Working with Intrusion Events
The FireSIGHT System can help you monitor your network for traffic that could affect the availability, integrity, and confidentiality of a host and its data. By placing managed devices on key network segments, you can examine the packets that traverse your network for malicious activity. The system has several mechanisms it uses to look for the broad range of exploits that attackers have developed.
When the system identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded. Managed devices transmit their events to the Defense Center where you can view the aggregated data and gain a greater understanding of the attacks against your network assets.
You can also deploy a managed device as an inline, switched, or routed intrusion system, which allows you to configure the device to drop or replace packets that you know to be harmful.
The FireSIGHT System also provides you with the tools you need to review intrusion events and evaluate whether they are important in the context of your network environment and your security policies. These tools include:
- an event summary page that gives you an overview of the current activity on your managed devices
- text-based and graphical reports that you can generate for any time period you choose; you can also design your own reports and configure them to run at scheduled intervals
- an incident-handling tool that you can use to gather event data related to an attack; you can also add notes to help you track your investigation and response
- automated alerting that you can configure for SNMP, email, and syslog
- automated correlation policies that you can use to respond to and remediate specific intrusion events
- predefined and custom workflows that you can use to drill down through the data to identify the events that you want to investigate further
See the following sections for more information:
Also, see:
Viewing Intrusion Event Statistics
License: Protection
The Intrusion Event Statistics page provides you with a quick summary of the current state of your appliance and any intrusion events generated for your network.
The Intrusion Event Statistics page has three main areas:
- Host Statistics describes the Host Statistics section, which provides information about the appliance and, for Defense Centers, their managed devices.
- Event Overview describes the Event Overview, which provides an overview of the information in the event database.
- Event Statistics describes the Event Statistics, which provides more specific details about the information in the event database, such as the top 10 event types.
Each of the IP addresses, ports, protocols, event messages, and so on, on the page is a link. Click any link to view the associated event information. For example, if one of the top 10 destination ports is 80 (http)/tcp, clicking that link displays the first page in the default intrusion events workflow, and lists the events targeting that port. Note that only the events (and the managed devices that generate events) in the current time range appear. Also, intrusion events that you have marked reviewed continue to appear in the statistics. For example, if the current time range is the past hour but the first event was generated five hours ago, when you click the First Event link, the resulting event pages will not show the event until you change the time range.
To view intrusion event statistics:
Access: Admin/Intrusion Admin
Step 1 Select Overview > Summary > Intrusion Event Statistics.
The Intrusion Event Statistics page appears.
Step 2 From the two selection boxes at the top of the page, select the zones and devices whose statistics you want to view, or select All Security Zones and All Devices to view statistics for all the devices that are collecting intrusion events.
Step 3 Click Get Statistics.
The Intrusion Event Statistics page refreshes with data from the devices you selected.
Tip To view data from a custom time range, click the link in the upper right page area and follow the directions in Setting Event Time Constraints.
Step 4 See the following sections for more information about the statistics that appear on the Intrusion Event Statistics page:
Host Statistics
License: Protection
The Host Statistics section of the Intrusion Event Statistics page provides information about the appliance itself. On the Defense Center, this section also provides information about any managed devices.
This information includes the following:
- Time shows the current time on the appliance.
- Uptime shows the number of days, hours, and minutes since the appliance itself was restarted. On the Defense Center, the uptime also shows the last time each managed device was rebooted, the number of users logged in, and the load average.
- Disk Usage shows the percentage of the disk that is being used.
- Memory Usage shows the percentage of system memory that is being used.
- Load Average shows the average number of processes in the CPU queue for the past 1 minute, 5 minutes, and 15 minutes.
Event Overview
License: Protection
The Event Overview section of the Intrusion Event Statistics page provides an overview of the information in the intrusion event database.
These statistics include the following:
- Events shows the number of events in the intrusion event database.
- Events in Time Range shows the currently selected time range as well as the number and percentage of events from the database that fall within the time range.
- First Event shows the event message for the first event in the event database.
- Last Event shows the event message for the last event in the event database.
Note On the Defense Center, if you selected a managed device, the Event Overview section for that device appears instead.
Event Statistics
License: Protection
The Event Statistics section of the Intrusion Event Statistics page provides more specific information about the contents of the intrusion event database.
This information includes details on:
- the top 10 event types
- the top 10 source IP addresses
- the top 10 destination IP addresses
- the top 10 destination ports
- the protocols, ingress and egress security zones, and devices with the greatest number of events
Viewing Intrusion Event Performance
License: Protection
The intrusion event performance page allows you to generate graphs that depict performance statistics for intrusion events over a specific period of time. Graphs can be generated to reflect number of intrusion events per second, number of megabits per second, average number of bytes per packet, the percent of packets uninspected by Snort, and the number of packets blocked as the result of TCP normalization. These graphs can show statistics for the last hour, last day, last week, or last month of operation.
See Generating Intrusion Event Performance Statistics Graphs for more information.
To view the intrusion event performance statistics:
Access: Admin/Maint
Step 1 Select Overview > Summary > Intrusion Event Performance.
The Intrusion Event Performance page appears.
Generating Intrusion Event Performance Statistics Graphs
License: Protection
You can generate graphs that depict performance statistics for a Defense Center or a managed device based on the number of events per second, megabits per second, average bytes per packet, percent of packets uninspected by Snort, and the number of packets blocked as the result of TCP normalization.
Note New data is accumulated for statistics graphs every five minutes. Therefore, if you reload a graph quickly, the data may not change until the next five-minute increment occurs.
The following table lists the available graph types. Note that graph types display differently if they are populated with data affected by the network analysis policy Inline Mode setting. If Inline Mode is disabled, the graph types marked with an asterisk (*) in the web interface (a yes in the column below) populate with data about the traffic the system would have modified or dropped if Inline Mode were enabled. For more information about the Inline Mode setting, see Allowing Preprocessors to Affect Traffic in Inline Deployments.
For more information about the required options and settings, see Normalizing Inline Traffic, Allowing Preprocessors to Affect Traffic in Inline Deployments, and Setting Drop Behavior in an Inline Deployment.
Table 41-1 Intrusion Event Performance Graph Types

| Graph Type | Required Options/Settings | Description | Affected by Inline Mode |
|---|---|---|---|
| Avg Bytes/Packet | n/a | the average number of bytes included in each packet. | no |
| ECN Flags Normalized in TCP Traffic/Packet | enable Explicit Congestion Notification and select Packet | the number of packets for which ECN flags have been cleared on a per-packet basis regardless of negotiation. | yes |
| ECN Flags Normalized in TCP Traffic/Session | enable Explicit Congestion Notification and select Stream | the number of times that ECN flags have been cleared on a per-stream basis when ECN use was not negotiated. | yes |
| Events/Sec | n/a | the number of events per second generated on the device. | no |
| ICMPv4 Echo Normalizations | enable Normalize ICMPv4 | the number of ICMPv4 packets for which the 8-bit Code field in Echo (Request) or Echo Reply messages was cleared. | yes |
| ICMPv6 Echo Normalizations | enable Normalize ICMPv6 | the number of ICMPv6 packets for which the 8-bit Code field in Echo (Request) or Echo Reply messages was cleared. | yes |
| IPv4 DF Flag Normalizations | enable Normalize IPv4 and Normalize Don’t Fragment Bit | the number of IPv4 packets for which the single-bit Don’t Fragment subfield of the IPv4 Flags header field was cleared. | yes |
| IPv4 Options Normalizations | enable Normalize IPv4 | the number of IPv4 packets for which the option octet was set to 1 (No Operation). | yes |
| IPv4 Reserved Flag Normalizations | enable Normalize IPv4 and Normalize Reserved Bit | the number of IPv4 packets for which the single-bit Reserved subfield of the IPv4 Flags header field was cleared. | yes |
| IPv4 Resize Normalizations | enable Normalize IPv4 | the number of IPv4 packets with excessive-length payload that have been truncated to the datagram length specified in the IP header. | yes |
| IPv4 TOS Normalizations | enable Normalize IPv4 and Normalize TOS Bit | the number of IPv4 packets for which the one-byte Differentiated Services (DS) field (formerly known as the Type of Service (TOS) field) was cleared. | yes |
| IPv4 TTL Normalizations | enable Normalize IPv4, Maximum TTL, and Reset TTL | the number of IPv4 Time to Live normalizations. | yes |
| IPv6 Options Normalizations | enable Normalize IPv6 | the number of IPv6 packets for which the Option Type field in the Hop-by-Hop Options or Destination Options extension header was set to 00 (Skip and continue processing). | yes |
| IPv6 TTL Normalizations | enable Normalize IPv6, Minimum TTL, and Reset TTL | the number of IPv6 Hop Limit (TTL) normalizations. | yes |
| Mbits/Sec | n/a | the number of megabits per second of traffic that passes through the device. | no |
| Packet Resized to Fit MSS Normalizations | enable Trim Data to MSS | the number of packets for which the payload was longer than the TCP Data field, so the payload was trimmed to the Maximum Segment Size. | yes |
| Packet Resized to Fit TCP Window Normalizations | enable Trim Data to Window | the number of packets for which the TCP Data field was trimmed to fit the receiving host’s TCP window. | yes |
| Percent Packets Dropped | n/a | the average percentage of uninspected packets across all selected devices. For example, if you select two devices, then an average of 50% may indicate that one device has a 90% drop rate and the other has a 10% drop rate. It may also indicate that both devices have a drop rate of 50%. The graph only represents the total % drop when you select a single device. | no |
| RST Packets With Data Stripped Normalizations | enable Remove Data on RST | the number of packets for which data was removed from a TCP reset (RST) packet. | yes |
| SYN Packets With Data Stripped Normalizations | enable Remove Data on SYN | the number of packets for which data was removed from SYN packets when the TCP operating system was not Mac OS. | yes |
| TCP Header Padding Normalizations | enable Normalize/Clear Option Padding Bytes | the number of TCP packets in which option padding bytes were set to 0. | yes |
| TCP No Option Normalizations | enable Allow These TCP Options and set to an option other than any | the number of packets from which the Time Stamp option was stripped. | yes |
| TCP NS Flag Normalizations | enable Explicit Congestion Notification and select Packet | the number of ECN Nonce Sum (NS) option normalizations. | yes |
| TCP Options Normalizations | enable Allow These TCP Options and set to an option other than any | the number of options (excluding MSS, Window Scale, Time Stamp, and explicitly allowed options) for which the option field is set to No Operation (TCP Option 1). | yes |
| TCP Packets Blocked By Normalizations | enable Normalize TCP Payload (segment reassembly must fail) | the number of packets dropped because the TCP segments could not be properly reassembled. | yes |
| TCP Reserved Flags Normalizations | enable Normalize/Clear Reserved Bits | the number of TCP packets where the Reserved bits have been cleared. | yes |
| TCP Segment Reassembly Normalizations | enable Normalize TCP Payload (segment reassembly must be successful) | the number of packets for which the TCP Data field was normalized to ensure consistency in retransmitted data (any segments that cannot be properly reassembled are dropped). | yes |
| TCP SYN Option Normalizations | enable Allow These TCP Options and set to an option other than any | the number of options for which the Maximum Segment Size or Window Scale option was set to No Operation (TCP Option 1) because the SYN control bit was not set. | yes |
| TCP Timestamp ECR Normalizations | enable Allow These TCP Options and set to an option other than any | the number of packets for which the Time Stamp Echo Reply (TSecr) option field was cleared because the Acknowledgment (ACK) control bit was not set. | yes |
| TCP Urgent Pointer Normalizations | enable Normalize Urgent Pointer | the number of packets for which the two-byte TCP header Urgent Pointer field was greater than the payload length and was set to the payload length. | yes |
| Total Blocked Packets | configure Inline Mode or Drop when Inline | the total number of dropped packets, including rule, decoder, and preprocessor drops. | no |
| Total Injected Packets | configure Inline Mode | the number of packets that were resized before being retransmitted. | no |
| Total TCP Filtered Packets | configure TCP Stream Preprocessing | the number of packets skipped by the stream because of TCP port filtering. | no |
| Total UDP Filtered Packets | configure UDP Stream Preprocessing | the number of packets skipped by the stream because of UDP port filtering. | no |
| Urgent Flag Cleared Normalizations | enable Clear URG if Urgent Pointer is Not Set | the number of packets for which the TCP header URG control bit was cleared because the urgent pointer was not set. | yes |
| Urgent Pointer and Urgent Flag Cleared Normalizations | enable Clear Urgent Pointer/URG on Empty Payload | the number of packets for which the TCP header Urgent Pointer field and the URG control bit have been cleared because there was no payload. | yes |
| Urgent Pointer Cleared Normalizations | enable Clear Urgent Pointer if URG=0 | the number of packets for which the 16-bit TCP header Urgent Pointer field was cleared because the urgent (URG) control bit was not set. | yes |
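The per-packet rows of Table 41-1 count header rewrites that the inline normalizer applies before inspection. The following Python is an added example, not Cisco or Snort code: it models a subset of those rows (IPv4 TOS, Reserved and DF flags, IPv4 resize, TCP reserved/NS/ECN bits, the three urgent pointer rules, and RST data stripping) from the table's descriptions, applied to a constructed IPv4/TCP packet, and keeps the same counters the graphs would show. It assumes a 20-byte header on each layer, skips checksum recomputation, and does not reproduce the real preprocessor's exact ordering.

```python
import struct

# Row names from Table 41-1 that this example models; each counter is per packet.
GRAPHS = (
    "IPv4 TOS Normalizations",
    "IPv4 Reserved Flag Normalizations",
    "IPv4 DF Flag Normalizations",
    "IPv4 Resize Normalizations",
    "TCP Reserved Flags Normalizations",
    "TCP NS Flag Normalizations",
    "ECN Flags Normalized in TCP Traffic/Packet",
    "Urgent Pointer and Urgent Flag Cleared Normalizations",
    "Urgent Flag Cleared Normalizations",
    "Urgent Pointer Cleared Normalizations",
    "TCP Urgent Pointer Normalizations",
    "RST Packets With Data Stripped Normalizations",
)

IP_RESERVED, IP_DF = 0x8000, 0x4000                          # bits of the IPv4 flags/fragment word
TCP_RST, TCP_URG, TCP_ECE, TCP_CWR = 0x04, 0x20, 0x40, 0x80  # bits of the TCP flags byte


def build_ipv4_tcp(tos=0, ip_flags=0, tcp_flags=0, urg_ptr=0, reserved=0,
                   payload=b"", trailing=b""):
    """Constructed sample packet: 20-byte IPv4 + 20-byte TCP header, no options, checksums
    left at zero. `trailing` appends bytes beyond the IP total length (an oversized datagram)."""
    total_len = 40 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, ip_flags, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    # TCP byte 12: data offset (5 words) in the high nibble, reserved + NS bits in the low nibble
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, (5 << 4) | (reserved & 0x0F),
                      tcp_flags, 8192, 0, urg_ptr)
    return ip + tcp + payload + trailing


def normalize(packet: bytes) -> tuple[bytes, dict]:
    """Apply the modeled normalizations; return (normalized packet, per-graph counts)."""
    counts = dict.fromkeys(GRAPHS, 0)
    buf = bytearray(packet)

    # IPv4 header: DS/TOS byte, Reserved and DF flags, then bytes beyond the datagram length
    ihl = (buf[0] & 0x0F) * 4
    if buf[1]:
        buf[1] = 0
        counts["IPv4 TOS Normalizations"] += 1
    flags = struct.unpack_from("!H", buf, 6)[0]
    if flags & IP_RESERVED:
        flags &= ~IP_RESERVED
        counts["IPv4 Reserved Flag Normalizations"] += 1
    if flags & IP_DF:
        flags &= ~IP_DF
        counts["IPv4 DF Flag Normalizations"] += 1
    struct.pack_into("!H", buf, 6, flags)
    total_len = struct.unpack_from("!H", buf, 2)[0]
    if len(buf) > total_len:
        del buf[total_len:]
        counts["IPv4 Resize Normalizations"] += 1

    # TCP header: reserved bits, NS bit, and per-packet ECN flags (cleared regardless of negotiation)
    t = ihl
    data_off = (buf[t + 12] >> 4) * 4
    payload_len = len(buf) - t - data_off
    if buf[t + 12] & 0x0E:
        buf[t + 12] &= ~0x0E
        counts["TCP Reserved Flags Normalizations"] += 1
    if buf[t + 12] & 0x01:
        buf[t + 12] &= ~0x01
        counts["TCP NS Flag Normalizations"] += 1
    if buf[t + 13] & (TCP_ECE | TCP_CWR):
        buf[t + 13] &= ~(TCP_ECE | TCP_CWR)
        counts["ECN Flags Normalized in TCP Traffic/Packet"] += 1

    # Urgent pointer rules, one branch per packet: empty payload, URG/pointer mismatch, overflow
    urg_set = bool(buf[t + 13] & TCP_URG)
    urg_ptr = struct.unpack_from("!H", buf, t + 18)[0]
    if payload_len == 0 and (urg_set or urg_ptr):
        buf[t + 13] &= ~TCP_URG
        struct.pack_into("!H", buf, t + 18, 0)
        counts["Urgent Pointer and Urgent Flag Cleared Normalizations"] += 1
    elif urg_set and urg_ptr == 0:
        buf[t + 13] &= ~TCP_URG
        counts["Urgent Flag Cleared Normalizations"] += 1
    elif not urg_set and urg_ptr:
        struct.pack_into("!H", buf, t + 18, 0)
        counts["Urgent Pointer Cleared Normalizations"] += 1
    elif urg_set and urg_ptr > payload_len:
        struct.pack_into("!H", buf, t + 18, payload_len)
        counts["TCP Urgent Pointer Normalizations"] += 1

    # Data carried on a reset segment is removed and the IP total length corrected
    if buf[t + 13] & TCP_RST and payload_len:
        del buf[t + data_off:]
        struct.pack_into("!H", buf, 2, len(buf))
        counts["RST Packets With Data Stripped Normalizations"] += 1
    return bytes(buf), counts
```

Calling `normalize(build_ipv4_tcp(tos=0x10, ip_flags=IP_DF, tcp_flags=TCP_URG | 0x18, urg_ptr=50, payload=b"abcd"))` increments exactly the IPv4 TOS, IPv4 DF Flag and TCP Urgent Pointer counters, and the returned packet carries an urgent pointer of 4.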
To generate intrusion event performance graphs:
Access: Admin/Maint
Step 1 Select Overview > Summary > Intrusion Event Performance.
The Intrusion Event Performance page appears.
Step 2 From the Select Device list, select the devices whose data you want to view.
Step 3 From the Select Graph(s) list, select the type of graph you want to create.
Step 4 From the Select Time Range list, select the time range you would like to use for the graph.
You can choose from last hour, last day, last week, or last month.
Step 5 Click Graph.
The graph appears, displaying the information you specified.
Step 6 To save the graph, right-click it and follow the instructions for your browser to save the image.
Viewing Intrusion Event Graphs
License: Protection
The FireSIGHT System provides graphs that show you intrusion event trends over time. You can generate intrusion event graphs over time ranging from the last hour to the last month, for the following:
- one or all managed devices
- top 10 destination ports
- top 10 source IP addresses
- top 10 event messages
To generate an event graph:
Access: Admin/Intrusion Admin
Step 1 Select Overview > Summary > Intrusion Event Graphs.
The Intrusion Event Graphs page appears. Three selection boxes at the top of the page control which graph is generated.
Step 2 Under Select Device, select all to include all devices, or select the specific device you want to include in the graph.
Step 3 Under Select Graph(s), select the type of graph you want to generate.
Step 4 Under Select Time Range, select the time range for the graph.
Step 5 Click Graph.
The graph is generated.
Viewing Intrusion Events
License: Protection
When the system recognizes a packet that is potentially malicious, it generates an intrusion event and adds the event to the database.
The initial intrusion events view differs depending on the workflow you use to access the page. You can use one of the predefined workflows, which include one or more drill-down pages, a table view of intrusion events, and a terminating packet view, or you can create your own workflow. You can also view workflows based on custom tables, which may include intrusion events. Note that an event view may be slow to display if it contains a large number of IP addresses and you have enabled the Resolve IP Addresses event view setting. See Configuring Event View Settings for more information.
You view an intrusion event to determine whether there is a threat to your network security. If you are confident that an intrusion event is not malicious, you can mark the event reviewed. Your name appears as the reviewer, and the reviewed event is no longer listed in the default intrusion events view. You can return a reviewed event to the default intrusion events view by marking the event unreviewed.
You can view intrusion events that you have marked reviewed. Reviewed events are stored in the event database and are included in the event summary statistics, but no longer appear in the default event pages. See Reviewing Intrusion Events for more information.
If you perform a backup and then delete reviewed intrusion events, restoring your backup restores the deleted intrusion events but does not restore their reviewed status. You view those restored intrusion events under Intrusion Events, not under Reviewed Events.
To quickly view connection events associated with one or more intrusion events, select the intrusion events using the check boxes in the event viewer, then select Connections from the Jump to drop-down list. This is most useful when navigating between table views of events. You can also view the intrusions associated with particular connections in a similar way.
For more information, see the following sections:
To view intrusion events:
Access: Admin/Intrusion Admin
Step 1 Select Analysis > Intrusions > Events.
The first page of the default intrusion events workflow appears. For information on specifying a different default workflow, see Configuring Event View Settings. If no events appear, you may need to adjust the time range; see Setting Event Time Constraints.
Tip If you are using a custom workflow that does not include the table view of intrusion events, select any of the predefined workflows that ship with the appliance by clicking (switch workflow) next to the workflow title.
See Understanding Intrusion Events to learn more about the events that appear in intrusion event views. See Understanding Workflow Pages for Intrusion Events to learn more about how to narrow your view to the intrusion events that are important to your analysis.
Understanding Intrusion Events
License: Protection
The system examines the packets that traverse your network for malicious activity that could affect the availability, integrity, and confidentiality of a host and its data. When the system identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded. Note that the information available for any individual intrusion event depends on several factors, including licenses. For more information, see Service Subscriptions.
The following list describes the information that an intrusion event contains. Note that some fields in the table view of intrusion events are disabled by default. To enable a field for the duration of your session, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.
Time
The date and time of the event.
Priority
The event priority as determined by the Cisco VRT.
Impact
The impact level in this field indicates the correlation between intrusion data, network discovery data, and vulnerability information. For more information, see Using Impact Levels to Evaluate Events.
Note that because there is no operating system information available for hosts added to the network map based on NetFlow data, the Defense Center cannot assign Vulnerable (impact level 1: red) impact levels for intrusion events involving those hosts, unless you use the host input feature to manually set the host operating system identity.
Inline Result
One of the following:
- a black down arrow, indicating that the system dropped the packet that triggered the rule
- a gray down arrow, indicating that IPS would have dropped the packet if you enabled the Drop when Inline intrusion policy option (in an inline deployment), or if a Drop and Generate rule generated the event while the system was pruning
- blank, indicating that the triggered rule was not set to Drop and Generate Events
Note that the system does not drop packets in a passive deployment, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy.
Source IP
The IP address used by the sending host.
Source Country
The country of the sending host.
Destination IP
The IP address used by the receiving host.
Destination Country
The country of the receiving host.
Original Client IP
The original client IP address that was extracted from an X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP header. To display a value for this field, you must enable the HTTP preprocessor Extract Original Client IP Address option in the network analysis policy. Optionally, in the same area of the network analysis policy, you can also specify up to six custom client IP headers, as well as set the priority order in which the system selects the value for the Original Client IP event field. See Selecting Server-Level HTTP Normalization Options for more information.
This field is enabled by default.
Source Port / ICMP Type
The port number on the sending host. For ICMP traffic, where there is no port number, the system displays the ICMP type.
Destination Port / ICMP Code
The port number for the host receiving the traffic. For ICMP traffic, where there is no port number, the system displays the ICMP code.
SSL Status
The action associated with the SSL rule, default action, or undecryptable traffic action that logged the encrypted connection:
– Block and Block with reset represent blocked encrypted connections.
– Decrypt (Resign) represents an outgoing connection decrypted using a re-signed server certificate.
– Decrypt (Replace Key) represents an outgoing connection decrypted using a self-signed server certificate with a substituted public key.
– Decrypt (Known Key) represents an incoming connection decrypted using a known private key.
– Do not Decrypt represents a connection the system did not decrypt.
If the system fails to decrypt an encrypted connection, it displays the undecryptable traffic action taken, as well as the failure reason. For example, if the system detects traffic encrypted with an unknown cipher suite and allowed it without further inspection, this field displays Do Not Decrypt (Unknown Cipher Suite).
Click the lock icon to view certificate details. For more information, see Viewing the Certificate Associated with an Encrypted Connection.
VLAN ID
The innermost VLAN ID associated with the packet that triggered the intrusion event.
MPLS Label
The Multiprotocol Label Switching label associated with the packet that triggered this intrusion event.
This field is disabled by default.
Message
The explanatory text for the event. For rule-based intrusion events, the event message is pulled from the rule. For decoder- and preprocessor-based events, the event message is hard coded.
Classification
The classification to which the rule that generated the event belongs. See the Rule Classifications table for a list of rule classification names and numbers.
Generator
The component that generated the event. See Table 41-7 for a list of intrusion event generator IDs.
Source User
The User ID for any known user logged in to the source host.
Destination User
The User ID for any known user logged in to the destination host.
Application Protocol
The application protocol, if available, which represents communications between hosts, detected in the traffic that triggered the intrusion event. For information on how the system identifies detected application protocols in the Defense Center web interface, see Table 45-3.
Client
The client application, if available, which represents software running on the monitored host detected in the traffic that triggered the intrusion event.
Web Application
The web application, which represents the content or requested URL for HTTP traffic detected in the traffic that triggered the intrusion event.
Note that if the system detects an application protocol of HTTP but cannot detect a specific web application, the system supplies a generic web browsing designation here.
IOC
Whether the traffic that triggered the intrusion event also triggered an indication of compromise (IOC) for a host involved in the connection. For more information on IOC, see Understanding Indications of Compromise.
Category, Tag (Application Protocol, Client, Web Application)
Criteria that characterize an application to help you understand the application's function; see Table 45-2.
Application Risk
The risk associated with detected applications in the traffic that triggered the intrusion event. Each type of application detected in a connection has an associated risk; this field displays the highest risk of those. For more information, see Table 45-2.
Business Relevance
The business relevance associated with detected applications in the traffic that triggered the intrusion event. Each type of application detected in a connection has an associated business relevance; this field displays the lowest (least relevant) of those. For more information, see Table 45-2.
Ingress Security Zone
The ingress security zone of the packet that triggered the event. Only this security zone field is populated in a passive deployment. See Working with Security Zones.
Egress Security Zone
For an inline deployment, the egress security zone of the packet that triggered the event. This security zone field is not populated in a passive deployment. See Working with Security Zones.
Device
The managed device where the access control policy was applied. See Managing Devices.
Security Context
The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multiple context mode.
Ingress Interface
The ingress interface of the packet that triggered the event. Only this interface column is populated for a passive interface. See Configuring Sensing Interfaces.
Egress Interface
For an inline set, the egress interface of the packet that triggered the event. This interface column is not populated for a passive interface. See Configuring Sensing Interfaces.
Intrusion Policy
The intrusion policy where the intrusion, preprocessor, or decoder rule that generated the event was enabled. You can select an intrusion policy as the default action for an access control policy, or you can associate an intrusion policy with an access control rule. See Setting Default Handling and Inspection for Network Traffic and Configuring an Access Control Rule to Perform Intrusion Prevention.
Access Control Policy
The access control policy that includes the intrusion policy where the intrusion, preprocessor, or decoder rule that generated the event is enabled; see Managing Access Control Policies.
Access Control Rule
The access control rule that invoked the intrusion policy that generated the event; see Configuring an Access Control Rule to Perform Intrusion Prevention.
Default Action indicates that the intrusion policy where the rule is enabled is not associated with a specific access control rule but, instead, is configured as the default action of the access control policy; see Setting Default Handling and Inspection for Network Traffic.
This field is blank if intrusion inspection was associated with neither an access control rule nor the default action, for example, if the packet was examined by the default intrusion policy. For more information, see Setting the Default Intrusion Policy for Access Control.
Network Analysis Policy
The network analysis policy (NAP), if any, associated with the generation of the event; see Getting Started with Network Analysis Policies.
HTTP Hostname
The host name, if present, that was extracted from the HTTP request Host header. Note that request packets do not always include the host name.
To display host names, you must enable the HTTP Inspect preprocessor Log Hostname option. See Selecting Server-Level HTTP Normalization Options for more information.
This column displays the first fifty characters of the extracted host name. You can hover your pointer over the displayed portion of an abbreviated host name to display the complete name, up to 256 bytes. You can also display the complete host name, up to 256 bytes, in the packet view. See Viewing Event Information for more information.
This field is disabled by default.
HTTP URI
The raw URI, if present, associated with the HTTP request packet that triggered the intrusion event. Note that request packets do not always include a URI.
To display the extracted URI, you must enable the HTTP Inspect preprocessor Log URI option. See Selecting Server-Level HTTP Normalization Options for more information.
To see the associated HTTP URI in intrusion events triggered by HTTP responses, you should configure HTTP server ports in the Perform Stream Reassembly on Both Ports option; note, however, that this increases resource demands for traffic reassembly. See Selecting Stream Reassembly Options.
This column displays the first fifty characters of the extracted URI. You can hover your pointer over the displayed portion of an abbreviated URI to display the complete URI, up to 2048 bytes. You can also display the complete URI, up to 2048 bytes, in the packet view. See Viewing Event Information for more information.
This field is disabled by default.
Email Sender
The address of the email sender that was extracted from the SMTP MAIL FROM command. To display a value for this field, you must enable the SMTP preprocessor Log From Address option. Multiple sender addresses are supported. See Understanding SMTP Decoding for more information.
This field is disabled by default.
Email Recipient
The address of the email recipient that was extracted from the SMTP RCPT TO command. To display a value for this field, you must enable the SMTP preprocessor Log To Addresses option. Multiple recipient addresses are supported. See Understanding SMTP Decoding for more information.
This field is disabled by default.
Email Attachments
The MIME attachment file name that was extracted from the MIME Content-Disposition header. To display attachment file names, you must enable the SMTP preprocessor Log MIME Attachment Names option. Multiple attachment file names are supported. See Understanding SMTP Decoding for more information.
This field is disabled by default.
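The extraction that the HTTP Inspect and SMTP preprocessor options above describe (the Host header, the raw request URI, MAIL FROM, RCPT TO and the MIME Content-Disposition file names), as an added example that is not part of the Cisco documentation and is not the preprocessors' own code: a small Python extractor run on constructed sample traffic. The function names, the regular expressions and the sample HTTP request and SMTP session are assumptions of this example; the 256-byte host name limit, the 2048-byte URI limit and the fifty-character column preview are the values stated above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Limits stated in the documentation: the packet view keeps up to 256 bytes of
# host name and 2048 bytes of URI; the table column shows the first 50 characters.
HOST_MAX_BYTES = 256
URI_MAX_BYTES = 2048
COLUMN_PREVIEW_CHARS = 50

# Patterns for the SMTP commands and the MIME header named in the text (assumed shapes).
_MAIL_FROM = re.compile(rb"^MAIL FROM:\s*<?([^>\s]*)>?", re.IGNORECASE)
_RCPT_TO = re.compile(rb"^RCPT TO:\s*<?([^>\s]*)>?", re.IGNORECASE)
_FILENAME = re.compile(rb'^content-disposition:.*?filename="?([^";\r\n]+)"?', re.IGNORECASE)


@dataclass
class ExtractedFields:
    """The five event-viewer fields this example reproduces."""
    http_hostname: Optional[str] = None
    http_uri: Optional[str] = None
    email_senders: List[str] = field(default_factory=list)
    email_recipients: List[str] = field(default_factory=list)
    email_attachments: List[str] = field(default_factory=list)


def extract_http(request: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Return (hostname, raw_uri) from an HTTP request; either is None when absent."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    uri = request_line[1][:URI_MAX_BYTES].decode("latin-1") if len(request_line) >= 2 else None
    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip()[:HOST_MAX_BYTES].decode("latin-1")
            break  # first Host header wins
    return host, uri


def extract_smtp(session: bytes) -> Tuple[List[str], List[str], List[str]]:
    """Return (senders, recipients, attachment names) from the client side of an SMTP
    session. Several MAIL FROM / RCPT TO commands and several attachments are all kept."""
    senders, recipients, attachments = [], [], []
    for line in session.split(b"\r\n"):
        m = _MAIL_FROM.match(line)
        if m:
            senders.append(m.group(1).decode("latin-1"))
            continue
        m = _RCPT_TO.match(line)
        if m:
            recipients.append(m.group(1).decode("latin-1"))
            continue
        m = _FILENAME.match(line)  # Content-Disposition header lines inside the DATA body
        if m:
            attachments.append(m.group(1).decode("latin-1").strip())
    return senders, recipients, attachments


def column_preview(value: str) -> str:
    """The abbreviated value the table column displays (first fifty characters)."""
    return value[:COLUMN_PREVIEW_CHARS]


def extract_fields(http_request: bytes, smtp_session: bytes) -> ExtractedFields:
    host, uri = extract_http(http_request)
    senders, recipients, attachments = extract_smtp(smtp_session)
    return ExtractedFields(host, uri, senders, recipients, attachments)


# Constructed sample traffic (not captured data). The URI is 100 characters long so
# that the column preview is visibly shorter than the packet-view value.
SAMPLE_HTTP = (
    b"GET /cgi-bin/login.php?user=admin&redirect=/" + b"A" * 60 + b" HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: constructed-sample\r\n\r\n"
)
SAMPLE_SMTP = (
    b"EHLO mail.example.net\r\n"
    b"MAIL FROM:<alice@example.net>\r\n"
    b"RCPT TO:<bob@example.com>\r\n"
    b"RCPT TO:<carol@example.com>\r\n"
    b"DATA\r\n"
    b"Subject: constructed sample\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n--b1\r\n"
    b'Content-Disposition: attachment; filename="report.pdf"\r\n'
    b"\r\n(attachment bytes)\r\n--b1\r\n"
    b"Content-Disposition: attachment; filename=invoice.xlsx\r\n"
    b"\r\n(attachment bytes)\r\n--b1--\r\n"
    b".\r\n"
)

if __name__ == "__main__":
    fields = extract_fields(SAMPLE_HTTP, SAMPLE_SMTP)
    print(fields.http_hostname, column_preview(fields.http_uri))
    print(fields.email_senders, fields.email_recipients, fields.email_attachments)
```

The request-line parse shows why the column can be empty: a request without a Host header, or an event triggered by a response rather than a request, yields None for the host name, which matches the note above that request packets do not always include the host name.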
Reviewed By
The name of the user who reviewed the event. See Reviewing Intrusion Events.
Count
The number of events that match the information that appears in each row. Note that the Count field appears only after you apply a constraint that creates two or more identical rows.
Viewing Connection Data Associated with Intrusion Events
License: Protection
The system can log the connections where intrusion events are detected. Although this logging is automatic for intrusion policies associated with access control rules, you must manually enable connection logging to see associated connection data for the default action; see Logging Connections Based on Access Control Handling.
Note The information available for any individual connection or Security Intelligence event depends on several factors, including licenses and appliance model. For more information, see License and Model Requirements for Connection Logging.
To view connection data associated with one or more intrusion events:
Access: Admin
Step 1 Select Analysis > Intrusions > Events.
The first page of the default intrusion events workflow appears.
Viewing associated data is most useful when navigating between table views of events. See Understanding Workflow Pages for Intrusion Events to learn more about how to narrow your view to the intrusion events that are important to your analysis.
Step 2 Select the intrusion events using the check boxes in the event viewer, then select Connections from the Jump to drop-down list.
You can view the intrusion events associated with particular connections in a similar way. For more information, see Navigating Between Workflows.
When you view associated events, the Defense Center uses your default connection data workflow. For more information on connection data, see Working with Connection & Security Intelligence Data.
Tip If you are using a custom workflow that does not include the table view of intrusion events, select any of the predefined workflows that ship with the appliance by clicking (switch workflow) next to the workflow title.
Reviewing Intrusion Events
License: Protection
If you have examined an intrusion event and are confident that the event does not represent a threat to your network security (perhaps because you know that none of the hosts on your network are vulnerable to the detected exploit), you can mark the event reviewed. Your name appears as the reviewer, and the reviewed event is no longer listed in the default intrusion events view. Events that you mark reviewed remain in the event database, but no longer appear in intrusion event views.
To mark an intrusion event reviewed:
Access: Admin/Intrusion Admin
Step 1 On a page that displays intrusion events, you have two options:
- To mark one or more intrusion events from the list of events, select the check boxes next to the events and click Review.
- To mark all intrusion events from the list of events, click Review All.
A success message appears and the list of reviewed events is updated.
See Understanding Intrusion Events to learn more about the events that appear in intrusion event views. See Understanding Workflow Pages for Intrusion Events to learn more about how to narrow your view to the intrusion events that are important to your analysis.
Note Although they do not appear on intrusion event-related workflow pages, reviewed events are included in the event summary statistics.
To view events previously marked reviewed:
Access: Admin/Intrusion Admin
Step 1 Select Analysis > Intrusions > Reviewed Events.
The first page of the default reviewed intrusion events workflow appears. For information on specifying a different default workflow, see Configuring Event View Settings. If no events appear, you may need to adjust the time range; see Setting Event Time Constraints.
Tip If you are using a custom workflow that does not include the table view of intrusion events, select any of the predefined workflows that ship with the appliance by clicking (switch workflow) next to the workflow title.
See Understanding Intrusion Events to learn more about the events that appear in reviewed intrusion event views. See Understanding Workflow Pages for Intrusion Events to learn more about how to narrow your view to the intrusion events that are important to your analysis.
To mark reviewed events unreviewed:
Access: Admin/Intrusion Admin
Step 1 On a page that displays reviewed events, you have two options:
- To remove individual intrusion events from the list of reviewed events, select the check boxes next to the events and click Unreview.
- To remove all intrusion events from the list of reviewed events, click Unreview All.
A success message appears and the list of reviewed events is updated.
Understanding Workflow Pages for Intrusion Events
License: Protection
The preprocessor, decoder, and intrusion rules that are enabled in the current intrusion policy generate intrusion events whenever the traffic that you monitor violates the policy.
The FireSIGHT System provides a set of predefined workflows, populated with event data, that you can use to view and analyze intrusion events. Each of these workflows steps you through a series of pages to help you pinpoint the intrusion events that you want to evaluate.
The predefined intrusion event workflows contain three different types of pages, or event views:
- one or more drill-down pages
- the table view of intrusion events
- a packet view
Drill-down pages generally include two or more columns in a table (and, for some drill-down views, more than one table) that allow you to view one specific type of information.
When you “drill down” to find more information for one or more destination ports, you automatically select those events and the next page in the workflow appears. In this way, drill-down tables help you reduce the number of events you are analyzing at one time.
The initial table view of intrusion events lists each intrusion event in its own row. The columns in the table list information such as the time, the source IP address and port, the destination IP address and port, the event priority, the event message, and more.
When you select events on a table view, instead of selecting events and displaying the next page in the workflow, you add to what are called constraints. Constraints are limits that you impose on the types of events that you want to analyze.
For example, if you click the close column icon in any column and clear Time from the drop-down list, you can remove Time as one of the columns. To narrow the list of events in your analysis, you can click the link for a value in one of the rows in the table view. For example, to limit your analysis to the events generated from one of the source IP addresses (presumably, a potential attacker), click the IP address in the Source IP Address column.
If you select one or more rows in a table view and then click View, the packet view appears. A packet view provides information about the packet that triggered the rule or the preprocessor that generated the event. Each section of the packet view contains information about a specific layer in the packet. You can expand collapsed sections to see more information.
Note Because each portscan event is triggered by multiple packets, portscan events use a special version of the packet view. See Detecting Portscans for more information.
If the predefined workflows do not meet your specific needs, you can create custom workflows that display only the information you are interested in. Custom intrusion event workflows can include drill-down pages, a table view of events, or both; the system automatically includes a packet view as the last page. You can easily switch between the predefined workflows and your own custom workflows depending on how you want to investigate events.
Tip Understanding and Using Workflows explains how to use workflows and the features common to all workflow pages. This chapter also explains how to create and use custom intrusion event workflows.
For more information, see:
Using Drill-Down and Table View Pages
License: Protection
The workflows that you can use to investigate intrusion events take advantage of three different types of pages:
- drill-down pages
- the table view of intrusion events
- the packet view
Each of these pages is described in Understanding Workflow Pages for Intrusion Events.
The drill-down views and table view of events share some common features that you can use to narrow a list of events and then concentrate your analysis on a group of related events. The following table describes these features.
Table 41-2 Intrusion Event Common Features
To learn more about the columns that appear, find more information in Understanding Intrusion Events.
To view a host’s profile, click the host profile icon that appears next to the host IP address.
To view geolocation details, click the flag icon that appears in the Source Country or Destination Country columns.
To modify the time and date range for displayed events, find more information in Setting Event Time Constraints.
Note that events generated outside the appliance's configured time window (whether global or event-specific) may appear in an event view if you constrain the event view by time. This may occur even if you configured a sliding time window for the appliance.
To sort and constrain events on the current workflow page, find more information in:
To navigate within the current workflow page, find more information in Navigating to Other Pages in the Workflow.
Tip To avoid displaying the same intrusion events on different workflow pages, the time range pauses when you click a link at the bottom of the page to display another page of events, and resumes when you click to take any other action on the subsequent page. For more information, see Setting Event Time Constraints.
To navigate between pages in the current workflow, keeping the current constraints, click the appropriate page link at the top left of the workflow page. For more information, see Using Workflow Pages.
To add events to the clipboard so you can transfer them to an incident at a later time, use one of the following methods:
- To copy several intrusion events on a workflow page to the clipboard, select the check boxes next to events you want to copy, then click Copy.
- To copy all the intrusion events in the current constrained view to the clipboard, click Copy All.
The clipboard stores up to 25,000 events per user. For more information, see Using the Clipboard.
To delete events from the event database, use one of the following methods:
- To delete selected intrusion events, select the check boxes next to events you want to delete, then click Delete.
- To delete all the intrusion events in the current constrained view, click Delete All, then confirm you want to delete all the events.
To mark events reviewed to remove them from intrusion event pages, but not the event database, use one of the following methods:
- To review selected intrusion events, select the check boxes next to events you want to review, then click Review.
- To review all the intrusion events in the current constrained view, click Review All.
For more information, see Reviewing Intrusion Events.
To download a local copy of the packet (a packet capture file in libpcap format) that triggered each selected event, use one of the following methods:
- To download the packets that triggered the selected intrusion events, select the check boxes next to events triggered by the packets you want to download, then click Download Packets.
- To download all packets that triggered the intrusion events in the current constrained view, click Download All Packets.
Captured packets are saved in libpcap format. This format is used by several popular protocol analyzers.
To navigate to other event views to view associated events, find more information in Navigating Between Workflows.
To temporarily use a different workflow, click (switch workflow). For more information, see Selecting Workflows.
To bookmark the current page so that you can quickly return to it, click Bookmark This Page. For more information, see Using Bookmarks.
To view the Intrusion Events section of the Summary Dashboard, click Dashboards. For more information, see Working with Dashboards.
To navigate to the bookmark management page, click View Bookmarks. For more information, see Using Bookmarks.
To generate a report based on the data in the current view, click Report Designer. For more information, see Creating a Report Template from an Event View.
The number of intrusion events that appear on the event views may be quite large, depending on:
- the time range you select
- the amount of traffic on your network
- the intrusion policy you apply
To make it easier to analyze intrusion events, you can constrain the event pages. The constraining processes are slightly different for drill-down views and the table view of intrusion events.
Tip The time range pauses when you click one of the links at the bottom of the intrusion event workflow page to navigate to another page, and resumes when you click to take any other action on the subsequent page, including exiting the workflow; this reduces the likelihood of displaying the same events as you navigate to other pages in the workflow to see more events. For more information, see Setting Event Time Constraints and Navigating to Other Pages in the Workflow.
The following table describes how to use the drill-down pages.
Table 41-3 Constraining Events on Drill-Down Pages
To drill down to the next workflow page constraining on a specific value, click the value.
For example, on the Destination Port workflow, to constrain the events to those with a destination of port 80, click 80/tcp in the DST Port/ICMP Code column. The next page of the workflow, Events, appears and contains only port 80/tcp events.
To drill down to the next workflow page constraining on selected events, select the check boxes next to the events you want to view on the next workflow page, then click View.
For example, on the Destination Port workflow, to constrain the events to those with destination ports 20/tcp and 21/tcp, select the check boxes next to the rows for those ports and click View. The next page of the workflow, Events, appears and contains only port 20/tcp and 21/tcp events.
Note If you constrain on multiple rows and the table has more than one column (not including a Count column), you build what is called a compound constraint. Compound constraints ensure that you do not include more events in your constraint than you mean to. For example, if you use the Event and Destination workflow, each row that you select on the first drill-down page creates a compound constraint. If you pick event 1:100 with a destination IP address of 10.10.10.100 and you also pick event 1:200 with a destination IP address of 192.168.10.100, the compound constraint ensures that you do not also select events with 1:100 as the event type and 192.168.10.100 as the destination IP address or events with 1:200 as the event type and 10.10.10.100 as the destination IP address.
To drill down to the next workflow page keeping the current constraints, click View All.
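The compound-constraint behaviour described in the note above, as an added example that is not part of the Cisco documentation and not the appliance's own filtering code: a few Python functions that build the rows a drill-down page would show and then apply the selected rows either as a compound constraint (every column matched at once) or, for contrast, as independent per-column constraints, which is the over-inclusive outcome the note says compound constraints prevent. The function names, the column keys and the five sample events are assumptions of this example; the event IDs and addresses are the ones used in the note.

```python
from typing import Dict, List, Sequence, Tuple

Event = Dict[str, str]
Row = Tuple[str, ...]

# Constructed sample events, keyed the way the Event and Destination drill-down page
# shows them (event ID in GID:SID form, destination IP address). Samples C and D are the
# cross-combinations the note says a compound constraint must not pull in.
SAMPLE_EVENTS: List[Event] = [
    {"event": "1:100", "dst_ip": "10.10.10.100", "message": "constructed sample A"},
    {"event": "1:200", "dst_ip": "192.168.10.100", "message": "constructed sample B"},
    {"event": "1:100", "dst_ip": "192.168.10.100", "message": "constructed sample C"},
    {"event": "1:200", "dst_ip": "10.10.10.100", "message": "constructed sample D"},
    {"event": "1:300", "dst_ip": "10.10.10.100", "message": "constructed sample E"},
]


def drill_down_rows(events: Sequence[Event], columns: Sequence[str]) -> List[Tuple[Row, int]]:
    """Rows of a drill-down page: each distinct value combination with its Count."""
    counts: Dict[Row, int] = {}
    for e in events:
        row = tuple(e[c] for c in columns)
        counts[row] = counts.get(row, 0) + 1
    return list(counts.items())  # dict preserves first-seen order


def apply_compound_constraint(events: Sequence[Event], columns: Sequence[str],
                              selected_rows: Sequence[Row]) -> List[Event]:
    """Keep only events whose values match one selected row in every column at once."""
    wanted = set(selected_rows)
    return [e for e in events if tuple(e[c] for c in columns) in wanted]


def apply_independent_constraints(events: Sequence[Event], columns: Sequence[str],
                                  selected_rows: Sequence[Row]) -> List[Event]:
    """The over-inclusive alternative: each column is constrained separately to the
    union of the selected values, so cross-combinations of those values leak through."""
    allowed = {c: {row[i] for row in selected_rows} for i, c in enumerate(columns)}
    return [e for e in events if all(e[c] in allowed[c] for c in columns)]


def over_included(events: Sequence[Event], columns: Sequence[str],
                  selected_rows: Sequence[Row]) -> List[Event]:
    """Events the independent filter admits but the compound constraint excludes."""
    compound = apply_compound_constraint(events, columns, selected_rows)
    return [e for e in apply_independent_constraints(events, columns, selected_rows)
            if e not in compound]


if __name__ == "__main__":
    cols = ("event", "dst_ip")
    for row, count in drill_down_rows(SAMPLE_EVENTS, cols):
        print(row, count)
    picked = [("1:100", "10.10.10.100"), ("1:200", "192.168.10.100")]
    print("compound:", [e["message"] for e in apply_compound_constraint(SAMPLE_EVENTS, cols, picked)])
    print("leaked by per-column filtering:", [e["message"] for e in over_included(SAMPLE_EVENTS, cols, picked)])
```

Selecting the first two drill-down rows keeps samples A and B only; constraining the Event column and the Destination IP column separately would also admit C and D, which is exactly the set the note describes.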
The following table describes how to use the table view.
Table 41-4 Constraining Events on the Table View of Events
To constrain the view to events with a single attribute, click the attribute.
For example, to constrain the view to events with a destination of port 80, click 80/tcp in the DST Port/ICMP Code column.
To remove a column from the table, click the close icon in the column heading that you want to hide. In the pop-up window that appears, click Apply.
Tip To hide or show other columns, select or clear the appropriate check boxes before you click Apply. To add a disabled column back to the view, click the expand arrow to expand the search constraints, then click the column name under Disabled Columns.
To view the packets associated with one or more events, either:
- click the down arrow icon next to the event whose packets you want to view.
- select one or more events whose packets you want to view, and, at the bottom of the page, click View.
- at the bottom of the page, click View All to view the packets for all events that match the current constraints.
Tip At any point in the process, you can save the constraints as a set of search criteria. For example, if you find that over the course of a few days your network is being probed by an attacker from a single IP address, you can save your constraints during your investigation and then use them again later. You cannot, however, save compound constraints as a set of search criteria. For more information, see Performing and Saving Searches.
Tip If no intrusion events appear on the event views, adjusting the selected time range might return results. If you selected an older time range, events in that time range might have been deleted. Adjusting the rule thresholding configuration might generate events.
Using the Packet View
License: Protection
A packet view provides information about the packet that triggered the rule that generated an intrusion event.
Tip The packet view on a Defense Center does not contain packet information when the Transfer Packet option is disabled for the device detecting the event.
The packet view indicates why a specific packet was captured by providing information about the intrusion event that the packet triggered, including the event’s time stamp, message, classification, priority, and, if the event was generated by a standard text rule, the rule that generated the event. The packet view also provides general information about the packet, such as its size.
In addition, the packet view has a section that describes each layer in the packet: data link, network, and transport, as well as a section that describes the bytes that comprise the packet. If the system decrypted the packet, you can view the decrypted bytes. You can expand collapsed sections to display detailed information.
Note Because each portscan event is triggered by multiple packets, portscan events use a special version of the packet view. See Detecting Portscans for more information.
The following table describes the actions you can take on the packet view.
Table 41-5 Packet View Actions
To modify the date and time range in the packet views, find more information in Setting Event Time Constraints.
To learn more about the information displayed in the packet view, find more information in:
To add an event to the clipboard so you can transfer it to the incidents at a later time, either:
- click Copy to copy the event whose packet you are viewing
- click Copy All to copy all the events whose packets you previously selected
The clipboard stores up to 25,000 events per user. For more information on the clipboard, see Using the Clipboard.
To delete an event from the event database, either:
- click Delete to delete the event whose packet you are viewing
- click Delete All to delete all the events whose packets you previously selected
To mark an event reviewed to remove it from event views, but not the event database, either:
- click Review to review the event whose packet you are viewing
- click Review All to review all the events whose packets you previously selected
For more information, see Reviewing Intrusion Events. Note that reviewed events continue to be included in the event statistics on the Intrusion Event Statistics page.
To download a local copy of the packet (a packet capture file in libpcap format) that triggered the event, either:
- click Download Packet to save a copy of the captured packet for the event you are viewing
- click Download All Packets to save copies of the captured packets for all the events whose packets you previously selected
The captured packet is saved in libpcap format. This format is used by several popular protocol analyzers.
Note that you cannot download a portscan packet because single portscan events are based on multiple packets; however, the portscan view provides all usable packet information. See Understanding Portscan Events for more information.
Note that you must have at least 15% available disk space in order to download.
To expand or collapse a page section, click the arrow next to the section.
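The libpcap format in which Table 41-2 and Table 41-5 say downloaded packets are saved, as an added example that is not part of the Cisco documentation and not the appliance's own writer: a minimal Python reader for such a file, with bounds checks so that a truncated download is reported rather than silently yielding a short frame, plus a helper that pulls the IPv4 endpoints out of an Ethernet frame so the file can be cross-checked against the event's Source/Destination IP columns. The function names, the constructed frame and the sample timestamp are assumptions of this example; the 24-byte global header, the 16-byte record header and the magic numbers are the standard libpcap layout. The writer is included only to build the sample file offline.

```python
import struct
from typing import List, Optional, Tuple

PCAP_MAGIC_US = 0xA1B2C3D4   # microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER = "IHHiIII"    # magic, major, minor, thiszone, sigfigs, snaplen, linktype
RECORD_HEADER = "IIII"       # ts_sec, ts_frac, incl_len, orig_len

Packet = Tuple[int, int, bytes]


def build_pcap(packets: List[Packet], endian: str = "<", linktype: int = LINKTYPE_ETHERNET) -> bytes:
    """Serialise (ts_sec, ts_usec, frame) tuples into a pcap file; used to make the sample."""
    out = [struct.pack(endian + GLOBAL_HEADER, PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack(endian + RECORD_HEADER, ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def read_pcap(data: bytes) -> Tuple[int, bool, List[Packet]]:
    """Parse a pcap file into (linktype, nanosecond_timestamps, packets).
    Accepts either byte order and raises ValueError on a truncated or foreign file."""
    if len(data) < 24:
        raise ValueError("file shorter than the 24-byte pcap global header")
    endian = None
    for candidate in ("<", ">"):
        if struct.unpack(candidate + "I", data[:4])[0] in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            endian = candidate
            break
    if endian is None:
        raise ValueError("not a libpcap file (unknown magic %s)" % data[:4].hex())
    magic, _major, _minor, _tz, _sig, _snaplen, linktype = struct.unpack(endian + GLOBAL_HEADER, data[:24])
    packets: List[Packet] = []
    offset = 24
    while offset < len(data):
        if offset + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % offset)
        ts_sec, ts_frac, incl_len, _orig_len = struct.unpack(endian + RECORD_HEADER, data[offset:offset + 16])
        offset += 16
        if offset + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % offset)
        packets.append((ts_sec, ts_frac, data[offset:offset + incl_len]))
        offset += incl_len
    return linktype, magic == PCAP_MAGIC_NS, packets


def validate_pcap(data: bytes) -> str:
    """'ok' when the file parses completely, otherwise the reason it was rejected."""
    try:
        read_pcap(data)
        return "ok"
    except ValueError as exc:
        return str(exc)


def ipv4_endpoints(frame: bytes) -> Optional[Tuple[str, str, int]]:
    """For an Ethernet/IPv4 frame return (src_ip, dst_ip, protocol); None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or len(frame) < 14 + ihl:
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, frame[23]


def build_sample_frame() -> bytes:
    """A constructed Ethernet/IPv4/TCP frame carrying a short HTTP request (not captured data)."""
    eth = b"\x00\x11\x22\x33\x44\x55" b"\x66\x77\x88\x99\xaa\xbb" b"\x08\x00"
    payload = b"GET / HTTP/1.1\r\n\r\n"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     bytes([10, 10, 10, 5]), bytes([192, 168, 10, 100]))
    return eth + ip + tcp + payload


if __name__ == "__main__":
    sample = build_pcap([(1700000000, 123456, build_sample_frame())])
    linktype, nanos, pkts = read_pcap(sample)
    print("linktype", linktype, "nanosecond" if nanos else "microsecond", len(pkts), "packet(s)")
    for ts_sec, ts_frac, frame in pkts:
        print(ts_sec, ts_frac, ipv4_endpoints(frame))
    print(validate_pcap(sample[:-5]))
```

The 15% free-disk-space requirement in the table is a server-side condition; a download that is cut off for any reason shows up here as a "truncated packet data" result rather than as a quietly shorter frame.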
To display the packet view:
Access: Admin/Intrusion Admin
Step 1 On the table view of intrusion events, select packets to view. See the Constraining Events on the Table View of Events table for more information.
The packet view appears. If you selected more than one event, you can page through the packets by using the page numbers at the bottom of the page.
Viewing Event Information
License: Protection
On the packet view, you can view information about the packet in the Event Information section.
Event
The event message. For rule-based events, this corresponds to the rule message. For other events, this is determined by the decoder or preprocessor.
The ID for the event is appended to the message in the format (GID:SID:Rev). GID is the generator ID of the rules engine, the decoder, or the preprocessor that generated the event. SID is the identifier for the rule, decoder message, or preprocessor message. Rev is the revision number of the rule. For more information, refer to Reading Preprocessor Generator IDs.
Timestamp
The time that the packet was captured.
Classification
The event classification. For rule-based events, this corresponds to the rule classification. For other events, this is determined by the decoder or preprocessor.
Priority
The event priority. For rule-based events, this corresponds to either the value of the priority keyword or the value for the classtype keyword. For other events, this is determined by the decoder or preprocessor.
Ingress Security Zone
The ingress security zone of the packet that triggered the event. Only this security zone field is populated in a passive deployment. See Working with Security Zones.
Egress Security Zone
For an inline deployment, the egress security zone of the packet that triggered the event. See Working with Security Zones.
Device
The managed device where the access control policy was applied. See Managing Devices.
Security Context
The metadata identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multiple context mode.
Ingress Interface
The ingress interface of the packet that triggered the event. Only this interface column is populated for a passive interface. See Configuring Sensing Interfaces.
Egress Interface
For an inline set, the egress interface of the packet that triggered the event. See Configuring Sensing Interfaces.
Source/Destination IP
The host IP address or domain name where the packet that triggered the event (source) originated, or the target (destination) host of the traffic that triggered the event.
Note that to display the domain name, you must enable IP address resolution; for more information, see Configuring Event View Settings.
Click the address or domain name to view the context menu, then select Whois to do a whois search on the host, View Host Profile to view host information, or Blacklist Now or Whitelist Now to add the address to a global blacklist or whitelist. See Using Host Profiles and Working with the Global Whitelist and Blacklist.
Source Port/ICMP Type
Source port of the packet that triggered the event. For ICMP traffic, where there is no port number, the system displays the ICMP type.
Destination Port/ICMP Code
The port number for the host receiving the traffic. For ICMP traffic, where there is no port number, the system displays the ICMP code.
Email Headers
The data that was extracted from the email header. Note that email headers do not appear in the table view of intrusion events, but you can use email header data as a search criterion.
To associate email headers with intrusion events for SMTP traffic, you must enable the SMTP preprocessor Log Headers option. See Understanding SMTP Decoding for more information. For rule-based events, this row appears when email data is extracted.
HTTP Hostname
The host name, if present, extracted from the HTTP request Host header. This row displays the complete host name, up to 256 bytes. Click the expand arrow to display the complete host name when it is longer than a single row.
To display host names, you must enable the HTTP Inspect preprocessor Log Hostname option. See Selecting Server-Level HTTP Normalization Options for more information.
Note that HTTP request packets do not always include a host name. For rule-based events, this row appears when the packet contains the HTTP host name or the HTTP URI.
HTTP URI
The raw URI, if present, associated with the HTTP request packet that triggered the intrusion event. This row displays the complete URI, up to 2048 bytes. Click the expand arrow to display the complete URI when it is longer than a single row.
To display the URI, you must enable the HTTP Inspect preprocessor Log URI option. See Selecting Server-Level HTTP Normalization Options for more information.
Note that HTTP request packets do not always include a URI. For rule-based events, this row appears when the packet contains the HTTP host name or the HTTP URI.
To see the associated HTTP URI in intrusion events triggered by HTTP responses, you should configure HTTP server ports in the Perform Stream Reassembly on Both Ports option; note, however, that this increases resource demands for traffic reassembly. See Selecting Stream Reassembly Options.
Intrusion Policy
The intrusion policy, if present, where the intrusion, preprocessor, or decoder rule that generated the intrusion event was enabled. You can select an intrusion policy as the default action for an access control policy or associate an intrusion policy with an access control rule. See Setting Default Handling and Inspection for Network Traffic and Configuring an Access Control Rule to Perform Intrusion Prevention.
Access Control Policy
The access control policy that includes the intrusion policy where the intrusion, preprocessor, or decoder rule that generated the event is enabled. See Managing Access Control Policies.
Access Control Rule
The access control rule associated with an intrusion rule that generated the event; see Configuring an Access Control Rule to Perform Intrusion Prevention.
Default Action indicates that the intrusion policy where the rule is enabled is not associated with an access control rule but, instead, is configured as the default action of the access control policy; see Setting Default Handling and Inspection for Network Traffic.
Rule
For standard text rule events, the rule that generated the event.
Note that if the event is based on a shared object rule, a decoder, or a preprocessor, the rule is not available.
Because rule data may contain sensitive information about your network, administrators may toggle users’ ability to view rule information in the packet view with the View Local Rules permission in the user role editor. For more information, see Modifying User Privileges and Options.
Actions
For standard text rule events, expand Actions to take any of the following actions on the rule that triggered the event:
– edit the rule
– view documentation for the revision of the rule
– add a comment to the rule
– change the state of the rule
– set a threshold for the rule
– suppress the rule
See Using Packet View Actions, Setting Threshold Options within the Packet View, and Setting Suppression Options within the Packet View for more information.
Note that if the event is based on a shared object rule, a decoder, or a preprocessor, the rule is not available.
Using Packet View Actions
License: Protection
On the packet view, you can take several actions in the Event Information section on the rule that triggered the event. Note that if the event is based on a shared object rule, a decoder, or a preprocessor, the rule is not available. You must expand Actions to display rule actions.
Edit
For standard text rule events, click Edit to modify the rule that generated the event.
Note that if the event is based on a shared object rule, a decoder, or a preprocessor, the rule is not available.
Note If you edit a rule provided by Cisco (as opposed to a custom standard text rule), you actually create a new local rule. Make sure you set the local rule to generate events and also disable the original rule in the current intrusion policy. Note, however, that you cannot enable local rules in the default policies. For more information, see Modifying Existing Rules.
View Documentation
For standard text rule events, click View Documentation to learn more about the rule revision that generated the event.
Rule Comment
For standard text rule events, click Rule Comment to add a text comment to the rule that generated the event.
This allows you to provide additional context and information about the rule and the exploit or policy violation it identifies. You can also add and view rule comments in the rule editor. For more information, see Adding Comments to Rules.
Disable this rule
If this event is generated by a standard text rule, you can disable the rule, if necessary. You can set the rule in all policies that you can edit locally. Alternately, you can set the rule only in the current policy (that is, the policy that generated the event) if you can edit the current policy locally.
For more information, see Setting Rule States.
Note that the current policy option appears only when you can edit the current policy; for example, you can edit a custom policy, but you cannot edit a default policy provided by Cisco.
Note You cannot disable shared object rules from the packet view, nor can you disable rules in the default policies.
Set this rule to generate events
If this event is generated by a standard text rule, you can set the rule to generate events in all policies that you can edit locally. Alternately, you can set the rule only in the current policy (that is, the policy that generated the event) if you can edit the current policy locally.
For more information, see Setting Rule States.
Note that the current policy option appears only when you can edit the current policy; for example, you can edit a custom policy, but you cannot edit a default policy provided by Cisco.
Note You cannot set shared object rules to generate events from the packet view, nor can you disable rules in the default policies.
Set this rule to drop
If your managed device is deployed inline on your network, you can set the rule that triggered the event to drop packets that trigger the rule in all policies that you can edit locally. Alternately, you can set the rule only in the current policy (that is, the policy that generated the event) if you can edit the current policy locally.
Note that the current policy option appears only when you can edit the current policy; for example, you can edit a custom policy, but you cannot edit a default policy provided by Cisco. Note also that this option appears only when Drop when Inline is enabled in the current policy. See Setting Drop Behavior in an Inline Deployment for more information.
Set Thresholding Options
You can use this option to create a threshold for the rule that triggered this event in all policies that you can edit locally. Alternately, you can create a threshold only for the current policy (that is, the policy that generated the event) if you can edit the current policy locally.
The thresholding options are described in Setting Threshold Options within the Packet View.
Note that the current policy option appears only when you can edit the current policy; for example, you can edit a custom policy, but you cannot edit a default intrusion policy provided by Cisco.
Set Suppression Options
You can use this option to suppress the rule that triggered this event in all policies that you can edit locally. Alternately, you can suppress the rule only in the current policy (that is, the policy that generated the event) if you can edit the current policy locally.
The suppression options are described in Setting Suppression Options within the Packet View.
Note that the current policy option appears only when you can edit the current policy; for example, you can edit a custom policy, but you cannot edit a default policy provided by Cisco.
Setting Threshold Options within the Packet View
License:
Protection
You can control the number of events that are generated per rule over time by setting the threshold options in the packet view of an intrusion event. You can set threshold options in all policies that you can edit locally or, when it can be edited locally, only in the current policy (that is, the policy that caused the event to be generated).
To set the threshold options within the packet view:
Access:
Admin/Intrusion Admin
Step 1 Within the packet view of an intrusion event that was generated by an intrusion rule, expand Actions in the Event Information section; expand Set Thresholding Options and select one of the two possible options:
- in the current policy
- in all locally created policies
Note that the current policy option appears only when you can edit the current policy; for example, you can edit a custom policy, but you cannot edit a default policy provided by Cisco.
The thresholding options appear.
Step 2 Select the type of threshold you want to set:
- Select limit to limit notification to the specified number of event instances per time period.
- Select threshold to provide notification for each specified number of event instances per time period.
- Select both to provide notification once per time period after a specified number of event instances.
Step 3 Select the appropriate radio button to indicate whether you want the event instances tracked by Source or Destination IP address.
Step 4 In the Count field, type the number of event instances you want to use as your threshold.
Step 5 In the Seconds field, type a number between 1 and 86400 that specifies the time period for which event instances are tracked.
Step 6 If you want to override any current thresholds for this rule in existing intrusion policies, select Override any existing settings for this rule.
Step 7 Click Save Thresholding.
The system adds your threshold and displays a message indicating success. If you chose not to override existing settings, a message appears informing you of any conflicts.
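The three threshold types produce different notification patterns over the same stream of events, and the difference is easiest to see by replaying events through each. The Python model below is an added illustration, not code from the FireSIGHT System: it assumes a fixed (non-sliding) tracking period per tracked address, which is the author's approximation of how Count, Seconds and Track By combine, and the sample events and addresses are constructed placeholders.

```python
"""Model of the three packet-view threshold types: limit, threshold, both."""
from dataclasses import dataclass

VALID_KINDS = ("limit", "threshold", "both")
VALID_TRACKING = ("source", "destination")


@dataclass(frozen=True)
class Threshold:
    """One threshold as entered in the packet view (Type, Track By, Count, Seconds)."""
    kind: str       # "limit", "threshold" or "both"
    track_by: str   # "source" or "destination" IP address
    count: int      # event instances that make up the threshold
    seconds: int    # tracking period; the UI accepts 1..86400

    def __post_init__(self):
        if self.kind not in VALID_KINDS:
            raise ValueError(f"unknown threshold type: {self.kind!r}")
        if self.track_by not in VALID_TRACKING:
            raise ValueError(f"unknown tracking key: {self.track_by!r}")
        if self.count < 1:
            raise ValueError("count must be at least 1")
        if not 1 <= self.seconds <= 86400:
            raise ValueError("seconds must be between 1 and 86400")


class EventThrottle:
    """Applies one Threshold to the events of a single rule.

    State is kept per tracked IP address: the start of the current period and
    the number of instances seen in it. The period is not sliding; once
    `seconds` have elapsed since it opened, the next event opens a new one.
    (Assumption: this fixed-window model is the author's approximation, not
    the product's own logic.)
    """

    def __init__(self, threshold: Threshold):
        self.threshold = threshold
        self._windows = {}   # tracked ip -> [window_start, hits]

    def should_notify(self, ts: int, src_ip: str, dst_ip: str) -> bool:
        t = self.threshold
        key = src_ip if t.track_by == "source" else dst_ip
        window = self._windows.get(key)
        if window is None or ts - window[0] >= t.seconds:
            window = [ts, 0]
            self._windows[key] = window
        window[1] += 1
        hits = window[1]
        if t.kind == "limit":          # only the first `count` instances per period
            return hits <= t.count
        if t.kind == "threshold":      # every `count`th instance per period
            return hits % t.count == 0
        return hits == t.count         # "both": once per period, when the count is reached


def notified_timestamps(threshold: Threshold, events) -> list:
    """Return the timestamps of events that would still produce a notification."""
    throttle = EventThrottle(threshold)
    return [ts for ts, src, dst in events if throttle.should_notify(ts, src, dst)]


# Constructed sample: ten instances of one rule, one per second, all from the
# same source host (documentation-range addresses, not real hosts).
SAMPLE_EVENTS = [(t, "10.0.0.5", "192.0.2.10") for t in range(10)]

if __name__ == "__main__":
    for kind in VALID_KINDS:
        th = Threshold(kind, "source", count=3, seconds=60)
        print(f"{kind:9s} -> notify at {notified_timestamps(th, SAMPLE_EVENTS)}")
```

With Count 3 and Seconds 60, `limit` reports the first three instances and then goes quiet, `threshold` reports every third instance, and `both` reports exactly once; shortening Seconds to 5 shows the period reopening.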
Setting Suppression Options within the Packet View
License:
Protection
You can use the suppression options to suppress intrusion events altogether, or based on the source or destination IP address. You can set suppression options in all policies that you can edit locally. Alternately, you can set suppression options only in the current policy (that is, the policy that generated the event) when the current policy can be edited locally.
To suppress intrusion events within the packet view:
Access:
Admin/Intrusion Admin
Step 1 Within the packet view of an intrusion event that was generated by an intrusion rule, expand Actions in the Event Information section; expand Set Suppression Options and click one of the two possible options:
- in the current policy
- in all locally created policies
Note that the current policy option appears only when you can edit the current policy; for example, you can edit a custom policy, but you cannot edit a default policy provided by Cisco.
The suppression options appear.
Step 2 Select one of the following Track By options:
- To completely suppress events for the rule that triggered this event, select Rule.
- To suppress events generated by packets originating from a specified source IP address, select Source.
- To suppress events generated by packets going to a specified destination IP address, select Destination.
Step 3 In the IP address or CIDR block field, enter the IP address or CIDR block/prefix length you want to specify as the source or destination IP address.
For information on using CIDR notation and prefix lengths in the FireSIGHT System, see IP Address Conventions.
Step 4 Click Save Suppression.
The suppression options within your intrusion policies are modified according to your specifications. If you chose not to override existing settings, a message appears informing you of any conflicts.
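The three Track By choices (Rule, Source, Destination) and the IP-address-or-CIDR field map onto a small matching rule. The following Python is an added example, not FireSIGHT code: it models a suppression list and filters constructed events against it, using the standard `ipaddress` module so that a bare address and a CIDR block are handled the same way. GID/SID values and addresses are placeholders.

```python
"""Model of packet-view suppression: by rule, by source address, or by destination address."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Suppression:
    gid: int
    sid: int
    track_by: str                      # "rule", "source" or "destination"
    network: Optional[Network] = None  # required unless track_by == "rule"


def make_suppression(gid: int, sid: int, track_by: str,
                     ip_or_cidr: Optional[str] = None) -> Suppression:
    """Build a suppression the way the packet view collects it.

    `ip_or_cidr` accepts a plain address ("192.0.2.10") or a CIDR block
    ("10.0.0.0/8"); a plain address becomes a /32 (or /128) network.
    """
    if track_by == "rule":
        return Suppression(gid, sid, "rule")
    if track_by not in ("source", "destination"):
        raise ValueError(f"unknown Track By option: {track_by!r}")
    if not ip_or_cidr:
        raise ValueError("source/destination suppression needs an IP address or CIDR block")
    return Suppression(gid, sid, track_by, ipaddress.ip_network(ip_or_cidr, strict=False))


def is_suppressed(event: dict, suppressions) -> bool:
    """True if any suppression entry matches this event's rule and address."""
    for s in suppressions:
        if (s.gid, s.sid) != (event["gid"], event["sid"]):
            continue
        if s.track_by == "rule":
            return True
        addr = ipaddress.ip_address(event["src"] if s.track_by == "source" else event["dst"])
        if addr in s.network:   # ipaddress returns False for an IPv4/IPv6 mismatch
            return True
    return False


def apply_suppressions(events, suppressions) -> list:
    """Return the events that survive suppression, in their original order."""
    return [e for e in events if not is_suppressed(e, suppressions)]


# Constructed data: GID/SID values and addresses are illustrative placeholders.
SUPPRESSIONS = [
    make_suppression(1, 2001, "source", "10.0.0.0/8"),      # a noisy internal range
    make_suppression(1, 2002, "rule"),                       # rule suppressed outright
    make_suppression(1, 2003, "destination", "192.0.2.10"),  # single host, becomes a /32
]
SAMPLE_EVENTS = [
    {"gid": 1, "sid": 2001, "src": "10.1.2.3",   "dst": "192.0.2.10"},  # suppressed (source in /8)
    {"gid": 1, "sid": 2001, "src": "172.16.0.1", "dst": "192.0.2.10"},  # kept
    {"gid": 1, "sid": 2002, "src": "172.16.0.1", "dst": "192.0.2.99"},  # suppressed (by rule)
    {"gid": 1, "sid": 2003, "src": "172.16.0.1", "dst": "192.0.2.10"},  # suppressed (destination)
    {"gid": 1, "sid": 2003, "src": "172.16.0.1", "dst": "192.0.2.11"},  # kept
    {"gid": 3, "sid": 2002, "src": "172.16.0.1", "dst": "192.0.2.99"},  # kept: different GID
]

if __name__ == "__main__":
    for e in apply_suppressions(SAMPLE_EVENTS, SUPPRESSIONS):
        print("kept:", e)
```

Note that a suppression is keyed on both GID and SID: the shared-object or preprocessor rule with the same SID under another generator is untouched, which is why the last sample event is kept.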
Viewing Frame Information
License:
Protection
On the packet view, click the arrow next to Frame to view information about the captured frame. The packet view may display a single frame or multiple frames. Each frame provides information about an individual network packet. You would see multiple frames, for example, in the case of tagged packets or packets in reassembled TCP streams. For information on tagged packets, see Evaluating Post-Attack Traffic. For information on reassembled TCP streams, see Reassembling TCP Streams.
Frame n
The captured frame, where n is 1 for single-frame packets and the incremental frame number for multi-frame packets. The number of captured bytes in the frame is appended to the frame number.
Arrival Time
The date and time the frame was captured.
Time delta from previous captured frame
For multi-frame packets, the elapsed time since the previous frame was captured.
Time delta from previous displayed frame
For multi-frame packets, the elapsed time since the previous frame was displayed.
Time since reference or first frame
For multi-frame packets, the elapsed time since the first frame was captured.
Frame Number
The incremental frame number.
Frame Length
The length of the frame in bytes.
Capture Length
The length of the captured frame in bytes.
Frame is marked
Whether the frame is marked (true or false).
Protocols in frame
The protocols included in the frame.
Viewing Data Link Layer Information
License:
Protection
On the packet view, click the arrow next to the data link layer protocol (for example, Ethernet II) to view the data link layer information about the packet, which contains the 48-bit media access control (MAC) addresses for the source and destination hosts. It may also display other information about the packet, depending on the hardware protocol.
Note This example discusses Ethernet link layer information; other protocols may also appear.
The packet view reflects the protocol used at the data link layer. The following listing describes the information you might see for an Ethernet II or IEEE 802.3 Ethernet packet in the packet view.
Destination
The MAC address for the destination host.
Note Ethernet can also use multicast and broadcast addresses as the destination address.
Source
The MAC address for the source host.
Type
For Ethernet II packets, the type of packet that is encapsulated in the Ethernet frame; for example, IPv6 or ARP datagrams. Note that this item only appears for Ethernet II packets.
Length
For IEEE 802.3 Ethernet packets, the total length of the packet, in bytes, not including the checksum. Note that this item only appears for IEEE 802.3 Ethernet packets.
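Whether the packet view shows a Type or a Length line depends on the value in the 16-bit field that follows the source MAC. The decoder below is an added example, not FireSIGHT code: it applies the IEEE 802.3 convention that values of 0x0600 (1536) and above are EtherTypes and values of 1500 and below are lengths, and it flags the broadcast and multicast destination forms the Destination note mentions. The frames and MAC addresses are constructed.

```python
"""Decode the data link layer of a captured frame: Ethernet II versus IEEE 802.3."""
import struct

# A few IANA-assigned EtherType values, for readable output.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q VLAN"}


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> dict:
    """Return destination, source and the Type-or-Length interpretation.

    The field after the source MAC is an EtherType when its value is 0x0600
    (1536) or greater and an 802.3 length when it is 1500 or less; values in
    between are valid in neither framing.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet header")
    dst, src, type_or_len = struct.unpack("!6s6sH", frame[:14])
    info = {
        "destination": format_mac(dst),
        "source": format_mac(src),
        # Bit 0 of the first octet marks a group (multicast) address;
        # all-ones is the broadcast address.
        "destination_is_broadcast": dst == b"\xff" * 6,
        "destination_is_multicast": bool(dst[0] & 0x01) and dst != b"\xff" * 6,
        "payload": frame[14:],
    }
    if type_or_len >= 0x0600:
        info["framing"] = "Ethernet II"
        info["type"] = type_or_len
        info["type_name"] = ETHERTYPES.get(type_or_len, f"0x{type_or_len:04x}")
    elif type_or_len <= 1500:
        info["framing"] = "IEEE 802.3"
        info["length"] = type_or_len
    else:
        info["framing"] = "invalid"
    return info


# Constructed frames (headers only; the MAC addresses are made up):
# an ARP broadcast as Ethernet II, and an 802.3 frame to a multicast address
# whose Length field says 46 bytes.
ARP_BROADCAST = bytes.fromhex("ffffffffffff" "001122334455" "0806")
IEEE_8023 = bytes.fromhex("0180c2000000" "001122334455" "002e")

if __name__ == "__main__":
    for f in (ARP_BROADCAST, IEEE_8023):
        print(parse_ethernet(f))
```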
Viewing Network Layer Information
License:
Protection
On the packet view, click the arrow next to the network layer protocol (for example, Internet Protocol) to view more detailed network layer information about the packet.
Note This example discusses IP packets; other protocols may also appear.
See the following sections for more information:
Viewing IPv4 Network Layer Information
License:
Protection
The following listing describes protocol-specific information that might appear in an IPv4 packet.
Version
The Internet Protocol version number.
Header Length
The number of bytes in the header, including any IP options. An IP header with no options is 20 bytes long.
Differentiated Services Field
The values for differentiated services that indicate how the sending host supports Explicit Congestion Notification (ECN):
– 0x0 — does not support ECN-Capable Transport (ECT)
– 0x1 and 0x2 — supports ECT
– 0x3 — Congestion Experienced (CE)
Total Length
The length of the IP packet, in bytes, minus the IP header.
Identification
The value that uniquely identifies an IP datagram sent by the source host. This value is used to trace fragments of the same datagram.
Flags
The values that control IP fragmentation, where:
values for the Last Fragment flag indicate whether there are more fragments associated with the datagram:
– 0 — there are no more fragments associated with the datagram
– 1 — there are more fragments associated with the datagram
values for the Don’t Fragment flag control whether the datagram can be fragmented:
– 0 — the datagram can be fragmented
– 1 — the datagram must not be fragmented
Fragment Offset
The value for the fragment offset from the beginning of the datagram.
Time to Live (ttl)
The remaining number of hops that the datagram can make between routers before the datagram expires.
Protocol
The transport protocol that is encapsulated in the IP datagram; for example, ICMP, IGMP, TCP, or UDP.
Header Checksum
The indicator for whether the IP checksum is valid. If the checksum is invalid, the datagram may have been corrupted during transit or may be being used in an intrusion evasion attempt.
Source/Destination
The IP address or domain name for the source (or destination) host.
Note that to display the domain name, you must enable IP address resolution; for more information, see Configuring Event View Settings.
Click the address or domain name to view the context menu, then select Whois to do a whois search on the host, View Host Profile to view host information, or Blacklist Now or Whitelist Now to add the address to a global blacklist or whitelist. See Using Host Profiles and Working with the Global Whitelist and Blacklist.
Viewing IPv6 Network Layer Information
License:
Protection
The following listing describes protocol-specific information that might appear in an IPv6 packet.
Traffic Class
An experimental 8-bit field in the IPv6 header for identifying IPv6 packet classes or priorities similar to the differentiated services functionality provided for IPv4. When unused, this field is set to zero.
Flow Label
An optional 20-bit IPv6 hexadecimal value 1 to FFFFF that identifies a special flow such as non-default quality of service or real-time service. When unused, this field is set to zero.
Payload Length
A 16-bit field identifying the number of octets in the IPv6 payload, which is comprised of all of the packet following the IPv6 header, including any extension headers.
Next Header
An 8-bit field identifying the type of header immediately following the IPv6 header, using the same values as the IPv4 Protocol field.
Hop Limit
An 8-bit decimal integer that each node that forwards the packet decrements by one. The packet is discarded if the decremented value reaches zero.
Source
The 128-bit IPv6 address for the source host.
Destination
The 128-bit IPv6 address for the destination host.
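The IPv4 and IPv6 fields listed above come straight from fixed-layout headers, and the Header Checksum line in particular is worth seeing computed, since an invalid checksum is the packet view's hint that a packet was corrupted or crafted. The decoder below is an added example, not FireSIGHT code: it unpacks both headers with the standard `struct` module and recomputes the RFC 1071 checksum over the IPv4 header. The sample IPv4 header is a constructed 20-byte header with a correct checksum (0xb861); the IPv6 header is constructed as well.

```python
"""Decode the IPv4 and IPv6 header fields shown in the packet view."""
import ipaddress
import struct

# Protocol numbers shared by the IPv4 Protocol field and the IPv6 Next Header field.
PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; a header with a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_length": ihl,                 # 20 bytes when there are no options
        "dscp": tos >> 2,
        "ecn": ECN_NAMES[tos & 0x03],
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),   # the page's "Last Fragment" flag
        "fragment_offset": (flags_frag & 0x1FFF) * 8,  # stored in 8-byte units
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        # Recomputing over the header, checksum field included, yields 0 when intact.
        "checksum_valid": inet_checksum(pkt[:ihl]) == 0,
        "source": str(ipaddress.IPv4Address(src)),
        "destination": str(ipaddress.IPv4Address(dst)),
    }


def parse_ipv6(pkt: bytes) -> dict:
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 header")
    return {
        "version": 6,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,     # 20 bits, zero when unused
        "payload_length": payload_len,          # everything after the 40-byte fixed header
        "next_header": PROTOCOLS.get(next_hdr, str(next_hdr)),
        "hop_limit": hop_limit,
        "source": str(ipaddress.IPv6Address(src)),
        "destination": str(ipaddress.IPv6Address(dst)),
    }


# Constructed headers. IPV4_HEADER: DF set, TTL 64, UDP, 192.168.0.1 -> 192.168.0.199,
# total length 115, checksum 0xb861 (correct for these bytes).
IPV4_HEADER = bytes.fromhex("4500 0073 0000 4000 4011 b861 c0a8 0001 c0a8 00c7")
# The same header with the TTL changed to 63 and the checksum left untouched.
IPV4_TAMPERED = IPV4_HEADER[:8] + b"\x3f" + IPV4_HEADER[9:]
# IPv6: flow label 0x12345, 8-byte payload, ICMPv6, hop limit 64, fe80::1 -> ff02::1.
IPV6_HEADER = (struct.pack("!IHBB", (6 << 28) | 0x12345, 8, 58, 64)
               + ipaddress.IPv6Address("fe80::1").packed
               + ipaddress.IPv6Address("ff02::1").packed)

if __name__ == "__main__":
    print(parse_ipv4(IPV4_HEADER))
    print("tampered checksum valid:", parse_ipv4(IPV4_TAMPERED)["checksum_valid"])
    print(parse_ipv6(IPV6_HEADER))
```

IPv6 has no header checksum line at all; the fixed header carries none, and integrity is left to the transport layer, which is why the packet view's IPv6 listing stops at Source and Destination.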
Viewing Transport Layer Information
License:
Protection
On the packet view, click the arrow next to the transport layer protocol (for example, TCP, UDP, or ICMP) to view more information about the packet.
Tip Click Data when present to view the first twenty-four bytes of the payload for the protocol immediately above it in the Packet Information section of the packet view.
The contents of the transport layer for each of the following protocols is described below:
Note These examples discuss TCP, UDP, and ICMP packets; other protocols may also appear.
TCP Packet View
License:
Protection
This section describes the protocol-specific information for a TCP packet.
Source port
The number that identifies the originating application protocol.
Destination port
The number that identifies the receiving application protocol.
Sequence number
The value for the first byte in the current TCP segment, keyed to initial sequence number in the TCP stream.
Next sequence number
In a response packet, the sequence number of the next packet to send.
Acknowledgement number
The TCP acknowledgement, which is keyed to the sequence number of the previously accepted data.
Header Length
The number of bytes in the header.
Flags
The six bits that indicate the TCP segment’s transmission state:
– U — the urgent pointer is valid
– A — the acknowledgement number is valid
– P — the receiver should push data
– R — reset the connection
– S — synchronize sequence numbers to start a new connection
– F — the sender has finished sending data
Window size
The amount of unacknowledged data, in bytes, that the receiving host will accept.
Checksum
The indicator for whether the TCP checksum is valid. If the checksum is invalid, the datagram may have been corrupted during transit or may be being used in an intrusion evasion attempt.
Urgent Pointer
The position, if present, in the TCP segment where the urgent data ends. Used in conjunction with the U flag.
Options
The values, if present, for TCP options.
UDP Packet View
License:
Protection
This section describes the protocol-specific information for a UDP packet.
Source port
The number that identifies the originating application protocol.
Destination port
The number that identifies the receiving application protocol.
Length
The combined length of the UDP header and data.
Checksum
The indicator for whether the UDP checksum is valid. If the checksum is invalid, the datagram may have been corrupted during transit.
ICMP Packet View
License:
Protection
This section describes the protocol-specific information for an ICMP packet.
Type
The type of ICMP message:
– 0 — echo reply
– 3 — destination unreachable
– 4 — source quench
– 5 — redirect
– 8 — echo request
– 9 — router advertisement
– 10 — router solicitation
– 11 — time exceeded
– 12 — parameter problem
– 13 — timestamp request
– 14 — timestamp reply
– 15 — information request (obsolete)
– 16 — information reply (obsolete)
– 17 — address mask request
– 18 — address mask reply
Code
The accompanying code for the ICMP message type. ICMP message types 3, 5, 11, and 12 have corresponding codes as described in RFC 792.
Checksum
The indicator for whether the ICMP checksum is valid. If the checksum is invalid, the datagram may have been corrupted during transit.
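The TCP, UDP and ICMP packet views above differ in one detail that matters when judging a Checksum line: TCP and UDP checksums cover a pseudo-header built from the IP addresses, so a mismatch can mean the addresses were altered, while ICMP covers only its own message. The decoder below is an added example, not FireSIGHT code: it parses all three headers, decodes the six TCP flag letters the packet view shows, and verifies each checksum. The sample segments are constructed between documentation addresses, with their checksums filled in by the small `with_checksum` helper.

```python
"""Decode TCP, UDP and ICMP headers and verify their checksums (IPv4 carriage)."""
import struct

TCP_FLAG_BITS = [(0x20, "U"), (0x10, "A"), (0x08, "P"), (0x04, "R"), (0x02, "S"), (0x01, "F")]
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 4: "source quench", 5: "redirect",
              8: "echo request", 9: "router advertisement", 10: "router solicitation",
              11: "time exceeded", 12: "parameter problem", 13: "timestamp request",
              14: "timestamp reply", 15: "information request", 16: "information reply",
              17: "address mask request", 18: "address mask reply"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; data with a correct checksum sums to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: bytes, dst_ip: bytes, proto: int, length: int) -> bytes:
    """The 12-byte IPv4 pseudo-header that TCP and UDP checksums also cover."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, proto, length)


def tcp_flags(bits: int) -> str:
    """Letters for the six flag bits shown in the packet view, in U A P R S F order."""
    return "".join(letter for mask, letter in TCP_FLAG_BITS if bits & mask)


def parse_tcp(segment: bytes, src_ip: bytes, dst_ip: bytes) -> dict:
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    return {
        "source_port": sport, "destination_port": dport,
        "sequence_number": seq, "acknowledgement_number": ack,
        "header_length": data_offset,
        "flags": tcp_flags(off_flags & 0x3F),
        "window_size": window,
        "urgent_pointer": urg if off_flags & 0x20 else None,   # meaningful only with U
        "options": segment[20:data_offset],
        "checksum_valid": inet_checksum(pseudo_header(src_ip, dst_ip, 6, len(segment)) + segment) == 0,
    }


def parse_udp(datagram: bytes, src_ip: bytes, dst_ip: bytes) -> dict:
    sport, dport, length, csum = struct.unpack("!HHHH", datagram[:8])
    # Over IPv4 an all-zero UDP checksum means "not computed", not "invalid".
    valid = None if csum == 0 else \
        inet_checksum(pseudo_header(src_ip, dst_ip, 17, length) + datagram[:length]) == 0
    return {"source_port": sport, "destination_port": dport, "length": length, "checksum_valid": valid}


def parse_icmp(message: bytes) -> dict:
    icmp_type, code = message[0], message[1]
    # ICMP's checksum covers only the ICMP message; there is no pseudo-header.
    return {"type": icmp_type, "type_name": ICMP_TYPES.get(icmp_type, "other"),
            "code": code, "checksum_valid": inet_checksum(message) == 0}


def with_checksum(header: bytes, csum_offset: int, prefix: bytes = b"") -> bytes:
    """Fill the 16-bit checksum field at csum_offset (used only to build the samples)."""
    zeroed = header[:csum_offset] + b"\x00\x00" + header[csum_offset + 2:]
    csum = inet_checksum(prefix + zeroed)
    return zeroed[:csum_offset] + struct.pack("!H", csum) + zeroed[csum_offset + 2:]


# Constructed samples between documentation addresses 192.0.2.1 and 192.0.2.10.
SRC, DST = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 10])
TCP_SYN = with_checksum(struct.pack("!HHIIHHHH", 40000, 443, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0),
                        16, pseudo_header(SRC, DST, 6, 20))
UDP_DNS = with_checksum(struct.pack("!HHHH", 40001, 53, 12, 0) + b"\xab\xcd\x01\x00",
                        6, pseudo_header(SRC, DST, 17, 12))
ICMP_ECHO = with_checksum(struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping", 2)

if __name__ == "__main__":
    print(parse_tcp(TCP_SYN, SRC, DST))
    print(parse_udp(UDP_DNS, SRC, DST))
    print(parse_icmp(ICMP_ECHO))
```

Handing `parse_tcp` the same segment with a different destination address makes the checksum fail even though the segment bytes are unchanged; that is the pseudo-header at work, and it is the reason a rewritten IP header shows up as a transport-layer checksum problem.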
Viewing Packet Byte Information
License:
Protection
On the packet view, click the arrow next to
Packet Bytes
to view hexadecimal and ASCII versions of the bytes that comprise the packet. If the system decrypted traffic, you can view the decrypted packet bytes.
Using Impact Levels to Evaluate Events
License:
Protection
To help you evaluate the impact an event has on your network, the Defense Center displays an impact level in the table view of intrusion events. For each event, the Defense Center adds an impact level icon whose color indicates the correlation between intrusion data, network discovery data, and vulnerability information.
Note Because there is no operating system information available for hosts added to the network map based on NetFlow data, the Defense Center cannot assign the Vulnerable (impact level 1: red) impact level to intrusion events involving those hosts, unless you use the host input feature to manually set the hosts’ operating system identity.
The following table describes the possible values for the impact levels.
Table 41-6 Impact Levels

| Impact Level | Color | Description |
| --- | --- | --- |
| Unknown | gray | Neither the source nor the destination host is on a network that is monitored by network discovery. |
| Vulnerable | red | Either: the source or the destination host is in the network map, and a vulnerability is mapped to the host; or the source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software (see Setting Impact Level 1 for more information). |
| Potentially Vulnerable | orange | Either the source or the destination host is in the network map and one of the following is true: for port-oriented traffic, the port is running a server application protocol; for non-port-oriented traffic, the host uses the protocol. |
| Currently Not Vulnerable | yellow | Either the source or the destination host is in the network map and one of the following is true: for port-oriented traffic (for example, TCP or UDP), the port is not open; for non-port-oriented traffic (for example, ICMP), the host does not use the protocol. |
| Unknown Target | blue | Either the source or destination host is on a monitored network, but there is no entry for the host in the network map. |
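The five impact levels are a decision procedure over what the network map knows about the two endpoints. The Python below is an added worked model of that procedure, not the Defense Center's own correlation code: it encodes the conditions from the Impact Levels table, judges each endpoint against the port on its own side, and keeps the more severe of the two results. The assumptions not stated by the table are the author's: "a vulnerability is mapped to the host" is read as the triggering rule's vulnerability references intersecting the host's, and red outranks orange, yellow, blue and gray in that order when the two endpoints disagree. Hosts, networks and vulnerability ids are constructed placeholders.

```python
"""Worked model of the impact level rules in Table 41-6."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

IMPACT_LEVELS = {
    0: ("Unknown", "gray"),
    1: ("Vulnerable", "red"),
    2: ("Potentially Vulnerable", "orange"),
    3: ("Currently Not Vulnerable", "yellow"),
    4: ("Unknown Target", "blue"),
}
SEVERITY_ORDER = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}   # most to least severe (assumption)
PORT_ORIENTED = {"tcp", "udp"}


@dataclass
class Host:
    """One network map entry (constructed; the real map holds far more)."""
    vulnerabilities: set = field(default_factory=set)  # vulnerability ids mapped to the host
    server_ports: set = field(default_factory=set)     # (protocol, port) pairs running a server
    protocols: set = field(default_factory=set)        # non-port protocols the host is known to use
    compromised: bool = False                          # flagged as potentially compromised


@dataclass
class Event:
    src: str
    dst: str
    protocol: str                 # "tcp", "udp", "icmp", ...
    src_port: Optional[int]
    dst_port: Optional[int]
    rule_vulnerabilities: set     # vulnerability ids the triggering rule references


def host_level(addr: str, port: Optional[int], event: Event, netmap: dict, monitored) -> int:
    """Impact level judged from one endpoint's entry in the network map."""
    ip = ipaddress.ip_address(addr)
    if not any(ip in net for net in monitored):
        return 0                      # not on a network monitored by discovery
    host = netmap.get(addr)
    if host is None:
        return 4                      # monitored network, but no entry in the map
    if host.compromised or host.vulnerabilities & event.rule_vulnerabilities:
        return 1
    if event.protocol in PORT_ORIENTED:
        return 2 if (event.protocol, port) in host.server_ports else 3
    return 2 if event.protocol in host.protocols else 3


def impact_level(event: Event, netmap: dict, monitored) -> int:
    """Judge both endpoints, each against the port on its own side; keep the more severe."""
    levels = (host_level(event.src, event.src_port, event, netmap, monitored),
              host_level(event.dst, event.dst_port, event, netmap, monitored))
    return min(levels, key=SEVERITY_ORDER.__getitem__)


# Constructed data: documentation-range addresses and placeholder vulnerability ids.
MONITORED = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]
NETMAP = {
    "192.0.2.10": Host(vulnerabilities={"VULN-A"}, server_ports={("tcp", 80)}, protocols={"icmp"}),
    "192.0.2.20": Host(server_ports={("tcp", 22)}),
    "192.0.2.30": Host(compromised=True),
}
SAMPLE_EVENTS = {
    "rule vuln mapped to target":  Event("203.0.113.5", "192.0.2.10", "tcp", 51000, 80, {"VULN-A"}),
    "target runs server on port":  Event("203.0.113.5", "192.0.2.10", "tcp", 51000, 80, {"VULN-Z"}),
    "port closed on target":       Event("203.0.113.5", "192.0.2.20", "tcp", 51000, 80, {"VULN-Z"}),
    "icmp, target uses protocol":  Event("203.0.113.5", "192.0.2.10", "icmp", None, None, set()),
    "icmp, target lacks protocol": Event("203.0.113.5", "192.0.2.20", "icmp", None, None, set()),
    "target flagged compromised":  Event("203.0.113.5", "192.0.2.30", "tcp", 51000, 445, set()),
    "monitored but unmapped":      Event("203.0.113.5", "192.0.2.77", "tcp", 51000, 80, {"VULN-A"}),
    "neither host monitored":      Event("203.0.113.5", "203.0.113.9", "tcp", 51000, 80, {"VULN-A"}),
}

if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        lvl = impact_level(ev, NETMAP, MONITORED)
        print(f"{name:30s} -> impact {lvl} {IMPACT_LEVELS[lvl]}")
```

The NetFlow caveat above fits this model naturally: a host whose operating system is unknown has no vulnerabilities mapped, so it can never reach level 1 through the vulnerability branch, only through the compromised flag.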
To use the impact level on the table view to evaluate events:
Access:
Admin/Intrusion Admin
Step 1 Select
Analysis > Intrusions > Events
.
The first page of the default intrusion events workflow appears. For information on specifying a different default workflow, see Configuring Event View Settings. If no events appear, you may need to adjust the time range; see Setting Event Time Constraints.
Step 2 Constrain the event view to view only those events that you want to evaluate.
For more information, see Using Drill-Down and Table View Pages.
Step 3 At the top of the page, click
Table View of Events
.
The table view of events appears.
Impact can have any of the values described in the Impact Levels table.
Step 4 To sort the table by impact level, click
Impact
.
The events are sorted by impact level.
Tip To reverse the sort order, click Impact again.
Reading Preprocessor Events
License:
Protection
Preprocessors provide two functions: performing the specified action on the packet (for example, decoding and normalizing HTTP traffic) and reporting the execution of specified preprocessor options by generating an event whenever a packet triggers that preprocessor option and the associated preprocessor rule is enabled (for example, you can enable the Double Encoding HTTP Inspect option and the associated preprocessor rule with the HTTP Inspect generator (GID) 119 and the Snort ID (SID) 2 to generate an event when the preprocessor encounters IIS double-encoded traffic). Generating events to report the execution of preprocessors helps you detect anomalous protocol exploits. For example, attackers can craft overlapping IP fragments to cause a DoS attack on a host. The IP defragmentation preprocessor can detect this type of attack and generate an intrusion event for it.
See the following sections for more information:
Understanding the Preprocessor Event Packet Display
License:
Protection
Preprocessor events differ from rule events in that the packet display does not include a detailed rule description for the event. Instead, the packet display shows the event message, the generator ID, Snort ID, the packet header data, and the packet payload. This allows you to analyze the packet’s header information, determine if its header options are being used and if they can exploit your system, and inspect the packet payload. After the preprocessors analyze each packet, the rules engine executes appropriate rules against it (if the preprocessor was able to defragment it and establish it as part of a valid session) to further analyze potential content-level threats and report on them.
Reading Preprocessor Generator IDs
License:
Protection
Each preprocessor has its own Generator ID number, or GID, that indicates which preprocessor was triggered by the packet. Some of the preprocessors also have related SIDs, which are ID numbers that classify potential attacks. This helps you analyze events more effectively by categorizing the type of event much the way a rule’s Snort ID (SID) can offer context for packets triggering rules. You can list preprocessor rules by preprocessor in the Preprocessors filter group on the intrusion policy Rules page; you can also list preprocessor rules in the preprocessor and packet decoder sub-groupings in the Category filter group. See Tuning Intrusion Policies Using Rules and Table 32-1 for more information.
Note Events generated by standard text rules have a generator ID of 1. The event’s SID indicates which specific rule triggered. For shared object rules, the events have a generator ID of 3 and a SID that indicates which specific rule was triggered.
The following table describes the types of events that generate each GID.
Searching for Intrusion Events
License:
Protection
You can search for specific intrusion events by using a predefined search delivered with the FireSIGHT System or by creating your own search criteria.
The predefined searches serve as examples and can provide quick access to important information about your network. You may want to modify specific fields within the default searches to customize them for your network environment, then save them to reuse later. Keep in mind that your search results depend on the available data in the events you are searching. In other words, depending on the available data, your search constraints may not apply. For example, only intrusion events triggered on decrypted traffic contain SSL information.
Tip For information about the syntax for specifying IP addresses and ports in an intrusion event search, see Specifying IP Addresses in Searches and Specifying Ports in Searches.
For more information on searching, including how to load and delete saved searches, see Searching for Events.
The search criteria you can use are described in the following list:
Priority
Specify the priority of the events you want to view. The priority corresponds to either the value of the priority keyword or the value for the classtype keyword. For other intrusion events, the priority is determined by the decoder or preprocessor. Valid values are high, medium, and low.
Impact
Specify the impact level assigned to the intrusion event based on the correlation between intrusion data and network discovery data. Valid case-insensitive values are Impact 0, Impact Level 0, Impact 1, Impact Level 1, Impact 2, Impact Level 2, Impact 3, Impact Level 3, Impact 4, and Impact Level 4.
Do not use impact icon colors or partial strings (for example, do not use blue, level 1, or 0).
For more information, see Using Impact Levels to Evaluate Events.
Inline Result
Type either:
– dropped, to specify whether the packet is dropped in an inline deployment
– would have dropped, to specify whether the packet would have dropped if the intrusion policy had been set to drop packets in an inline deployment
Note that the system does not drop packets in a passive deployment, including when an inline interface is in tap mode, regardless of the rule state or the inline drop behavior of the intrusion policy.
Source IP
Specify the IP address used by the source host involved in the intrusion events.
Destination IP
Specify the IP address used by the destination host involved in the intrusion events.
Source/Destination IP
Specify the source or destination IP address used by the host whose intrusion events you want to view.
Source Country
Specify the country of the source host involved in the intrusion events.
Destination Country
Specify the country of the destination host involved in the intrusion events.
Source/Destination Country
Specify the country of the source or destination host involved in the intrusion events you want to view.
Source Continent
Specify the continent of the source host involved in the intrusion events.
Destination Continent
Specify the continent of the destination host involved in the intrusion events.
Source/Destination Continent
Specify the continent of the source or destination host involved in the intrusion events you want to view.
Original Client IP
Specify the original client IP address extracted from the X-Forwarded-For (XFF), True-Client-IP, or custom-defined HTTP headers. To extract a value for this field in an intrusion event, you must enable the HTTP preprocessor Extract Original Client IP Address option. Optionally, in the same area of the network analysis policy, you can also specify up to six custom client IP headers, as well as set the priority order in which the system selects the value for the Original Client IP event field. See Selecting Server-Level HTTP Normalization Options for more information.
Protocol
Type the name or number of the transport protocol used in the connection as listed in http://www.iana.org/assignments/protocol-numbers.
Note that there is no Protocol column in the intrusion event table view. This is the protocol associated with the source and destination port/ICMP column.
Source Port / ICMP Type
Specify the source port associated with the intrusion event.
Tip For ICMP traffic, which does not target ports, you can use this field to search for events with specific ICMP types.
Destination Port / ICMP Code
Specify the destination port associated with the intrusion event.
Tip For ICMP traffic, which does not target ports, you can use this field to search for events with specific ICMP codes.
VLAN ID
Specify the innermost VLAN ID associated with the packet that triggered the intrusion event.
MPLS Label
Specify the Multiprotocol Label Switching label of the packet associated with the packet that triggered the intrusion event.
Message
Specify all or part of the event message for the events you want to view.
Classification
Enter the classification number, or all or part of the classification name or description for the rule that generated the events you want to view. You can also enter a comma-separated list of numbers, names, or descriptions. Finally, if you add a custom classification, you can also search using all or part of its name or description. See the Rule Classifications table for a list of classification numbers, names, and descriptions.
Generator
Specify the component that generated the events you want to view, as listed in Table 41-7.
Snort ID
Specify the Snort ID (SID) of the rule that generated the event or, optionally, specify the combination generator ID (GID) and SID of the rule, where the GID and SID are separated with a colon (:) in the format GID:SID. You can specify any of the values in the following table:
Table 41-8 Snort ID Search Values

| Search value | Example |
| --- | --- |
| a single SID | 10000 |
| a SID range | 10000-11000 |
| greater than a SID | >10000 |
| greater than or equal to a SID | >=10000 |
| less than a SID | <10000 |
| less than or equal to a SID | <=10000 |
| a comma-separated list of SIDs | 10000,11000,12000 |
| a single GID:SID combination | 1:10000 |
| a comma-separated list of GID:SID combinations | 1:10000,1:11000,1:12000 |
| a comma-separated list of SIDs and GID:SID combinations | 10000,1:11000,12000 |
For more information, see Reading Preprocessor Generator IDs.
Note that the Snort ID column does not appear in search results; the SID of the events you are viewing is listed in the Message column.
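The search values in Table 41-8 form a small grammar: comma-separated terms, each a SID, a GID:SID pair, an inclusive range, or a comparison. The parser below is an added example, not the FireSIGHT search engine: it compiles a search string into a predicate over (GID, SID) and applies it to a constructed list of rule ids, rejecting malformed terms such as a reversed range. How the product itself tokenises these strings is not documented on the page, so the treatment of whitespace and of a bare GID without SID is the author's choice.

```python
"""Parser for the Snort ID search syntax in Table 41-8."""
import re
from typing import Callable, List, Tuple

_PLAIN = re.compile(r"^(?:(\d+):)?(\d+)$")      # SID, or GID:SID
_RANGE = re.compile(r"^(\d+)-(\d+)$")            # inclusive SID range
_COMPARE = re.compile(r"^(>=|<=|>|<)(\d+)$")     # relative to a SID

Matcher = Callable[[int, int], bool]             # (gid, sid) -> bool


def _parse_term(term: str) -> Matcher:
    term = term.strip()
    if m := _PLAIN.match(term):
        gid, sid = m.group(1), int(m.group(2))
        if gid is None:
            return lambda g, s: s == sid          # any generator with this SID
        want_gid = int(gid)
        return lambda g, s: g == want_gid and s == sid
    if m := _RANGE.match(term):
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            raise ValueError(f"range out of order: {term!r}")
        return lambda g, s: lo <= s <= hi
    if m := _COMPARE.match(term):
        op, bound = m.group(1), int(m.group(2))
        return {
            ">":  lambda g, s: s > bound,
            ">=": lambda g, s: s >= bound,
            "<":  lambda g, s: s < bound,
            "<=": lambda g, s: s <= bound,
        }[op]
    raise ValueError(f"unrecognised Snort ID search term: {term!r}")


def compile_sid_search(query: str) -> Matcher:
    """Turn a search string into a predicate; comma-separated terms are ORed."""
    terms = [_parse_term(t) for t in query.split(",") if t.strip()]
    if not terms:
        raise ValueError("empty Snort ID search")
    return lambda gid, sid: any(t(gid, sid) for t in terms)


def filter_events(query: str, events: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """Keep the (gid, sid) pairs that the search string matches, in order."""
    match = compile_sid_search(query)
    return [(g, s) for g, s in events if match(g, s)]


# Constructed (GID, SID) pairs; the values are illustrative, not real rule ids.
SAMPLE = [(1, 9999), (1, 10000), (1, 10500), (3, 10000), (1, 11000), (119, 2), (1, 12000)]

if __name__ == "__main__":
    for q in ("10000", "10000-11000", ">=10000", "1:10000", "10000,1:11000,12000"):
        print(f"{q:22s} -> {filter_events(q, SAMPLE)}")
```

The single-SID form matches the standard text rule and the shared object rule that share a SID; the GID:SID form is how to pin the search to one generator, which is the distinction Reading Preprocessor Generator IDs explains.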
Source User
Specify the User ID for a user logged in to the source host.
Destination User
Specify the User ID for a user logged in to the destination host.
Source/Destination User
Specify the User ID for a user logged in to the source or destination host.
Application Protocol
Type the name of the application protocol, which represents communications between hosts, detected in the traffic that triggered the intrusion event.
Client
Type the name of the client application, which represents software running on the monitored host detected in the traffic that triggered the intrusion event.
Web Application
Type the name of the web application, which represents the content or requested URL for HTTP traffic detected in the traffic that triggered the intrusion event.
Category, Tag (Application Protocol, Client, Web Application)
Type a category or tag associated with the application detected in the session. Use commas to separate multiple categories or tags. These fields are case-insensitive.
Application Risk
Type the highest risk associated with the application detected in the session. Valid criteria are: Very High, High, Medium, Low, and Very Low. These fields are case-insensitive.
Business Relevance
Type the lowest business relevance associated with an application detected in the session. Valid criteria are: Very High, High, Medium, Low, and Very Low. These fields are case-insensitive.
Security Zone (Ingress, Egress, Ingress/Egress)
Type the name of a security zone associated with the packet that triggered the event. These fields are case-insensitive. See Working with Security Zones.
Device
Type the device name or IP address, or a device group, stack, or cluster name to restrict the search to specific devices where the access control policy was applied. For detailed information on how the FireSIGHT System treats the device field in searches, see Specifying Devices in Searches.
Note that the primary and secondary devices in a stacked configuration report intrusion events separately. See Managing Stacked Devices for more information.
Security Context
Type the name of the security context identifying the virtual firewall group through which the traffic passed. Note that the system only populates this field for ASA FirePOWER devices in multiple context mode.
Interface (Ingress, Egress)
Type the name of an interface associated with the packet that triggered the event; see Configuring Sensing Interfaces.
Intrusion Policy
Type the name of the intrusion policy associated with the event; see Managing Intrusion Policies.
Access Control Policy
Type the name of the access control policy associated with the event; see Managing Access Control Policies.
Access Control Rule
Type the name of the access control rule associated with the event; see Tuning Traffic Flow Using Access Control Rules.
HTTP Hostname
Specify a single host name that was extracted from the HTTP request Host header.
To associate host names with intrusion events for HTTP client traffic, you must enable the HTTP Inspect preprocessor Log Hostname option. See Selecting Server-Level HTTP Normalization Options for more information.
HTTP URI
Specify a single URI associated with the HTTP request packet that triggered the intrusion event.
To associate URIs with intrusion events for HTTP traffic, you must enable the HTTP Inspect preprocessor Log URI option. See Selecting Server-Level HTTP Normalization Options for more information.
Email Sender
Specify the address of the email sender that was extracted from the SMTP MAIL FROM command. You can also enter a comma-separated list to search for events associated with all specified addresses. See Understanding Intrusion Events for more information.
Email Recipient
Specify the address of the email recipient that was extracted from the SMTP RCPT TO command. You can also enter a comma-separated list to search for events associated with all specified addresses. See Understanding Intrusion Events for more information.
Email Attachments
Specify the MIME attachment file name that was extracted from the MIME Content-Disposition header. Enter a comma-separated list to search for events associated with all attachment file names in the list. See Understanding Intrusion Events for more information.
Email Headers
Specify data that was extracted from the email header. Note that email headers do not appear in the table view of intrusion events, but you can use email header data as a search criterion.
To associate email headers with intrusion events for SMTP traffic, you must enable the SMTP preprocessor Log Headers option. See Understanding SMTP Decoding for more information.
Reviewed By
Specify the name of the user who reviewed the event. See Reviewing Intrusion Events.
Tip You can enter unreviewed
to search for events that have not been reviewed.
Special Search Syntax for Intrusion Events
To supplement the general search syntax listed above, the following list describes some special search syntax for intrusion events.
The SSL Actual Action taken
Type any of the following keywords to view intrusion events for encrypted traffic to which the system applied the action specified:
– Do Not Decrypt represents connections the system did not decrypt.
– Block and Block with Reset represent blocked encrypted connections.
– Decrypt (Known Key) represents incoming connections decrypted using a known private key.
– Decrypt (Replace Key) represents outgoing connections decrypted using a self-signed server certificate with a substituted public key.
– Decrypt (Resign) represents outgoing connections decrypted using a re-signed server certificate.
This column does not appear in the intrusion events table view.
The SSL Failure Reason
Type any of the following keywords to view intrusion events for encrypted traffic that the system failed to decrypt for the reason specified:
– Unknown
– No Match
– Success
– Uncached Session
– Unknown Cipher Suite
– Unsupported Cipher Suite
– Unsupported SSL Version
– SSL Compression Used
– Session Undecryptable in Passive Mode
– Handshake Error
– Decryption Error
– Pending Server Name Category Lookup
– Pending Common Name Category Lookup
– Internal Error
– Network Parameters Unavailable
– Invalid Server Certificate Handle
– Server Certificate Fingerprint Unavailable
– Cannot Cache Subject DN
– Cannot Cache Issuer DN
– Unknown SSL Version
– External Certificate List Unavailable
– External Certificate Fingerprint Unavailable
– Internal Certificate List Invalid
– Internal Certificate List Unavailable
– Internal Certificate Unavailable
– Internal Certificate Fingerprint Unavailable
– Server Certificate Validation Unavailable
– Server Certificate Validation Failure
– Invalid Action
This column does not appear in the intrusion events table view.
The SSL Subject Country
Type a two-character ISO 3166-1 alpha-2 country code to view intrusion events for encrypted traffic associated with the country of a certificate subject.
This column does not appear in the intrusion events table view.
The SSL Issuer Country
Type a two-character ISO 3166-1 alpha-2 country code to view intrusion events for encrypted traffic associated with the country of a certificate issuer.
This column does not appear in the intrusion events table view.
SSL Certificate Fingerprint
Type or paste the SHA hash value used to authenticate a certificate to view intrusion events for traffic associated with that certificate.
This column does not appear in the intrusion events table view.
SSL Public Key Fingerprint
Type or paste the SHA hash value used to authenticate the public key contained within a certificate to view intrusion events for traffic associated with that certificate.
This column does not appear in the intrusion events table view.
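As an added illustration (not FireSIGHT code), the following Python filter applies the search semantics documented above to a constructed set of exported event records: comma-separated address lists match any listed value, unreviewed selects events with no reviewer, country codes must be ISO 3166-1 alpha-2, and SSL Actual Action accepts only the documented keywords. Case-insensitive matching of addresses and country codes, and exact matching for all other fields, are assumptions of this example.

```python
import re
# Constructed sample event records (not real FireSIGHT data); keys mirror search fields.
EVENTS = [
    {"id": 1, "Email Sender": "alice@example.com", "Reviewed By": "",
     "SSL Actual Action": "Decrypt (Resign)", "SSL Subject Country": "US"},
    {"id": 2, "Email Sender": "bob@example.net", "Reviewed By": "analyst1",
     "SSL Actual Action": "Do Not Decrypt", "SSL Subject Country": "DE"},
    {"id": 3, "Email Sender": "carol@example.org", "Reviewed By": "",
     "SSL Actual Action": "Block", "SSL Subject Country": "US"},
]
SSL_ACTIONS = {"Do Not Decrypt", "Block", "Block with Reset", "Decrypt (Known Key)",
               "Decrypt (Replace Key)", "Decrypt (Resign)"}  # documented keywords
LIST_FIELDS = ("Email Sender", "Email Recipient", "Email Attachments")
COUNTRY_FIELDS = ("SSL Subject Country", "SSL Issuer Country")

def normalize(field, value):  # case rules for stored and searched values (assumed)
    if field in LIST_FIELDS:
        return value.lower()
    if field in COUNTRY_FIELDS:
        return value.upper()
    return value

def parse_criteria(raw):
    """Map each non-empty search field to the set of values it accepts."""
    criteria = {}
    for field, value in raw.items():
        value = value.strip()
        if not value:
            continue  # an empty field places no constraint on the search
        if field in LIST_FIELDS:  # comma-separated list: any listed value matches
            criteria[field] = {normalize(field, v.strip()) for v in value.split(",") if v.strip()}
        elif field == "Reviewed By":  # special keyword 'unreviewed' = no reviewer recorded
            criteria[field] = {""} if value.lower() == "unreviewed" else {value}
        elif field in COUNTRY_FIELDS:  # must be a two-letter ISO 3166-1 alpha-2 code
            if not re.fullmatch(r"[A-Za-z]{2}", value):
                raise ValueError(f"{field}: expected ISO 3166-1 alpha-2 code, got {value!r}")
            criteria[field] = {value.upper()}
        elif field == "SSL Actual Action":  # only the documented keywords are valid
            if value not in SSL_ACTIONS:
                raise ValueError(f"{field}: unknown keyword {value!r}")
            criteria[field] = {value}
        else:
            criteria[field] = {value}  # other fields: exact match (assumed)
    return criteria

def search(events, raw):
    """Return ids of events satisfying every field in raw (fields are ANDed)."""
    crit = parse_criteria(raw).items()
    return [ev["id"] for ev in events if all(normalize(f, ev.get(f, "")) in ok for f, ok in crit)]
```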
To search for intrusion events:
Access: Admin/Intrusion Admin
Step 1 Select Analysis > Search.
The Intrusion Events search page appears.
You can also click Search while viewing lists of intrusion events (Analysis > Intrusions > Events).
Step 2 Enter your search criteria in the appropriate fields, as described in the list above the procedure.
Step 3 Optionally, if you plan to save the search, you can select the Private check box to save the search as private so only you can access it. Otherwise, leave the check box clear to save the search for all users.
Tip If you want to use the search as a data restriction for a custom user role, you must save it as a private search.
Step 4 Optionally, you can save the search to be used again in the future. You have the following options:
- Click Save to save the search criteria.
For a new search, a dialog box appears prompting for the name of the search; enter a unique search name and click Save. If you save new criteria for a previously existing search, no prompt appears. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
- Click Save as New to save a new search or assign a name to a search you created by altering a previously saved search.
A dialog box appears prompting for the name of the search; enter a unique search name and click Save. The search is saved (and visible only to your account if you selected Private) so that you can run it at a later time.
Step 5 Click Search to start the search.
Your search results appear in the default intrusion events workflow, constrained by the current time range. For information on specifying a different default workflow, see Configuring Event View Settings.
Using the Clipboard
License: Protection
The clipboard is a holding area where you can copy intrusion events from any of the intrusion event views. For information on how to add events to the clipboard, see Using Drill-Down and Table View Pages and Using the Packet View.
The contents of the clipboard are sorted by the date and time that the events were generated. After you add intrusion events to the clipboard, you can delete them from the clipboard as well as generate reports on the contents of the clipboard.
You can also add intrusion events from the clipboard to incidents, which are compilations of events that you suspect are involved in a possible violation of your security policies. For more information about adding events from the clipboard to an incident, see Creating an Incident.
See the following sections for more information:
Generating Clipboard Reports
License: Protection
You can generate a report for the events on the clipboard just as you would from any of the event views.
To generate a report on intrusion events from the clipboard:
Access: Admin/Intrusion Admin
Step 1 Add one or more events to the clipboard.
Step 2 Select Analysis > Intrusions > Clipboard.
The clipboard appears.
Step 3 You have the following options:
- To include specific events from a page on the clipboard, navigate to that page, select the check box next to the events, and click Generate Report.
- To include all the events from the clipboard, click Generate Report All.
In either case, the Report Templates page appears.
Step 4 Specify how you want your report to look, then click Generate.
The Generate Report pop-up dialog appears.
Step 5 Select one or more output formats (HTML, PDF, CSV) and, optionally, modify any of the other settings.
Tip For more information about using the Report Designer, see Working with Reports.
Step 6 Click Generate, then click Yes.
The Report Generation Complete pop-up window appears with a link to view your report.
Step 7 Click either:
- a report link, which opens a new window to display the report you selected.
- OK to return to the Report Templates page where you can modify your report design.
Deleting Events from the Clipboard
License: Protection
If you have intrusion events on the clipboard that you do not want to add to an incident, you can delete the events.
Note Deleting an event from the clipboard does not delete the event from the event database. However, deleting an event from the event database does delete the event from the clipboard.
To delete events from the clipboard:
Access: Admin/Intrusion Admin
Step 1 Select Analysis > Intrusions > Clipboard.
The clipboard appears.
Step 2 You have the following options:
- To delete specific intrusion events from a page on the clipboard, navigate to the page, select the check box next to the events, and click Delete.
The events are deleted.
- To delete all the intrusion events from the clipboard, click Delete All.
All the events are deleted from the clipboard. Note that if you select the Confirm 'All' Actions option in the Event Preferences, you are first prompted to confirm that you want to delete all the events.