IPS event query ** Help needed badly**

Unanswered Question
Sep 24th, 2007

Greetings all. Apologies for the dramatic headline but I'm in a bit of a time crunch.

I have a 4215 running 6.0(3)E1. The device is inline. Below is an event which triggered,

========================

evIdsAlert: eventId=1184881408377311643 severity=low vendor=Cisco
  originator:
    hostId: xyz
    appName: sensorApp
    appInstanceId: 380
  time: 2007/09/24 15:11:25 2007/09/24 15:11:25 UTC
  signature: description=Recognized content type id=12673 version=S149
    subsigId: 0
    sigDetails: Recognized content type
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=any a.a.a.a
      port: 80
    target:
      addr: locality=any b.b.b.b
      port: 51095
      os: idSource=unknown relevance=relevant type=unknown
  actions:
    deniedFlow: true
  context:
    fromAttacker: <stuff>
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 50
  threatRatingValue: 15
  interface: fe2_1
  protocol: tcp

========================

I have an external application which pulls this same event from the sensor using a query *like* the following:

wget --user foo --password hoo http://a.b.c.d/cgi-bin/event-server?events=evAlert

I'm able to pull most of the event information but not all. What I can't seem to get from the query is the "deniedFlow: true" value. I'm seeing something like:

></attack></participants><actions></actions></evAlert>

Notice the "deniedFlow: true" information is missing between the action tags.

Is my wget-ish query missing some arguments which are preventing me from pulling all the same information I can see from the CLI?

Thanks in advance.
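A small consumer for the event-server response, added here as an example and not part of the original post or of any Cisco tool. It assumes an unnamespaced XML layout whose element names mirror the field names in the CLI dump above (evAlert > participants > attacker/target, evAlert > actions > deniedFlow); the two sample documents are constructed, one reproducing the empty `<actions></actions>` the poster sees and one with the inline action present. The point it makes is that a missing deniedFlow element must surface as "unknown" rather than silently becoming "not denied", otherwise a downstream report will show dropped flows as allowed.

```python
"""Parse evAlert XML from the IPS event-server CGI and report whether the
'deniedFlow' action is present.  Example code, not the sensor's own schema;
element layout below is an assumption based on the CLI field names."""
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample 1: what the poster sees, an empty <actions> element.
SAMPLE_EMPTY_ACTIONS = """<evAlert eventId="1184881408377311643" severity="low" vendor="Cisco">
  <signature id="12673" version="S149">Recognized content type</signature>
  <participants>
    <attacker><addr locality="any">a.a.a.a</addr><port>80</port></attacker>
    <target><addr locality="any">b.b.b.b</addr><port>51095</port></target>
  </participants>
  <actions></actions>
</evAlert>"""

# Constructed sample 2: the same alert with the inline action recorded.
SAMPLE_DENIED = """<evAlert eventId="1184881408377311643" severity="low" vendor="Cisco">
  <signature id="12673" version="S149">Recognized content type</signature>
  <participants>
    <attacker><addr locality="any">a.a.a.a</addr><port>80</port></attacker>
    <target><addr locality="any">b.b.b.b</addr><port>51095</port></target>
  </participants>
  <actions><deniedFlow>true</deniedFlow></actions>
</evAlert>"""


def parse_alert(xml_text: str) -> dict:
    """Extract the fields a downstream tool needs.  'denied_flow' is tri-state:
    True/False when the element is present, None when the feed omitted it."""
    root = ET.fromstring(xml_text)
    if root.tag != "evAlert":
        raise ValueError(f"unexpected root element {root.tag!r}")

    def text(path: str) -> Optional[str]:
        el = root.find(path)
        return el.text.strip() if el is not None and el.text else None

    denied: Optional[bool] = None
    denied_el = root.find("actions/deniedFlow")
    if denied_el is not None:
        denied = (denied_el.text or "").strip().lower() == "true"

    sig = root.find("signature")
    return {
        "event_id": root.get("eventId"),
        "severity": root.get("severity"),
        "sig_id": sig.get("id") if sig is not None else None,
        "attacker": (text("participants/attacker/addr"), text("participants/attacker/port")),
        "target": (text("participants/target/addr"), text("participants/target/port")),
        "denied_flow": denied,
    }


def actions_missing(parsed: dict) -> bool:
    """True when the feed carried no action information at all (the symptom in
    the post).  Treat this as 'unknown', never as 'flow was allowed'."""
    return parsed["denied_flow"] is None


if __name__ == "__main__":
    for label, doc in (("empty actions", SAMPLE_EMPTY_ACTIONS), ("denied", SAMPLE_DENIED)):
        info = parse_alert(doc)
        state = "UNKNOWN (actions missing)" if actions_missing(info) else info["denied_flow"]
        print(f"{label}: event {info['event_id']} sig {info['sig_id']} "
              f"{info['attacker']} -> {info['target']} deniedFlow={state}")
```

Running the block prints one line per sample; the first reports deniedFlow as UNKNOWN because the element is absent, the second reports True. A collector that fed the first result into a dashboard with a default of False would be the quiet failure mode the poster is trying to avoid.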

gdntsoc Mon, 09/24/2007 - 07:55

That solved it. Thank you very much, James. I appreciate it.
