IPS event query ** Help needed badly**

gdntsoc
Level 1

Greetings all. Apologies for the dramatic headline but I'm in a bit of a time crunch.

I have a 4215 running 6.0(3)E1. The device is inline. Below is an event which triggered,

========================
evIdsAlert: eventId=1184881408377311643 severity=low vendor=Cisco
  originator:
    hostId: xyz
    appName: sensorApp
    appInstanceId: 380
  time: 2007/09/24 15:11:25 2007/09/24 15:11:25 UTC
  signature: description=Recognized content type id=12673 version=S149
    subsigId: 0
    sigDetails: Recognized content type
    marsCategory: Info/Misc
  interfaceGroup: vs0
  vlan: 0
  participants:
    attacker:
      addr: locality=any a.a.a.a
      port: 80
    target:
      addr: locality=any b.b.b.b
      port: 51095
      os: idSource=unknown relevance=relevant type=unknown
  actions:
    deniedFlow: true
  context:
    fromAttacker: <stuff>
  riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 50
  threatRatingValue: 15
  interface: fe2_1
  protocol: tcp
========================

I have an external application which pulls this same event from the sensor using a query *like* the following,

wget --user foo --password hoo http://a.b.c.d/cgi-bin/event-server?events=evAlert

I'm able to pull most of the event information but not all. What I can't seem to get from the query is the "deniedFlow: true" value. I'm seeing something like,

></attack></participants><actions></actions></evAlert>

Notice the "deniedFlow: true" information is missing between the actions tags.

Is my wget-ish query missing some arguments which is preventing me from pulling all the same information I can see from the CLI?

Thanks in advance.

2 Replies

jamesand
Cisco Employee

The problem is that you are using the 5.x-style event-server and so you do not see all of the event fields. You need to change the app to pull from the "sdee-server" and then you will see all of the event fields:

http://a.b.c.d/cgi-bin/sdee-server?events=evAlert
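To show what the switch from event-server to sdee-server buys the external application, here is an added example (not code from this thread or from Cisco) that queries the sdee-server CGI with basic auth and parses the returned alerts, pulling out the participants and the actions/deniedFlow flag the poster was missing. The XML element names are an assumption modelled on the CLI dump in the question; a real sensor's SDEE response is namespaced and richer, so the tag paths need adjusting to what your sensor actually returns. The two embedded documents are constructed: one carries the deniedFlow action, the other has the empty actions element the 5.x-style endpoint produced.

```python
"""Fetch IPS alerts from the sensor's SDEE endpoint and extract the fields
worth forwarding, including actions/deniedFlow.

Added example, not code from the thread. Element names are an assumption
modelled on the CLI dump in the question; adjust for a real sensor's SDEE.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed SDEE-style response (assumption, modelled on the poster's dump).
SAMPLE_SDEE = """<?xml version="1.0"?>
<events>
  <evIdsAlert eventId="1184881408377311643" severity="low" vendor="Cisco">
    <originator><hostId>xyz</hostId><appName>sensorApp</appName></originator>
    <time>2007/09/24 15:11:25 UTC</time>
    <signature id="12673" version="S149" description="Recognized content type">
      <subsigId>0</subsigId>
    </signature>
    <participants>
      <attacker><addr locality="any">a.a.a.a</addr><port>80</port></attacker>
      <target><addr locality="any">b.b.b.b</addr><port>51095</port></target>
    </participants>
    <actions><deniedFlow>true</deniedFlow></actions>
    <riskRatingValue>50</riskRatingValue>
    <interface>fe2_1</interface>
    <protocol>tcp</protocol>
  </evIdsAlert>
</events>
"""

# Constructed stand-in for what the 5.x-style event-server returned for the
# same event: the actions element is present but empty.
SAMPLE_LEGACY = SAMPLE_SDEE.replace(
    "<actions><deniedFlow>true</deniedFlow></actions>", "<actions></actions>")


def fetch_events(base_url, user, password, events="evAlert"):
    """Query the sdee-server CGI (the URL James gives) with HTTP basic auth.

    base_url is e.g. "https://a.b.c.d" (hypothetical address from the thread).
    Network call, not exercised offline; returns the raw XML as text.
    """
    url = f"{base_url}/cgi-bin/sdee-server?events={events}"
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_alerts(xml_text):
    """Return one dict per evIdsAlert with the fields the poster needed."""
    root = ET.fromstring(xml_text)
    alerts = []
    for ev in root.iter("evIdsAlert"):
        def text(path):
            node = ev.find(path)
            return node.text if node is not None else None

        sig = ev.find("signature")
        actions = ev.find("actions")
        denied = actions.find("deniedFlow") if actions is not None else None
        alerts.append({
            "eventId": ev.get("eventId"),
            "severity": ev.get("severity"),
            "sigId": sig.get("id") if sig is not None else None,
            "attacker": (text("participants/attacker/addr"),
                         text("participants/attacker/port")),
            "target": (text("participants/target/addr"),
                       text("participants/target/port")),
            # True only when the sensor reports it actually denied the flow;
            # an absent or empty actions element means no block was recorded.
            "deniedFlow": denied is not None
                          and (denied.text or "").strip().lower() == "true",
            "riskRating": int(text("riskRatingValue") or 0),
        })
    return alerts


if __name__ == "__main__":
    for label, doc in (("sdee-server", SAMPLE_SDEE), ("event-server", SAMPLE_LEGACY)):
        for a in parse_alerts(doc):
            print(f"{label}: event {a['eventId']} sig {a['sigId']} "
                  f"{a['attacker']} -> {a['target']} deniedFlow={a['deniedFlow']}")
```

Running the script parses both constructed documents: the sdee-server style document yields deniedFlow=True, the event-server style one yields False, which is the difference that matters if the external application is deciding whether an alert was blocked inline or needs a human to look at it.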

That solved it. Thank you very much, James. I appreciate it.
