https://community.cisco.com/t5/network-security/vms-secmon-and-trigger-packet/m-p/790222#M86580 <HTML><HEAD></HEAD><BODY><P>Check to see if you are still reporting Risk Ratings on your events in SecMon. We have had some senor updates break Risk Ratings. Re-importing the sensor in VMS fixes that problem.</P></BODY></HTML> Fri, 25 May 2007 15:44:31 GMT rhermes 2007-05-25T15:44:31Z https://community.cisco.com/t5/network-security/vms-secmon-and-trigger-packet/m-p/790221#M86579 <P>Right, in the network is a VMS Server 2.3sp2 and several 5.1.5E1s283.0 sensors. We have enabled the following commands on the sensors:</P><P></P><P>overrides produce-verbose-alert </P><P>override-item-status Enabled</P><P>risk-rating-range 50</P><P></P><P>SDEE events are received in VMS SecMon console. In the past with this enabled, when the Risk Rating was above 50 on any event received in the console, this would produce a (verbose) trigger packet that would be viewable on the console by right clicking the event and the selecting tools/trigger packet. However it seams that this is not the case anymore. </P><P></P><P>Could someone tell me if this function still works or has something changed that makes it not possible anymore?</P><P></P> Sun, 10 Mar 2019 10:37:45 GMT https://community.cisco.com/t5/network-security/vms-secmon-and-trigger-packet/m-p/790221#M86579 darin.marais 2019-03-10T10:37:45Z https://community.cisco.com/t5/network-security/vms-secmon-and-trigger-packet/m-p/790222#M86580 <HTML><HEAD></HEAD><BODY><P>Check to see if you are still reporting Risk Ratings on your events in SecMon. We have had some senor updates break Risk Ratings. Re-importing the sensor in VMS fixes that problem.</P></BODY></HTML> Fri, 25 May 2007 15:44:31 GMT https://community.cisco.com/t5/network-security/vms-secmon-and-trigger-packet/m-p/790222#M86580 rhermes 2007-05-25T15:44:31Z https://community.cisco.com/t5/network-security/vms-secmon-and-trigger-packet/m-p/790223#M86581 <HTML><HEAD></HEAD><BODY><P>If I run show event on a sensor were I have enabled the commands:</P><P></P><P>overrides produce-verbose-alert </P><P>override-item-status Enabled</P><P>risk-rating-range 50</P><P></P><P>The event that is captured on the screen is as follows.</P><P></P><P>sensor# sh events</P><P></P><P>evIdsAlert: eventId=removed severity=high vendor=Cisco </P><P> originator: </P><P> hosted sensor</P><P> appName: sensorApp</P><P> appInstanceId: 5037</P><P> time: 2007/05/30 08:05:57 2007/05/30 10:05:57 CET</P><P> signature: description=Cursor/Icon File Format Buffer Overflow id=5442 version=S137 </P><P> subsigId: 0</P><P> sigDetails: Malicious ANI File</P><P> interfaceGroup: </P><P> vlan: 0</P><P> participants: </P><P> attacker: </P><P> addr: locality=OUT removed</P><P> port: 8080</P><P> target: </P><P> addr: locality=OUT removed</P><P> port: 46531</P><P> context: </P><P> fromTarget: </P><P>text removed</P><P> fromAttacker: </P><P>text removed</P><P> riskRatingValue: 60</P><P> interface: ge2_0</P><P> protocol: tcp</P><P></P><P>The event includes the risk rating value. Is that what you mean?</P><P></P><P>In the past the events collected were IDIOM events but now the are SDEE. Is there a difference as far as the triggered packets are concerned. In the past the event included a section called triggerPacket but I don?t see that anymore.</P><P></P></BODY></HTML> Wed, 30 May 2007 07:35:28 GMT https://community.cisco.com/t5/network-security/vms-secmon-and-trigger-packet/m-p/790223#M86581 darin.marais 2007-05-30T07:35:28Z