Cisco FirePOWER Appliance 7020
17-3
FireSIGHT System User Guide
Chapter 17 Introduction to Intrusion Prevention
Understanding How Traffic Is Analyzed
• a network layer decoder, such as the IP decoder
• a transport layer decoder, such as the TCP decoder
• an application layer decoder or preprocessor, such as the HTTP Inspect preprocessor
• the rules engine
Events include such information as:
• the date and time the event was generated
• the event priority
• when you use network discovery, the impact flag associated with the event
• whether the packet that caused the event was dropped or would have been dropped in an inline, switched, or routed deployment
• the name of the device that generated the event
• the protocol of the packet that caused the event
• the source IP address and port for the event
• the destination IP address and port for the event
• the name of the user logged into the source host
• the ICMP type and code (for ICMP traffic)
• the FireSIGHT System component that generated the event (for example, the rule, decoder, or preprocessor)
• a brief description of the event
• the classification of the rule that generated the event
• the VLAN where the host is a member
For a complete list and descriptions of the information included in intrusion events, see .
Note
For events generated by shared object rules, the rule itself is not available.
The following sections describe more about how the system acquires and processes information:
•
•
•
Capturing and Decoding Packets
License: Protection
Before packets can be inspected, the packets must be captured from the network. The following
illustration shows how the system sniffs packets, then decodes them before any further analysis.
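To make the two ideas on this page concrete, the layered decoding (IP decoder, then TCP decoder, then the rules engine) and the kind of record an intrusion event carries, here is an added, self-contained Python example. It is illustrative code written for this page, not Cisco's decoder or rule format: the packet bytes, the single rule, the device name and the event field names are all constructed, checksums are not verified, and only IPv4 over TCP is handled.

```python
# Added example (not from the FireSIGHT guide): a minimal layered decoder in the
# spirit of the pipeline described above. A raw IPv4 packet is handed to the
# network layer decoder, its payload to the transport layer decoder, and the
# decoded fields to a tiny "rules engine" that emits an event record carrying
# the kinds of fields listed in this chapter. Everything here is constructed
# for illustration; no checksum validation is performed.
import socket
import struct
from datetime import datetime, timezone


def decode_ipv4(raw: bytes) -> dict:
    """Network layer decoder: parse the IPv4 header and return fields plus payload."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes
    if version != 4 or ihl < 20 or len(raw) < ihl or total_len < ihl:
        raise ValueError("malformed IPv4 header")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,                 # 6 = TCP
        "ttl": ttl,
        "payload": raw[ihl:total_len],
    }


def decode_tcp(raw: bytes) -> dict:
    """Transport layer decoder: parse the TCP header and return ports, flags, payload."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_res, flags, _win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", raw[:20])
    data_off = (off_res >> 4) * 4       # data offset in bytes
    if data_off < 20 or len(raw) < data_off:
        raise ValueError("malformed TCP header")
    return {"sport": sport, "dport": dport, "flags": flags, "payload": raw[data_off:]}


# Constructed rule (hypothetical sid/classification; not a Cisco or Snort rule).
RULES = [
    {"sid": 1000001, "priority": 2, "dport": 80, "content": b"/../",
     "msg": "Example: directory traversal pattern in HTTP request",
     "classtype": "web-application-attack"},
]


def analyze(raw_ip: bytes, device: str = "sensor-1", inline: bool = True) -> list:
    """Run the decoder chain and return the list of events the rules produce."""
    ip = decode_ipv4(raw_ip)
    events = []
    if ip["proto"] != 6:                # only a TCP decoder exists in this example
        return events
    tcp = decode_tcp(ip["payload"])
    for rule in RULES:
        if tcp["dport"] == rule["dport"] and rule["content"] in tcp["payload"]:
            events.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "priority": rule["priority"],
                "device": device,
                "protocol": "tcp",
                "src": f"{ip['src']}:{tcp['sport']}",
                "dst": f"{ip['dst']}:{tcp['dport']}",
                "generator": f"rule {rule['sid']}",
                "message": rule["msg"],
                "classification": rule["classtype"],
                # inline deployments drop; passive ones record "would have dropped"
                "action": "dropped" if inline else "would have dropped",
            })
    return events


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a constructed IPv4/TCP packet (zero checksums) for feeding the decoders."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    total = 20 + len(tcp_hdr) + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 1, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr + payload


# Constructed sample traffic: one request matching the rule, one benign request.
SAMPLE = build_packet("10.0.0.5", "192.0.2.10", 51234, 80,
                      b"GET /../index.html HTTP/1.1\r\nHost: example\r\n\r\n")
BENIGN = build_packet("10.0.0.5", "192.0.2.10", 51235, 80,
                      b"GET /index.html HTTP/1.1\r\nHost: example\r\n\r\n")

if __name__ == "__main__":
    for event in analyze(SAMPLE):
        print(event)
    print("benign packet events:", analyze(BENIGN))
```

The point to take from the structure is that each decoder validates its own header before passing the remainder up; a truncated or malformed header raises at the layer that detects it rather than reaching the rules engine with garbage, which is the same reason the real decoders emit their own events for protocol anomalies.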