| Nr | Name | Description |
| 1 | duration | Duration of connnection |
| 2 | Protocol_type | Connection protocol (tcp, udp, icmp) |
| 3 | service | Dst port mapped to service |
| 4 | flag | Normal or error status flag of connection |
| 5 | Src_bytes | Number of data bytes from src to dst |
| 6 | dst_bytes | Bytes from dst to src |
| 7 | land | 1 if connection is from/to the same host/port; else 0 |
| 8 | wrong_fragment | Number of “wrong” fragments (values 0, 1, 3) |
| 9 | urgent | Number of urgent packets |
| 10 | hot | Number of “hot” indicators |
| 11 | number_failed_logins | Number of failed login attempts |
| 12 | logged_in | 1 if successfully logged in: else 0 |
| 13 | num_compromised | number of “compromised” conditions |
| 14 | root_shell | 1 if root shell is obtained; else 0 |
| 15 | su_attempted | 1 if “su root” command attempted; else 0 |
| 16 | num_root | Number of “root” accesses |
| 17 | num_file__creations | Number of file creation operations |
| 18 | num_shells | Number of shell prompts |
| 19 | num_access_files | Number of operations on access control files |
| 20 | num_outbound_cmds | Number of outbound commands in and ftp session |
| 21 | Is_hot_login | 1 if login belongs to “hot” list; else 0 |
| 22 | Is_guest_login | 1 if login is “guest” login else 0 |
| 23 | count | number of connections to same host as current connection in the past two seconds |
| 24 | srv_count | Number of connections to same service as current connection in the past two seconds |
| 25 | serror_rate | % of connections that have “SYN” errors |
| 26 | srv_serror_rate | % of connections that have “SYN” errors |
| 27 | rerror_rate | % of connections that have “REJ” errors |
| 28 | srv_rerror_rate | % of connections that have “REJ” errors |
| 29 | same_srv_rate | % of connections to the same service |
| 30 | diff_srv_rate | % of connections to different services |
| 31 | Srv_diff_host_rate | % of connections to different hosts |
| 32 | dst_host_count | Count of connections having same dst host |
| 33 | dst_host__srv_count | Count of connections having same des host and using same service |
| 34 | des host same srv rate | % of connections having same dst host and using the same servce |
| 35 | dst_host_diff_srv_rate | % of different services on current host |
| 36 | dst_host_samesrc_port_rate | % of connections to current host having same src port |
| 37 | dst_host_srv_diff_host_rate | % of connections to same service coming from diff hosts |
| 38 | dst_host_serror rate | % of connections to current host that have an SO error |
| 39 | dst_host_srv_serror_rate | % of connections to current host and specified service that have an SO error |
| 40 | dst_host_rerror_rate | % of connections to current host that have an RST error |
| 41 | dst_host_srv_rerror_rate | % of connections to current host and specified service that have an RST error |
| 42 | connection_type | N or A |