topic RDEP Traffic Content in Network Security https://community.cisco.com/t5/network-security/rdep-traffic-content/m-p/651931#M87743 <P>I am using RDEP to subscribe to IDS sensors and retrieve alerts. In a specific signature I am interested in the content of the traffic from the attacker and victim. In the XML format for RDEP, this content seems encrypted in some way, what format is the &lt;content&gt;&lt;fromAttacker&gt;&lt;/fromAttacker&gt;&lt;/content&gt; given?</P><P></P><P>Example:</P><P><A class="jive-link-custom" href="https://" target="_blank">https://</A>&lt;sensor&gt;/cgi-bin/event-server gives</P><P>&lt;evAlert eventId="1164894001049869927" severity="low"&gt;</P><P> ...</P><P>&lt;context&gt;</P><P>&lt;fromAttacker&gt;UE9TVCAvbm90aWZ5LyBIVFRQLzEuMQ0=&lt;/fromAttacker&gt;</P><P>&lt;/context&gt;</P><P>...</P><P>&lt;/evAlert&gt;</P><P></P><P>For the same event, in CLI gives:</P><P>#show events alert low</P><P>evIdsAlert: eventId=1164894001049869927 severity=low vendor=Cisco </P><P>...</P><P> context: </P><P> fromAttacker: </P><P>000000 50 4F 53 54 20 2F 6E 6F 74 69 66 79 2F 20 48 54 POST /notify/ HT</P><P>000010 54 50 2F 31 2E 31 0D TP/1.1.</P><P> riskRatingValue: 37</P><P>...</P><P></P><P>How can I decipher the first to read like the second?</P> Sun, 10 Mar 2019 10:25:48 GMT tami.martin 2019-03-10T10:25:48Z RDEP Traffic Content https://community.cisco.com/t5/network-security/rdep-traffic-content/m-p/651931#M87743 <P>I am using RDEP to subscribe to IDS sensors and retrieve alerts. In a specific signature I am interested in the content of the traffic from the attacker and victim. In the XML format for RDEP, this content seems encrypted in some way, what format is the &lt;content&gt;&lt;fromAttacker&gt;&lt;/fromAttacker&gt;&lt;/content&gt; given?</P><P></P><P>Example:</P><P><A class="jive-link-custom" href="https://" target="_blank">https://</A>&lt;sensor&gt;/cgi-bin/event-server gives</P><P>&lt;evAlert eventId="1164894001049869927" severity="low"&gt;</P><P> ...</P><P>&lt;context&gt;</P><P>&lt;fromAttacker&gt;UE9TVCAvbm90aWZ5LyBIVFRQLzEuMQ0=&lt;/fromAttacker&gt;</P><P>&lt;/context&gt;</P><P>...</P><P>&lt;/evAlert&gt;</P><P></P><P>For the same event, in CLI gives:</P><P>#show events alert low</P><P>evIdsAlert: eventId=1164894001049869927 severity=low vendor=Cisco </P><P>...</P><P> context: </P><P> fromAttacker: </P><P>000000 50 4F 53 54 20 2F 6E 6F 74 69 66 79 2F 20 48 54 POST /notify/ HT</P><P>000010 54 50 2F 31 2E 31 0D TP/1.1.</P><P> riskRatingValue: 37</P><P>...</P><P></P><P>How can I decipher the first to read like the second?</P> Sun, 10 Mar 2019 10:25:48 GMT https://community.cisco.com/t5/network-security/rdep-traffic-content/m-p/651931#M87743 tami.martin 2019-03-10T10:25:48Z Re: RDEP Traffic Content https://community.cisco.com/t5/network-security/rdep-traffic-content/m-p/651932#M87749 <HTML><HEAD></HEAD><BODY><P>It's base64 encoded. You will need to decode it. Whatever you've written your code in should have a module/library for handling base64.</P></BODY></HTML> Fri, 19 Jan 2007 18:42:18 GMT https://community.cisco.com/t5/network-security/rdep-traffic-content/m-p/651932#M87749 mhellman 2007-01-19T18:42:18Z