Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 22 Using Advanced Settings in an Intrusion Policy
Understanding Preprocessors
Note: Events generated by standard text rules have a generator ID of 1. The event’s SID indicates which
specific rule triggered. For shared object rules, the events have a generator ID of 3 and a SID that
indicates which specific rule was triggered.
The following table describes the types of events that generate each GID.
Table 22-9 Generator IDs

| ID | Component | Description |
|----|-----------|-------------|
| 1 | Standard Text Rule | The event was generated when the packet triggered a standard text rule. See the table for more information. |
| 2 | Tagged Packets | The event was generated by the Tag generator, which generates packets from a tagged session. This occurs when the tag rule option is used. For more information, see |
| 3 | Shared Object Rule | The event was generated when the packet triggered a shared object rule. See the table for more information. |
| 102 | HTTP Decoder | The decoder engine decoded HTTP data within the packet. |
| 105 | Back Orifice Detector | The Back Orifice Detector identified a Back Orifice attack associated with the packet. See for more information. |
| 106 | RPC Decoder | The RPC decoder decoded the packet. See for more information. |
| 116 | Packet Decoder | The event was generated by the packet decoder. See for more information. |
| 119, 120 | HTTP Inspect Preprocessor | The event was generated by the HTTP Inspect preprocessor. GID 120 rules relate to server-specific HTTP traffic. See for more information. |
| 122 | Portscan Detector | The event was generated by the portscan flow detector. See for more information. |
| 123 | IP Defragmentor | The event was generated when a fragmented IP datagram could not be properly reassembled. See for more information. |
| 124 | SMTP Decoder | The event was generated when the SMTP preprocessor detected an exploit against an SMTP verb. See for more information. |
| 125 | FTP Decoder | The event was generated when the FTP/Telnet decoder detected an exploit within FTP traffic. See and for more information. |
| 126 | Telnet Decoder | The event was generated when the FTP/Telnet decoder detected an exploit within telnet traffic. See for more information. |
| 128 | SSH Preprocessor | The event was generated when the SSH preprocessor detected an exploit within SSH traffic. See for more information. |
| 129 | Stream Preprocessor | The event was generated during stream preprocessing by the stream preprocessor. See for more information. |
| 131 | DNS Preprocessor | The event was generated by the DNS preprocessor. See for more information. |