Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 18-22
Chapter 18      Working with Intrusion Events
  Using the Packet View
Ingress Interface
The ingress interface of the packet that triggered the event. Only this interface column is populated 
for a passive interface. See 
Egress Interface
For an inline set, the egress interface of the packet that triggered the event. See 
Source/Destination IP
The host IP address or domain name where the packet that triggered the event (source) originated, 
or the target (destination) host of the traffic that triggered the event. 
Note that to display the domain name, you must enable IP address resolution; for more information, see 
Click the address or domain name to view the context menu, then select Whois to do a whois search on the host, View Host Profile to view host information, or Blacklist Now or Whitelist Now to add the address to a global blacklist or whitelist. See  and 
Source Port/ICMP Type
Source port of the packet that triggered the event. For ICMP traffic, where there is no port number, 
the system displays the ICMP type.
Destination Port/ICMP Code
The port number for the host receiving the traffic. For ICMP traffic, where there is no port number, 
the system displays the ICMP code.
Email Headers
The data that was extracted from the email header. Note that email headers do not appear in the table 
view of intrusion events, but you can use email header data as a search criterion. 
To associate email headers with intrusion events for SMTP traffic, you must enable the SMTP preprocessor Log Headers option. See  for more information. For rule-based events, this row appears when email data is extracted.
HTTP Hostname
The host name, if present, extracted from the HTTP request Host header. This row displays the complete host name, up to 256 bytes. Click the expand arrow to display the complete host name when it is longer than a single row.
To display host names, you must enable the HTTP Inspect preprocessor Log Hostname option. See  for more information.
Note that HTTP request packets do not always include a host name. For rule-based events, this row 
appears when the packet contains the HTTP host name or the HTTP URI.
HTTP URI
The raw URI, if present, associated with the HTTP request packet that triggered the intrusion event. This row displays the complete URI, up to 2048 bytes. Click the expand arrow to display the complete URI when it is longer than a single row.
To display the URI, you must enable the HTTP Inspect preprocessor Log URI option. See  for more information.
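The HTTP Hostname and HTTP URI rows above describe what the Log Hostname and Log URI options record. As an added illustration, not FireSIGHT or Snort code and not the HTTP Inspect preprocessor's actual parsing logic, the following Python parser pulls the raw request URI and the Host header out of a constructed HTTP request payload, applies the 256-byte and 2048-byte limits the guide states, and returns no host name when the request carries none, which is the case the note about HTTP request packets covers. The sample requests, the function name and the field names are assumptions made here.

```python
"""Illustrative extraction of the two HTTP fields shown in the packet view.

Added example, not FireSIGHT/Snort code: it mimics what the Log Hostname and
Log URI options record, using the limits the guide states (host name up to
256 bytes, raw URI up to 2048 bytes). Names and samples are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

HOSTNAME_MAX = 256   # bytes, per the guide's HTTP Hostname row
URI_MAX = 2048       # bytes, per the guide's HTTP URI row


@dataclass
class HttpEventFields:
    hostname: Optional[str]   # None when the request carries no Host header
    uri: Optional[str]        # None when no request line could be parsed
    hostname_truncated: bool  # True if the host name exceeded HOSTNAME_MAX
    uri_truncated: bool       # True if the URI exceeded URI_MAX


def _cap(value: Optional[bytes], limit: int) -> Tuple[Optional[str], bool]:
    """Cut a field at the documented byte limit and report whether it was cut."""
    if value is None:
        return None, False
    return value[:limit].decode("latin-1"), len(value) > limit


def extract_http_fields(payload: bytes) -> HttpEventFields:
    """Pull the raw request URI and Host header from an HTTP request payload.

    The URI is taken verbatim from the request line (no percent-decoding or
    normalisation, matching the guide's "raw URI"). A request without a Host
    header yields hostname=None, since HTTP requests do not always carry one.
    """
    # Only the header block matters; stop at the first blank line.
    head = payload.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")

    # Request line: METHOD SP request-target SP HTTP-version
    parts = lines[0].split(b" ")
    raw_uri = parts[1] if len(parts) >= 3 else None

    host = None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip()
            break   # first Host header wins

    hostname, host_cut = _cap(host, HOSTNAME_MAX)
    uri, uri_cut = _cap(raw_uri, URI_MAX)
    return HttpEventFields(hostname, uri, host_cut, uri_cut)


# Constructed sample requests (not captured traffic).
SAMPLE_WITH_HOST = (
    b"GET /search?q=%20hello%20 HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: sample\r\n\r\n"
)
SAMPLE_NO_HOST = b"GET /cgi-bin/status HTTP/1.0\r\n\r\n"   # HTTP/1.0: Host optional
SAMPLE_LONG_URI = b"GET /" + b"A" * 3000 + b" HTTP/1.1\r\nHost: h\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_WITH_HOST, SAMPLE_NO_HOST, SAMPLE_LONG_URI):
        print(extract_http_fields(sample))
```

The `hostname_truncated` and `uri_truncated` flags are the part worth keeping in mind when reviewing events: a URI row that shows exactly 2048 bytes may have been cut at the limit, so the displayed value is not necessarily the whole request target, and the percent-encoded form is kept as sent rather than decoded.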