FireSIGHT System User Guide
Chapter 17 Introduction to Intrusion Prevention
For example, if the packet decoder receives an IP packet that is less than 20 bytes (which is the size of 
an IP datagram without any options or payload), the decoder interprets this as anomalous traffic and, 
when the accompanying decoder rule is enabled, generates an event. Similarly, at the preprocessing step, 
if the IP defragmentation preprocessor encounters a series of overlapping IP fragments, the preprocessor 
interprets this as a possible attack and, when the accompanying preprocessor rule is enabled, generates 
an event. The same kind of response occurs within the rules engine, with most rules written so that they 
also generate events when triggered by packets.
Each event in the database includes two sources of information about the potential attack. The first is 
called an event header and contains information about the event name and classification; the source and 
destination IP addresses; ports; the process that generated the event; and the date and time of the event. 
The second is the packet log and includes a copy of the decoded packet header and packet payload.
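The following is an added illustration, not code from the FireSIGHT System or from Snort, of the two checks described above and of how a finding is recorded as an event with an event header and a packet log. It builds a toy decoder that raises an event for an IPv4 datagram shorter than the 20-byte minimum header, a toy defragmentation stage that raises an event when fragments of one datagram overlap, and a constructed sample capture that triggers both. The event names, the classification string and the sample addresses are constructed placeholders; they are not the product's actual decoder or preprocessor rule identifiers.

```python
# Added example (not FireSIGHT or Snort code). Event names and sample data are constructed.
import struct
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

IPV4_MIN_HEADER = 20  # bytes: an IPv4 header with no options


@dataclass
class Event:
    """One intrusion event: the event header fields plus the packet log."""
    name: str
    classification: str
    src_ip: str
    dst_ip: str
    src_port: Optional[int]
    dst_port: Optional[int]
    generator: str            # component that raised it: decoder or preprocessor
    timestamp: str
    decoded_header: dict      # packet log, part 1: decoded header fields
    payload_hex: str          # packet log, part 2: raw payload bytes


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_ipv4(src: str, dst: str, ident: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Construct a raw IPv4 packet (no options, zero checksum) for the sample capture."""
    assert offset % 8 == 0, "fragment offsets are carried in 8-byte units"
    flags_frag = ((1 << 13) if more else 0) | (offset // 8)   # MF flag + offset field
    total = IPV4_MIN_HEADER + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, ident, flags_frag, 64, 17, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload


def decode_ipv4(packet: bytes) -> tuple[Optional[dict], list[Event]]:
    """Packet-decoder stage: a datagram shorter than a minimal IPv4 header is anomalous."""
    if len(packet) < IPV4_MIN_HEADER:
        ev = Event("IPV4_TRUNCATED_HEADER", "Potentially Bad Traffic", "unknown", "unknown",
                   None, None, "decoder", _now(), {"captured_length": len(packet)}, packet.hex())
        return None, [ev]
    ver_ihl, _tos, total, ident, flags_frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    hdr = {
        "version": ver_ihl >> 4,
        "header_length": (ver_ihl & 0x0F) * 4,
        "total_length": total,
        "id": ident,
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # convert 8-byte units to bytes
        "ttl": ttl,
        "protocol": proto,
        "src": _dotted(packet[12:16]),
        "dst": _dotted(packet[16:20]),
        "payload_hex": packet[IPV4_MIN_HEADER:].hex(),
    }
    return hdr, []


def check_fragment_overlap(fragments: list[dict]) -> list[Event]:
    """Defragmentation stage: flag any fragment whose byte range overlaps one already placed.

    `fragments` are decoded headers belonging to one datagram (same src, dst, id, protocol).
    """
    events, accepted = [], []   # accepted: (start, end) byte ranges already placed
    for f in sorted(fragments, key=lambda h: h["fragment_offset"]):
        start = f["fragment_offset"]
        end = start + f["total_length"] - f["header_length"]
        if any(start < e and s < end for s, e in accepted):   # half-open ranges intersect
            events.append(Event("IP_FRAGMENT_OVERLAP", "Potentially Bad Traffic",
                                f["src"], f["dst"], None, None, "defrag preprocessor", _now(),
                                {k: v for k, v in f.items() if k != "payload_hex"}, f["payload_hex"]))
        accepted.append((start, end))
    return events


def analyze(packets: list[bytes]) -> list[Event]:
    """Run the decoder over a capture, then the fragment check, and return all events raised."""
    events, frags = [], []
    for pkt in packets:
        hdr, evs = decode_ipv4(pkt)
        events.extend(evs)
        if hdr and (hdr["more_fragments"] or hdr["fragment_offset"]):
            frags.append(hdr)
    events.extend(check_fragment_overlap(frags))
    return events


# Constructed sample capture: a 6-byte truncated datagram, then three fragments of
# datagram id 7 where the second (bytes 8..23) overlaps the first (bytes 0..15).
SAMPLE = [
    b"\x45\x00\x00\x14\x00\x01",
    build_ipv4("10.0.0.5", "10.0.0.9", 7, 0, True, b"A" * 16),
    build_ipv4("10.0.0.5", "10.0.0.9", 7, 8, True, b"B" * 16),
    build_ipv4("10.0.0.5", "10.0.0.9", 7, 24, False, b"C" * 8),
]

if __name__ == "__main__":
    for ev in analyze(SAMPLE):
        print(ev.generator, ev.name, ev.src_ip, "->", ev.dst_ip, ev.decoded_header)
```

Running the block prints two events, one from each stage: the decoder event carries only the captured length and raw bytes because no addresses could be decoded, while the preprocessor event carries the full decoded header of the overlapping fragment. In the real system these checks are gated by the corresponding decoder and preprocessor rules, which is why the text stresses that an event is generated only when the accompanying rule is enabled.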
Analyzing Intrusion Event Data
License: Protection
As the system accumulates intrusion events, you can begin your analysis of potential attacks. The 
FireSIGHT System provides you with the tools you need to review intrusion events and evaluate whether 
they are important in the context of your network environment and your security policies. These tools 
include:
• an Intrusion Event Statistics page that gives you an overview of the current activity on your managed device
  For more information, see
• text-based and graphical reports that you can generate for any time period you choose; you can also design your own event reports and then configure them to run at scheduled intervals
  For more information, see .
• an incident-handling tool that you can use to gather event and packet data related to an attack; you can also add notes to help you track your investigation and response
  For more information, see
• predefined and custom workflows that you can use to drill down through the intrusion events and to identify the events that you want to investigate further