Cisco Firepower Management Center 4000
18-11
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Viewing Intrusion Events
Security Context
The metadata identifying the virtual firewall group through which the traffic passed. Note that the
system only populates this field for ASA FirePOWER devices in multi-context mode.
Ingress Interface
The ingress interface of the packet that triggered the event. Only this interface column is populated
for a passive interface. See
Egress Interface
For an inline set, the egress interface of the packet that triggered the event. This interface column is
not populated for a passive interface. See
.
Intrusion Policy
The intrusion policy where the intrusion, preprocessor, or decoder rule that generated the event was
enabled. You can select an intrusion policy as the default action for an access control policy, or you
can associate an intrusion policy with an access control rule. See
and
.
Access Control Policy
The access control policy that includes the intrusion policy where the intrusion, preprocessor, or
decoder rule that generated the event is enabled. See
Access Control Rule
The access control rule associated with an intrusion rule that generated the event; see
Default Action indicates that the intrusion policy where the rule is enabled is not associated with an
access control rule but, instead, is configured as the default action of the access control policy; see
.
HTTP Hostname
The host name, if present, that was extracted from the HTTP request Host header. Note that request
packets do not always include the host name.
To display host names, you must enable the HTTP Inspect preprocessor Log Hostname option. See
for more information.
This column displays the first fifty characters of the extracted host name. You can hover your pointer
over the displayed portion of an abbreviated host name to display the complete name, up to 256
bytes. You can also display the complete host name, up to 256 bytes, in the packet view. See
for more information.
This field is disabled by default.
HTTP URI
The raw URI, if present, associated with the HTTP request packet that triggered the intrusion event.
Note that request packets do not always include a URI.
To display the extracted URI, you must enable the HTTP Inspect preprocessor Log URI option. See
for more information.
To see the associated HTTP URI in intrusion events triggered by HTTP responses, you should
configure HTTP server ports in the Perform Stream Reassembly on Both Ports option; note, however,
that this increases resource demands for traffic reassembly. See
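The HTTP Hostname and HTTP URI descriptions above state three constraints worth checking when you parse or replay these fields: the Host header may be absent, the full host name is retained up to 256 bytes, and the column shows only the first 50 characters. The following Python is an added illustration of those documented limits on constructed requests; it is not code from the Cisco guide or the FireSIGHT product, and its parsing logic (`extract_http_fields`, `column_hostname`) is an assumption for demonstration, not the HTTP Inspect preprocessor's implementation.

```python
# Added example, not from the Cisco guide: models the documented behaviour of the
# HTTP Hostname and HTTP URI columns (Host header may be absent; full name kept up to
# 256 bytes; column shows the first 50 characters) on constructed HTTP requests.
from dataclasses import dataclass
from typing import Optional

HOSTNAME_MAX_BYTES = 256      # longest host name the guide says is retained
HOSTNAME_DISPLAY_CHARS = 50   # width of the abbreviated column value


@dataclass
class HttpEventFields:
    hostname: Optional[str]   # None when the request carried no Host header
    uri: Optional[str]        # raw (un-normalised) request URI, None if no request line


def extract_http_fields(raw_request: bytes) -> HttpEventFields:
    """Pull the raw URI and Host header value out of one HTTP request (assumed parsing)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    # Keep the URI exactly as sent: percent-encoding and odd characters are preserved.
    uri = request_line[1].decode("latin-1") if len(request_line) >= 3 else None
    hostname = None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            # Retain at most 256 bytes of the header value, as the guide describes.
            hostname = value.strip()[:HOSTNAME_MAX_BYTES].decode("ascii", "replace")
            break
    return HttpEventFields(hostname=hostname, uri=uri)


def column_hostname(fields: HttpEventFields) -> str:
    """Value shown in the HTTP Hostname column: first 50 characters, or empty if absent."""
    if fields.hostname is None:
        return ""
    return fields.hostname[:HOSTNAME_DISPLAY_CHARS]


# Constructed sample requests (not captured traffic).
SAMPLE_WITH_HOST = (b"GET /catalog/item?id=42&view=full HTTP/1.1\r\n"
                    b"Host: www.example.com\r\nUser-Agent: test\r\n\r\n")
SAMPLE_LONG_HOST = b"GET /index.html HTTP/1.1\r\nHost: " + b"a" * 300 + b".example\r\n\r\n"
SAMPLE_NO_HOST = b"GET /index.html HTTP/1.0\r\nUser-Agent: test\r\n\r\n"

if __name__ == "__main__":
    for req in (SAMPLE_WITH_HOST, SAMPLE_LONG_HOST, SAMPLE_NO_HOST):
        f = extract_http_fields(req)
        print(repr(column_hostname(f)), len(f.hostname or ""), f.uri)
```

The HTTP/1.0 sample shows why the column can be empty even when Log Hostname is enabled: there is simply no Host header to extract.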