Cisco Cisco FirePOWER Appliance 7115
Version 5.3
Sourcefire 3D System User Guide
1454
Working with Discovery Events
Working with Discovery and Host Input Events
Chapter 35
names of the event types can help you craft more effective event searches.
Descriptions of the different types of discovery events follow.
Additional MAC Detected for Host
This event is generated when the system detects a new MAC address for a
previously discovered host.
This event is often generated when the system detects hosts passing traffic
This event is often generated when the system detects hosts passing traffic
through a router. While each host has a different IP address, they all appear to
have the MAC address associated with the router. When the system detects
the actual MAC address associated with the IP address, it displays the MAC
address in bold text within the host profile and displays an “ARP/DHCP
detected” message within the event description in the event view.
Client Timeout
This event is generated when the system drops a client from the database
due to inactivity.
Client Update
This event is generated when the system detects a payload (that is, a specific
type of content, such as audio, video, or webmail) in HTTP traffic.
DHCP: IP Address Changed
This event is generated when the system detects that a host IP address has
changed due to DHCP address assignment.
DHCP: IP Address Reassigned
This event is generated when a host is reusing an IP address; that is, when a
host obtains an IP address formerly used by another physical host due to
DHCP IP address assignment.
Hops Change
This event is generated when the system detects a change in the number of
network hops between a host and the device that detects the host.
This may happen if the device sees host traffic through different routers and
This may happen if the device sees host traffic through different routers and
is able to make a better determination of the host’s location. This may also
happen if the device detects an ARP transmission from the host, indicating
that the host is on a local segment.
Host Deleted: Host Limit Reached
This event is generated when the host limit on the Defense Center is
exceeded and a monitored host is deleted from the Defense Center’s
network map.