Cisco FirePOWER Appliance 8390
FireSIGHT System User Guide
Chapter 18 Working with Intrusion Events
Tip
At any point in the process, you can save the constraints as a set of search criteria. For example, if you
find that over the course of a few days your network is being probed by an attacker from a single IP
address, you can save your constraints during your investigation and then use them again later. You
cannot, however, save compound constraints as a set of search criteria. For more information, see
Tip
If no intrusion events appear on the event views, adjusting the selected time range might return results.
If you selected an older time range, events in that time range might have been deleted. Adjusting the rule
thresholding configuration might generate events.
Using the Packet View
License: Protection
A packet view provides information about the packet that triggered the rule that generated an intrusion
event.
Tip
The packet view on a Defense Center does not contain packet information when the Transfer Packet option
is disabled for the device detecting the event.
The packet view indicates why a specific packet was captured by providing information about the
intrusion event that the packet triggered, including the event’s time stamp, message, classification,
priority, and, if the event was generated by a standard text rule, the rule that generated the event. The
packet view also provides general information about the packet, such as its size.
In addition, the packet view has a section that describes each layer in the packet: data link, network, and
transport, as well as a section that describes the bytes that comprise the packet. You can expand collapsed
sections to display detailed information.
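To show what those per-layer sections and the byte section contain, here is an added example (not from the FireSIGHT product or this guide) that decodes a constructed Ethernet II / IPv4 / TCP SYN frame into data link, network and transport summaries, verifies the IPv4 header checksum, and renders the bytes as an offset/hex/ASCII dump. The frame bytes and all function names are constructed for the example.

```python
import struct
from typing import Any, Dict

# Constructed sample frame (not from a real capture): Ethernet II + IPv4 + TCP SYN,
# 192.0.2.10:40000 -> 198.51.100.20:80, no payload. IPv4 checksum precomputed (0x4e7d).
SAMPLE_FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"                          # Ethernet II header
    "45000028000140004006" "4e7d" "c000020a" "c6336414"           # IPv4 header, TTL 64
    "9c400050" "00000001" "00000000" "5002" "ffff" "0000" "0000"  # TCP header, SYN
)

def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words, as used for the IPv4 header checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def decode_frame(frame: bytes) -> Dict[str, Any]:
    """Split a frame into the sections a packet view shows: data link, network, transport."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers: Dict[str, Any] = {"data_link": {"dst": _mac(dst), "src": _mac(src), "ethertype": ethertype}}
    if ethertype != 0x0800:                 # only IPv4 is decoded in this example
        return layers
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    ttl, proto, csum = struct.unpack("!BBH", ip_hdr[8:12])
    # Recompute over the header with the checksum field zeroed; a mismatch is worth flagging.
    csum_ok = ipv4_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) == csum
    layers["network"] = {"src": ".".join(map(str, ip_hdr[12:16])), "dst": ".".join(map(str, ip_hdr[16:20])),
                         "ttl": ttl, "protocol": proto, "checksum_ok": csum_ok}
    if proto == 6:                          # TCP: ports, sequence number and flags
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", frame[14 + ihl:14 + ihl + 14])
        layers["transport"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                               "flags": off_flags & 0x1FF, "syn": bool(off_flags & 0x02)}
    return layers

def hex_dump(data: bytes, width: int = 16) -> str:
    """Offset / hex / ASCII lines, like the bytes section of the packet view."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(decode_frame(SAMPLE_FRAME))
    print(hex_dump(SAMPLE_FRAME))
```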
Note
Because each portscan event is triggered by multiple packets, portscan events use a special version of
the packet view. See
for more information.
The following table describes the actions you can take on the packet view.