Cisco Firepower Management Center 4000
18-9
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Viewing Intrusion Events
same area of the network analysis policy, you can also specify up to six custom client IP headers, as well as set the priority order in which the system selects the value for the Original Client IP event field. See for more information.
This field is enabled by default.
XFF Header Priority
When Extract Original Client IP Address is enabled, specifies the order in which the system processes original client IP HTTP headers. If, on your monitored network, you expect to encounter original client IP headers other than X-Forwarded-For (XFF) or True-Client-IP, you can click Add to add up to six additional client IP header names to the priority list. Note that if multiple XFF headers appear in an HTTP request, the value for the Original Client IP event field is the header with the highest priority. You can use the up and down arrow icons beside any header type to adjust its priority.
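The selection rule described above, as an added Python example that is not part of this guide or of the FireSIGHT product: a priority list built the way the page describes (X-Forwarded-For and True-Client-IP plus up to six custom names, reordered as the arrow icons would), applied to a constructed request that carries both headers. The `order` parameter, the sample request and the leftmost-address rule for comma-separated XFF chains are assumptions of this example.

```python
from typing import Dict, Optional, Sequence, Tuple

# Built-in header types named on the page; an admin may append up to six more.
BUILTIN_HEADERS: Tuple[str, ...] = ("X-Forwarded-For", "True-Client-IP")
MAX_CUSTOM_HEADERS = 6

# Constructed sample request (TEST-NET addresses), not a capture from any system.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 198.51.100.7, 203.0.113.9\r\n"
    "True-Client-IP: 198.51.100.8\r\n"
    "\r\n"
)

def build_priority_list(custom: Sequence[str] = (),
                        order: Sequence[str] = ()) -> Tuple[str, ...]:
    """Header names in selection order: built-ins plus custom names, re-sorted
    by `order` (a hypothetical stand-in for the UI's up/down arrows)."""
    if len(custom) > MAX_CUSTOM_HEADERS:
        raise ValueError("at most %d custom client IP headers" % MAX_CUSTOM_HEADERS)
    names = list(BUILTIN_HEADERS) + [c for c in custom if c not in BUILTIN_HEADERS]
    unknown = set(order) - set(names)
    if unknown:
        raise ValueError("unknown header(s) in order: %s" % sorted(unknown))
    return tuple(list(order) + [n for n in names if n not in order])

def parse_headers(raw_request: str) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.x request into {lowercase name: value}."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line:                             # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def original_client_ip(headers: Dict[str, str],
                       priority: Sequence[str]) -> Optional[str]:
    """First present header in priority order, or None if no header matched.
    Assumption not stated on the page: for a comma-separated XFF chain the
    leftmost address is taken as the originating client. The result is only as
    trustworthy as the proxy that inserted the header."""
    for name in priority:
        value = headers.get(name.lower())
        if value:
            return value.split(",")[0].strip()
    return None
```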
Source Port / ICMP Type
The port number on the sending host. For ICMP traffic, where there is no port number, the system displays the ICMP type.
Destination Port / ICMP Code
The port number for the host receiving the traffic. For ICMP traffic, where there is no port number, the system displays the ICMP code.
VLAN ID
The innermost VLAN ID associated with the packet that triggered the intrusion event.
MPLS Label
The Multiprotocol Label Switching label associated with the packet that triggered this intrusion event.
This field is disabled by default.
Message
The explanatory text for the event. For rule-based intrusion events, the event message is pulled from the rule. For decoder- and preprocessor-based events, the event message is hard coded.
Classification
The classification to which the rule that generated the event belongs. See the table for a list of rule classification names and numbers.
Generator
The component that generated the event. See the table for a list of intrusion event generator IDs.
Source User
The User ID for any known user logged in to the source host.
Destination User
The User ID for any known user logged in to the destination host.