Cisco Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 22      Using Advanced Settings in an Intrusion Policy
  Understanding Preprocessors
Note: Events generated by standard text rules have a generator ID of 1. The event’s SID indicates which specific rule triggered. For shared object rules, the events have a generator ID of 3 and a SID that indicates which specific rule was triggered.
The following table describes the types of events that generate each GID.
Table 22-9 Generator IDs

| ID | Component | Description |
|---|---|---|
| 1 | Standard Text Rule | The event was generated when the packet triggered a standard text rule. See the  table for more information. |
| 2 | Tagged Packets | The event was generated by the Tag generator, which generates packets from a tagged session. This occurs when the tag rule option is used. For more information, see |
| 3 | Shared Object Rule | The event was generated when the packet triggered a shared object rule. See the  table for more information. |
| 102 | HTTP Decoder | The decoder engine decoded HTTP data within the packet. |
| 105 | Back Orifice Detector | The Back Orifice Detector identified a Back Orifice attack associated with the packet. See  for more information. |
| 106 | RPC Decoder | The RPC decoder decoded the packet. See  for more information. |
| 116 | Packet Decoder | The event was generated by the packet decoder. See  for more information. |
| 119, 120 | HTTP Inspect Preprocessor | The event was generated by the HTTP Inspect preprocessor. GID 120 rules relate to server-specific HTTP traffic. See  for more information. |
| 122 | Portscan Detector | The event was generated by the portscan flow detector. See  for more information. |
| 123 | IP Defragmentor | The event was generated when a fragmented IP datagram could not be properly reassembled. See  for more information. |
| 124 | SMTP Decoder | The event was generated when the SMTP preprocessor detected an exploit against an SMTP verb. See  for more information. |
| 125 | FTP Decoder | The event was generated when the FTP/Telnet decoder detected an exploit within FTP traffic. See  and  for more information. |
| 126 | Telnet Decoder | The event was generated when the FTP/Telnet decoder detected an exploit within telnet traffic. See  for more information. |
| 128 | SSH Preprocessor | The event was generated when the SSH preprocessor detected an exploit within SSH traffic. See  for more information. |
| 129 | Stream Preprocessor | The event was generated during stream preprocessing by the stream preprocessor. See  for more information. |
| 131 | DNS Preprocessor | The event was generated by the DNS preprocessor. See  for more information. |
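The following triage sketch is an added example, not part of the Cisco guide: it splits exported alerts into rule events (GID 1 and 3, where the SID names the rule) and decoder or preprocessor events, using only the GIDs listed on this page. The Snort-style `[gid:sid:rev]` line format, the function names, and all sample lines, SIDs and messages are assumptions constructed for illustration.

```python
import re
from collections import Counter

# GID -> component, copied from Table 22-9 as shown on this page.
GID_COMPONENT = {
    1: "Standard Text Rule", 2: "Tagged Packets", 3: "Shared Object Rule",
    102: "HTTP Decoder", 105: "Back Orifice Detector", 106: "RPC Decoder",
    116: "Packet Decoder", 119: "HTTP Inspect Preprocessor",
    120: "HTTP Inspect Preprocessor", 122: "Portscan Detector",
    123: "IP Defragmentor", 124: "SMTP Decoder", 125: "FTP Decoder",
    126: "Telnet Decoder", 128: "SSH Preprocessor",
    129: "Stream Preprocessor", 131: "DNS Preprocessor",
}
RULE_GIDS = {1, 3}  # per the note: for these GIDs the SID names the rule

# Assumption: each alert line carries a Snort-style "[gid:sid:rev]" triple.
TRIPLE = re.compile(r"\[(\d+):(\d+):(\d+)\]")

def classify(line):
    """Return (gid, sid, component, kind), or None if no ID triple is found."""
    m = TRIPLE.search(line)
    if m is None:
        return None
    gid, sid = int(m.group(1)), int(m.group(2))
    component = GID_COMPONENT.get(gid)
    # A GID missing from the table is reported as unknown rather than guessed.
    kind = "unknown" if component is None else ("rule" if gid in RULE_GIDS else "non-rule")
    return gid, sid, component, kind

def summarize(lines):
    """Count events per (kind, component); lines without a triple are 'unparsed'."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        key = ("unparsed", None) if hit is None else (hit[3], hit[2])
        counts[key] += 1
    return counts

# Constructed sample alerts (SIDs and messages are made up).
SAMPLE = [
    "[**] [1:1000001:2] constructed text rule event [**]",
    "[**] [3:1000002:1] constructed shared object rule event [**]",
    "[**] [122:1:1] constructed portscan event [**]",
    "[**] [120:3:1] constructed HTTP server event [**]",
    "[**] [999:1:1] constructed event with an unlisted GID [**]",
    "malformed line without an ID triple",
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items(), key=str):
        print(key, n)
```

Events that land in the `unknown` bucket come from a generator this page does not list, so they need a lookup in the full guide before any tuning decision.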