Cisco Cisco Firepower Management Center 2000 Entwickleranleitung
2-17
FireSIGHT System Database Access Guide
Chapter 2 Setting Up Database Access
Sample Queries
DESCLIMIT 0, 25;
Intrusion Events and Their Associated Policies
The following query lists intrusion events from the specified week. For each event it shows the
associated intrusion policy violation and rule classification.
associated intrusion policy violation and rule classification.
SELECT FROM_UNIXTIME(event_time_sec) AS event_time, event_id AS intrusion_event,
intrusion_event_policy_name
AS policy, rule_classification AS classification
FROM intrusion_event
WHERE event_time_sec BETWEEN UNIX_TIMESTAMP(’2011-10-01 00:00:00’) AND
UNIX_TIMESTAMP(’2011-10-07 23:59:59’)
ORDER BY policy ASC;
Lists of Detected Hosts
The following query returns the basic information in the hosts network map for all MAC hosts (hosts
without an IP address) detected on your network, along with the hardware vendor for each NIC:
without an IP address) detected on your network, along with the hardware vendor for each NIC:
SELECT HEX(mac_address), mac_vendor, host_type, FROM_UNIXTIME(last_seen_sec)
FROM rna_mac_host;
The following query maps IP addresses to MAC addresses:
SELECT HEX(ipaddr), HEX(mac_address), HEX(host_id)
FROM rna_host_ip_map LEFT JOIN rna_host_mac_map on
rna_host_ip_map.host_id=rna_host_mac_map.host_id;
List of Detected Servers
The following query joins two related tables to give you a list of the servers detected on your network
along with many of their attributes, similar to what you can see in a table view of servers on the Defense
Center’s web interface:
along with many of their attributes, similar to what you can see in a table view of servers on the Defense
Center’s web interface:
SELECT FROM_UNIXTIME(s.last_used_sec), HEX(s.host_id), s.port, s.protocol, s.hits,
i.service_name, i.vendor, i.version, i.source_type, s.confidence
FROM AS s
LEFT JOIN _info AS i ON (s.host_id = i.host_id AND s.port = i.port AND s.protocol =
i.protocol);
Note that this query left joins the tables on the set of
host_id
,
port
, and
protocol
, as required by
Database Access. See
.
Server Vulnerabilities on Your Network
The following query joins two vulnerability-related tables to give you a list of valid server-related
vulnerabilities detected for a particular host, along with whether each vulnerability is exploitable across
a network:
vulnerabilities detected for a particular host, along with whether each vulnerability is exploitable across
a network:
SELECT h.rna_vuln_id, v.title, v.remote
FROM rna_host_service_vulns AS h
LEFT JOIN rna_vuln AS v ON (h.rna_vuln_id = v.rna_vuln_id)