Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Searching for Intrusion Events
Destination IP
Specify the IP address used by the destination host involved in the intrusion events.
Source/Destination IP
Specify the source or destination IP address used by the host whose intrusion events you want to
view.
Source Country
Specify the country of the source host involved in the intrusion events.
Destination Country
Specify the country of the destination host involved in the intrusion events.
Source/Destination Country
Specify the country of the source or destination host involved in the intrusion events you want to
view.
Source Continent
Specify the continent of the source host involved in the intrusion events.
Destination Continent
Specify the continent of the destination host involved in the intrusion events.
Source/Destination Continent
Specify the continent of the source or destination host involved in the intrusion events you want to
view.
Original Client IP
The original client IP address that was extracted from an X-Forwarded-For (XFF), True-Client-IP,
or custom-defined HTTP header. To display a value for this field, you must enable the HTTP
preprocessor Extract Original Client IP Address option in the network analysis policy. Optionally,
in the same area of the network analysis policy, you can also specify up to six custom client IP
headers, as well as set the priority order in which the system selects the value for the Original Client
IP event field. See
for more
information.
XFF Priority Header
When Extract Original Client IP Address is enabled, specifies the order in which the system
processes original client IP HTTP headers. If, on your monitored network, you expect to encounter
original client IP headers other than X-Forwarded-For (XFF) or True-Client-IP, you can click
Add to
add up to six additional Client IP header names to the priority list. Note that if multiple XFF headers
appear in an HTTP request, the value for the Original Client IP event field is the header with the
highest priority. You can use the up and down arrow icons beside any header type to adjust its
priority.
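The selection rule described above, modeled as an added Python example (not Cisco code): when a request carries several client IP headers, the one highest in the priority list supplies the Original Client IP value. The function names, the sample request, the leftmost-entry choice for comma-separated values and the skipping of unparsable values are assumptions made for illustration.

```python
import ipaddress

BUILT_IN = ("X-Forwarded-For", "True-Client-IP")  # headers named on this page
MAX_CUSTOM = 6                                     # page: up to six custom header names


def validate_priority(priority):
    """Return the priority list lower-cased, rejecting more than six custom names."""
    built_in = {h.lower() for h in BUILT_IN}
    names = [h.lower() for h in priority]
    custom = [h for h in names if h not in built_in]
    if len(custom) > MAX_CUSTOM:
        raise ValueError("at most six custom client IP headers are allowed")
    if len(set(names)) != len(names):
        raise ValueError("duplicate header name in priority list")
    return names


def original_client_ip(request_headers, priority):
    """Pick the client IP from the highest-priority header present.

    request_headers: list of (name, value) pairs from one HTTP request.
    Returns (header_name, ip_string) or None when no listed header yields an IP.
    """
    seen = {}
    for name, value in request_headers:
        seen.setdefault(name.lower(), value)       # HTTP header names are case-insensitive
    for name in validate_priority(priority):
        if name not in seen:
            continue
        # Assumption: for a comma-separated proxy chain, use the leftmost entry.
        candidate = seen[name].split(",")[0].strip()
        try:
            return name, str(ipaddress.ip_address(candidate))
        except ValueError:
            continue                               # Assumption: skip unparsable values
    return None


# Constructed sample request carrying two competing client IP headers.
SAMPLE = [
    ("Host", "app.example.test"),
    ("True-Client-IP", "198.51.100.7"),
    ("x-forwarded-for", "203.0.113.10, 10.0.0.5"),
]

if __name__ == "__main__":
    print(original_client_ip(SAMPLE, ["X-Forwarded-For", "True-Client-IP"]))
    print(original_client_ip(SAMPLE, ["True-Client-IP", "X-Forwarded-For"]))
```

Because these headers are written by whoever sent or proxied the request, corroborate the Original Client IP value against the event's Source IP and the proxies you operate before relying on it during triage.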
Protocol