Cisco Support Community

New Member

IPS event query ** Help needed badly**

Greetings all. Apologies for the dramatic headline but I'm in a bit of a time crunch.

I have a 4215 running 6.0(3)E1. The device is inline. Below is an event which triggered:

========================

evIdsAlert: eventId=1184881408377311643 severity=low vendor=Cisco

originator:

hostId: xyz

appName: sensorApp

appInstanceId: 380

time: 2007/09/24 15:11:25 2007/09/24 15:11:25 UTC

signature: description=Recognized content type id=12673 version=S149

subsigId: 0

sigDetails: Recognized content type

marsCategory: Info/Misc

interfaceGroup: vs0

vlan: 0

participants:

attacker:

addr: locality=any a.a.a.a

port: 80

target:

addr: locality=any b.b.b.b

port: 51095

os: idSource=unknown relevance=relevant type=unknown

actions:

deniedFlow: true

context:

fromAttacker: <stuff>

riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 50

threatRatingValue: 15

interface: fe2_1

protocol: tcp

========================

I have an external application which pulls this same event from the sensor using a query *like* the following:

wget --user foo --password hoo http://a.b.c.d/cgi-bin/event-server?events=evAlert

I'm able to pull most of the event information but not all. What I can't seem to get from the query is the "deniedFlow: true" value. I'm seeing something like:

></attack></participants><actions></actions></evAlert>

Notice that the "deniedFlow: true" information is missing between the actions tags.

Is my wget-ish query missing some arguments which are preventing me from pulling all the same information I can see from the CLI?

Thanks in advance.

2 REPLIES
Cisco Employee

Re: IPS event query ** Help needed badly**

The problem is that you are using the 5.x-style event-server and so you do not see all of the event fields. You need to change the app to pull from the "sdee-server" and then you will see all of the event fields:

http://a.b.c.d/cgi-bin/sdee-server?events=evAlert
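The following is an added example, not code from the thread or from Cisco: it fetches the event feed with the same basic-auth GET the poster's wget issues (defaulting to sdee-server rather than event-server), parses the returned XML, and flags any alert whose actions block carries no deniedFlow value, which is exactly the symptom of querying the 5.x-style event-server. The two XML samples are constructed to mirror the CLI event in the post; the element names, the namespace URIs and the shape of the 6.x SDEE output are assumptions, which is why the parser matches on local element names and ignores namespaces entirely.

```python
"""Pull IDS events from a Cisco IPS sensor and check that the 'deniedFlow'
action field came through (added example, not code from the thread)."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample shaped like the CLI event in the post.  Element names
# follow the CLI field names; the namespaces are placeholders, not the
# sensor's real ones, and the parser below ignores them on purpose.
SDEE_SAMPLE = """<sd:events xmlns:sd="urn:example:sdee" xmlns:cid="urn:example:cidee">
  <sd:evIdsAlert eventId="1184881408377311643" severity="low" vendor="Cisco">
    <sd:originator><sd:hostId>xyz</sd:hostId><cid:appName>sensorApp</cid:appName></sd:originator>
    <sd:time>2007/09/24 15:11:25 UTC</sd:time>
    <sd:signature description="Recognized content type" id="12673" version="S149"/>
    <sd:participants>
      <sd:attacker><sd:addr locality="any">a.a.a.a</sd:addr><sd:port>80</sd:port></sd:attacker>
      <sd:target><sd:addr locality="any">b.b.b.b</sd:addr><sd:port>51095</sd:port></sd:target>
    </sd:participants>
    <sd:actions><cid:deniedFlow>true</cid:deniedFlow></sd:actions>
    <cid:riskRatingValue>50</cid:riskRatingValue>
    <cid:protocol>tcp</cid:protocol>
  </sd:evIdsAlert>
</sd:events>
"""

# Constructed sample of what the poster saw from the 5.x event-server:
# the same event, but the actions element comes back empty.
EVENT_SERVER_SAMPLE = SDEE_SAMPLE.replace(
    "<sd:actions><cid:deniedFlow>true</cid:deniedFlow></sd:actions>",
    "<sd:actions></sd:actions>")


def _local(tag):
    """Strip an XML namespace: '{urn:x}deniedFlow' -> 'deniedFlow'."""
    return tag.rsplit("}", 1)[-1]


def _first(parent, name):
    """First descendant of parent whose local tag name is `name`, or None."""
    return next((c for c in parent.iter() if _local(c.tag) == name), None)


def parse_alerts(xml_text):
    """Return one dict per evIdsAlert/evAlert element in the feed.

    'deniedFlow' is True/False when the actions block carries the field and
    None when it does not, so an incomplete feed is visible to the caller.
    """
    alerts = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) not in ("evIdsAlert", "evAlert"):
            continue
        sig = _first(el, "signature")
        denied = _first(el, "deniedFlow")
        rec = {"eventId": el.get("eventId"), "severity": el.get("severity"),
               "sigId": sig.get("id") if sig is not None else None,
               "deniedFlow": None if denied is None
               else (denied.text or "").strip().lower() == "true"}
        for side in ("attacker", "target"):
            node = _first(el, side)
            addr = _first(node, "addr") if node is not None else None
            port = _first(node, "port") if node is not None else None
            rec[side] = (addr.text if addr is not None else None,
                         port.text if port is not None else None)
        alerts.append(rec)
    return alerts


def missing_action_fields(alerts):
    """eventIds of alerts with no deniedFlow value: the sign that the feed
    came from the 5.x-style event-server instead of sdee-server."""
    return [a["eventId"] for a in alerts if a["deniedFlow"] is None]


def fetch_events(sensor, user, password, server="sdee-server", events="evAlert"):
    """GET http://<sensor>/cgi-bin/<server>?events=<events> with basic auth,
    mirroring the wget in the post.  Use 'sdee-server' on 6.x; the 5.x
    'event-server' omits fields such as deniedFlow.  (Network call; not
    exercised offline.)"""
    url = f"http://{sensor}/cgi-bin/{server}?events={events}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for label, text in (("sdee-server", SDEE_SAMPLE),
                        ("event-server", EVENT_SERVER_SAMPLE)):
        parsed = parse_alerts(text)
        print(label, parsed[0]["deniedFlow"], "missing:", missing_action_fields(parsed))
```

Run against a live sensor by replacing the samples with `fetch_events("a.b.c.d", "foo", "hoo")`; if `missing_action_fields` returns anything, the application is still hitting the old event-server path (or the sensor is not emitting the field), and the deny action should not be assumed from the rest of the record.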

New Member

Re: IPS event query ** Help needed badly**

That solved it. Thank you very much, James. I appreciate it.
