—Records in the message. You can click the link to view detailed information about the records. For each record, its name, section, type, and APT categories are displayed; the TTL and Data fields are displayed if available.
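To make the Id, QR, RCode, Size and Records columns concrete, here is an added example (not code from the portal or from Kaspersky) that parses a raw DNS message and returns exactly those fields. The two sample messages are constructed inline (a query and a response for the placeholder name example.com with a made-up A record); the record type and response code name tables are the ones assumed from RFC 1035.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Response code names (RCode column); values from RFC 1035 / RFC 2136.
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
# Common record types (Type column of the Records view).
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
              16: "TXT", 28: "AAAA"}


@dataclass
class DnsRecord:
    name: str
    section: str              # question / answer / authority / additional
    rtype: str
    ttl: Optional[int] = None  # question entries carry no TTL or data
    data: Optional[str] = None


@dataclass
class DnsMessage:
    id: int
    qr: int                   # 0 = DNS query, 1 = DNS response
    rcode: int
    size: int                 # message length in bytes
    records: List[DnsRecord]

    def as_row(self) -> Dict[str, object]:
        """Mirror the table columns: Id, QR, RCode, Size, Records."""
        return {"Id": self.id, "QR": self.qr,
                "RCode": RCODE_NAMES.get(self.rcode, f"RCODE{self.rcode}"),
                "Size": self.size, "Records": len(self.records)}


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2           # the field ends after the 2-byte pointer
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            hops += 1
            if hops > 64:                  # refuse pointer loops in hostile input
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", (end if end is not None else offset)


def _format_rdata(rtype: int, rdata: bytes, msg: bytes, rdata_off: int) -> str:
    if rtype == 1 and len(rdata) == 4:
        return ".".join(str(b) for b in rdata)
    if rtype == 28 and len(rdata) == 16:
        return ":".join(rdata[i:i + 2].hex() for i in range(0, 16, 2))
    if rtype in (2, 5, 12):                # NS / CNAME / PTR carry a name
        return _read_name(msg, rdata_off)[0]
    return rdata.hex()


def parse_dns(msg: bytes) -> DnsMessage:
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes; message too short")
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    qr, rcode = (flags >> 15) & 1, flags & 0xF
    offset, records = 12, []
    for _ in range(qd):
        name, offset = _read_name(msg, offset)
        qtype, _qclass = struct.unpack_from("!HH", msg, offset)
        offset += 4
        records.append(DnsRecord(name, "question", TYPE_NAMES.get(qtype, str(qtype))))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, offset = _read_name(msg, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
            offset += 10
            rdata = msg[offset:offset + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated RDATA")
            records.append(DnsRecord(name, section, TYPE_NAMES.get(rtype, str(rtype)),
                                     ttl, _format_rdata(rtype, rdata, msg, offset)))
            offset += rdlen
    return DnsMessage(ident, qr, rcode, len(msg), records)


# Constructed samples: a query and its response for example.com (A record, TTL 300,
# made-up address 93.184.216.34). Not captured traffic.
_QUESTION = "07" "6578616d706c65" "03" "636f6d" "00" "0001" "0001"
SAMPLE_QUERY = bytes.fromhex("1234" "0100" "0001" "0000" "0000" "0000" + _QUESTION)
SAMPLE_RESPONSE = bytes.fromhex("1234" "8180" "0001" "0001" "0000" "0000" + _QUESTION
                                + "c00c" "0001" "0001" "0000012c" "0004" "5db8d822")

if __name__ == "__main__":
    for sample in (SAMPLE_QUERY, SAMPLE_RESPONSE):
        m = parse_dns(sample)
        print(m.as_row(), [(r.section, r.name, r.rtype, r.ttl, r.data) for r in m.records])
```

The parser refuses compression-pointer loops and truncated RDATA rather than looping or reading past the buffer, which is the failure mode that matters when the bytes come from a sandboxed sample.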

TLS sessions

TLS sessions that were registered during file execution.

Status—Status of the domain.

APT categories—List of APT categories of the domain.

Version—TLS protocol version.

Cipher—Cryptographic algorithm.

Curve—Curve class.

Server name—Name of the server.

Subject—Subject name.

Issuer—Issuer name.

FTP sessions

FTP sessions that were registered during file execution.

Status—Danger level.

APT categories—List of APT categories of the IP address.

Command—Command name.

Reply—Reply code and reply message from a server.

MD5—File that was transferred when the command was executed.

Channel—Information about FTP client address, FTP server address and port number.

IRC sessions

IRC sessions that were registered during file execution.

Command—Command name.

User—User name.

Nick—User's nickname.

Sender—Nickname of the command's sender.

Channel—Name of the channel to send the message to during the IRC session.

Text—Text that was sent during the IRC session.

POP3 sessions

POP3 sessions that were registered during file execution.

Type—Command type.

Command—Command result.

Arguments—Command arguments.

Text—Description of the result of the command.

SMB sessions

SMB sessions that were registered during file execution.

Status—Status of the IP address.

APT categories—List of APT categories of the IP address.

Destination IP—Session's destination IP address.

Destination port—Destination port number (0–65536).

Version—Protocol version.

MD5—MD5 of the file transferred during the command execution.

SMTP sessions

SMTP sessions that were registered during file execution.

Status—Status of the hash.

APT categories—List of APT categories of the hash.

From—Sender's name and address.

To—Receivers' names and addresses.

Subject—Message subject.

MD5—List of MD5 hashes of attached files.

SOCKS sessions

SOCKS sessions that were registered during file execution.

Status—Status of the IP address.

APT categories—List of APT categories of the IP address.

Version—SOCKS protocol version.

Request host/port—IP address or fully qualified domain name (FQDN) and port (0-65536), to which the connection request was made via the SOCKS protocol.

Bound host/port—IP address or fully qualified domain name (FQDN) and port (0-65536), to which the connection was established.

HTTP(S) requests

HTTP requests registered during file execution.

Status—Status of the web address in the HTTP request. The web address can belong to one of the following zones:

  • Dangerous (there are malicious objects related to the web address).
  • Not trusted (categorized as Infected or Compromised).
  • Adware and other (there are objects that can be classified as Not-a-virus, which are related to the web address).
  • Good (the web address is not malicious).
  • Not categorized (the web address cannot be categorized due to insufficient information).

If the web address is related to an APT attack or mentioned in threat intelligence reports, the corresponding category is displayed by the web address zone.

You can click the web address to navigate to the Threat Lookup results page. If you have a valid commercial APT Intelligence Reporting Service license, and the file is related to an APT attack, a link to the corresponding APT Intelligence report on the Reporting page is displayed in the Categories field. If the requested object is related to several APT attacks, all related links are displayed.

APT categories—List of APT categories of the web address.

URL—Web address to which the request was registered. Investigation results for certain web addresses in this section may be unavailable on the Threat Lookup results page.

Method—Method of sending the HTTP request. The HTTP method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.

Response code—Response code of the HTTP request.

Response length—Size of the response to the HTTP request in bytes.

Fields—Additional fields (Request headers, Response headers, Request body, and Response body) displayed as key:value. Standard header names are based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue.
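The Method, URL, Response length and Fields columns describe a decomposition of the raw HTTP exchange. The following added example (my own illustration, not code from the portal or from Kaspersky) performs that decomposition on a constructed request: it extracts the method, rebuilds the URL from the Host header and request target, splits the headers into key:value pairs, checks the declared Content-Length against the body actually present, and classifies each header as standard (a name defined in RFC 2616 section 14) or custom, which is the distinction the portal highlights in blue. The sample request and its x-ms-request-id value are constructed.

```python
from typing import Dict, List, Tuple

# Header names defined in RFC 2616 section 14; anything else counts as custom.
RFC2616_HEADERS = {h.lower() for h in (
    "Accept", "Accept-Charset", "Accept-Encoding", "Accept-Language", "Accept-Ranges",
    "Age", "Allow", "Authorization", "Cache-Control", "Connection", "Content-Encoding",
    "Content-Language", "Content-Length", "Content-Location", "Content-MD5",
    "Content-Range", "Content-Type", "Date", "ETag", "Expect", "Expires", "From", "Host",
    "If-Match", "If-Modified-Since", "If-None-Match", "If-Range", "If-Unmodified-Since",
    "Last-Modified", "Location", "Max-Forwards", "Pragma", "Proxy-Authenticate",
    "Proxy-Authorization", "Range", "Referer", "Retry-After", "Server", "TE", "Trailer",
    "Transfer-Encoding", "Upgrade", "User-Agent", "Vary", "Via", "Warning",
    "WWW-Authenticate")}
# Methods listed in the Method column description.
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}


def parse_http_request(raw: bytes) -> Dict[str, object]:
    """Split a raw request into method, URL, version, header pairs and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers CRLFCRLF")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in HTTP_METHODS:
        raise ValueError(f"unexpected request line: {lines[0]!r}")
    method, target, version = parts
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip(), value.strip()))
    # URL column: Host plus origin-form target; other target forms are kept as-is.
    host = next((v for n, v in headers if n.lower() == "host"), None)
    url = f"http://{host}{target}" if host and target.startswith("/") else target
    # Length check: a Content-Length that disagrees with the body is worth flagging.
    declared = next((v for n, v in headers if n.lower() == "content-length"), None)
    length_ok = declared is None or (declared.isdigit() and int(declared) == len(body))
    return {"method": method, "url": url, "version": version, "headers": headers,
            "body": body, "body_length": len(body), "content_length_matches": length_ok}


def classify_headers(headers: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Tag each key:value pair as 'standard' (RFC 2616) or 'custom'."""
    return [(n, v, "standard" if n.lower() in RFC2616_HEADERS else "custom")
            for n, v in headers]


# Constructed sample request (placeholder host, made-up request id); not captured traffic.
SAMPLE_REQUEST = (
    b"POST /api/v1/report HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: constructed-sample/1.0\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 15\r\n"
    b"x-ms-request-id: abc123\r\n"
    b"\r\n"
    b'{"status":"ok"}'
)

if __name__ == "__main__":
    req = parse_http_request(SAMPLE_REQUEST)
    print(req["method"], req["url"], req["body_length"], req["content_length_matches"])
    for name, value, kind in classify_headers(req["headers"]):
        print(f"  [{kind:8}] {name}: {value}")
```

Header names are compared case-insensitively because HTTP header field names are case-insensitive; the original spelling is kept in the output so the key:value display matches what was on the wire.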

HTTPS requests

HTTP requests registered during file execution.

Status—Status of the web address in the HTTPS request. The web address can belong to one of the following zones:

  • Dangerous (there are malicious objects related to the web address).
  • Not trusted (categorized as Infected or Compromised).
  • Adware and other (there are objects that can be classified as Not-a-virus, which are related to the web address).
  • Good (the web address is not malicious).
  • Not categorized (the web address cannot be categorized due to insufficient information).

If the web address is related to an APT attack or mentioned in threat intelligence reports, the corresponding category is displayed by the web address zone.

You can click the web address to navigate to the Threat Lookup results page. If you have a valid commercial APT Intelligence Reporting Service license, and the file is related to an APT attack, a link to the corresponding APT Intelligence report on the Reporting page is displayed in the Categories field. If the requested object is related to several APT attacks, all related links are displayed.

APT categories—List of APT categories of the web address.

URL—Web address to which the request was registered. Investigation results for certain web addresses in this section may be unavailable on the Threat Lookup results page.

Method—Method of sending the HTTPS request. The HTTPS method can be one of the following: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, or PATCH.

Response code—Response code of the HTTP request.

Response length—Size of the response to the HTTP request in bytes.

Fields—Additional fields (Request headers, Response headers, Request body, and Response body) displayed as key:value. Standard header names are based on the RFC2616 Hypertext Transfer Protocol -- HTTP/1.1. Custom headers (for example, x-ms-request-id) are highlighted in blue.
