Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Attacker definition in IDIOM

We are building a database to store the event alert information from the xml log files. According to IDIOM, each event alert can have multiple attacks in it. By an attack, I refer to a set of an attacker and 1/more victims. However, I havent seen any event alert that consists of more than 1 attack in my test database that has 1.8 million alerts so far.

If anyone can confirm whether an event alert can have multiple attacks, it'll be very helpful especially in determining an efficient design for the database.

Thanks,

Rusma

2 REPLIES
Community Member

Re: Attacker definition in IDIOM

I've seen it in the Security Monitor Event Viewer display of the context data, but not in the IDIOMs that I email myself.

My real complaint is that the attacker/victim data is in base64 and is unreadable when extracted through the IdsAlarms.exe utility. Does anyone know how to deal with that?

Community Member

Re: Attacker definition in IDIOM

Thanks for the confirmation.

As for the base64 problem, I use a simple script to read it. And, it seems that the new IDM event viewer (4.1) display the base64 data in both ascii and hex format.

104
Views
0
Helpful
2
Replies
CreatePlease to create content