Receive an alert for IIS Double Decode Error. Okay, is it a false positive or a real event?
The ONLY way for me to tell in the present CSPM system is to look at the Context Buffers associated with this alert. Those buffers will tell me what the offending URL looks like.
But guess what, this context data is only available through the CSPM's event viewer or after having run cvtrlog.exe on the CSPM database.
This does not help me in my alerting process, because I want that data available to me along with the alert itself.
CSPM does not allow for real time database connectivity. cvtrlog.exe can apparently extract the context buffers and make them available to your database... but I would have to run cvtrlog.exe in an almost _continuous_ fashion just so I can get access to this information.
Is Cisco going to provide real time database capability? And are they going to pump context data into that database also?
Why not allow us access to the CSPM database as is? How proprietary can it be?
To me, it's a very real problem. My currently open TAC case has not yielded any joy.
Does anyone else think this is a real problem? I know that if I get a bunch of these alerts at 2am, I'm not going to get online to my corp network just to check context buffers... I'd prefer to have that information sent to me directly.
I agree completely with this. CSPM does not provide the information that a security analyst needs to identify real threats. Database connection should be a no-brainer for Cisco...after all, they have "partners" who provide expensive software packages that interface with their system. For the money this stuff is going for we should have at least the functionality that all the freeware IDS systems have out there.