Cisco Support Community
Gold

explanation of event context

I don't quite understand the context that is sometimes included with events. The event in particular I was looking at is 5442-0.

First of all, what determines whether context is included with an event? The action for this particular signature is "produce alert".

Secondly, what is supposed to be contained in this contextual information? The context data for the 5442-0 event certainly didn't seem to contain what the regex was looking for. Should it?

TIA,

Matt

4 REPLIES
Silver

Re: explanation of event context

The context buffer just displays extra information the sensor sees in the payload of the packet. Sometimes this information is legible (if clear text) or it can be junk (if the data is encrypted). The info in the context buffer can give you a little more info to decide what is happening... I do not know why sub sig 0 of the Cursor/Icon File Format Buffer Overflow signature is firing though... I would need more info.

Gold

Re: explanation of event context

"The context buffer just displays extra information the sensor sees in the payload of the packet."

I understand that. What I'm looking for is specifics. Is this in a manual somewhere (if so, a quick rtfm and I'll be on my way)? Otherwise, I'd like someone from Cisco to explain how this works.

"or it can be junk (if the data is encrypted)"

If the data were encrypted, the sensor wouldn't be able to do much in terms of inspection. In any event, this is normal HTTP so shouldn't the regex be somewhere in the context?

Silver

Re: explanation of event context

Yes, the regex should be somewhere in the context buffer. Since this signature is an Atomic.TCP signature, the sig fires when the regex is matched and the destination or source port is 80 or 443. What is your context buffer showing?

Silver

Re: explanation of event context

Actually, I checked and it is a TCP.String sig... If the appropriate regex is matched in the TCP Stream, then the sig will fire. If you turn on IP logging, then you should see the regex over several packets. The alarm that fired probably only contains a portion of the regex.
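As an added illustration of the last point above (example code written for this page, not from the thread or from Cisco): a TCP.String signature matches against the reassembled stream, so a single packet's context buffer may hold only a fragment of the pattern. The segments and the regex below are constructed stand-ins; the actual 5442-0 pattern is not shown on the page.

```python
import re

# Constructed TCP segments (not captured traffic): an HTTP request in which
# the pattern of interest straddles segment boundaries.
SEGMENTS = [
    b"GET /images/cur",
    b"sor.cur HTTP/1.1\r\nHost: example.test\r\n",
    b"Content-Type: image/x-ic",
    b"on\r\n\r\n",
]

# Hypothetical regex standing in for the signature's pattern.
PATTERN = re.compile(rb"image/x-icon")


def match_per_packet(segments, pattern):
    """Inspect each segment on its own, as a single-packet view would.
    Returns the indexes of segments that contain the whole pattern."""
    return [i for i, seg in enumerate(segments) if pattern.search(seg)]


def match_stream(segments, pattern):
    """Reassemble the stream (assumed in order with no gaps), run the regex
    over it, and report which segments the match spans and the bytes each
    one contributes, i.e. what each packet's context buffer could show."""
    stream = b"".join(segments)
    m = pattern.search(stream)
    if not m:
        return None
    # Map the absolute match offsets back onto the segment boundaries.
    spans, offset = [], 0
    for i, seg in enumerate(segments):
        lo, hi = max(m.start(), offset), min(m.end(), offset + len(seg))
        if lo < hi:
            spans.append((i, stream[lo:hi]))
        offset += len(seg)
    return spans


if __name__ == "__main__":
    print("per-packet hits:", match_per_packet(SEGMENTS, PATTERN))   # []
    print("stream match spans:", match_stream(SEGMENTS, PATTERN))
```

Per-packet inspection finds nothing, while the stream match spans segments 2 and 3, which is why an alert's context buffer may show only part of the regex and IP logging over several packets shows the whole.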
