09-24-2007 07:37 AM - edited 03-10-2019 03:48 AM
Greetings all. Apologies for the dramatic headline but I'm in a bit of a time crunch.
I have a 4215 running 6.0(3)E1. The device is inline. Below is an event that triggered:
========================
evIdsAlert: eventId=1184881408377311643 severity=low vendor=Cisco
originator:
hostId: xyz
appName: sensorApp
appInstanceId: 380
time: 2007/09/24 15:11:25 2007/09/24 15:11:25 UTC
signature: description=Recognized content type id=12673 version=S149
subsigId: 0
sigDetails: Recognized content type
marsCategory: Info/Misc
interfaceGroup: vs0
vlan: 0
participants:
attacker:
addr: locality=any a.a.a.a
port: 80
target:
addr: locality=any b.b.b.b
port: 51095
os: idSource=unknown relevance=relevant type=unknown
actions:
deniedFlow: true
context:
fromAttacker: <stuff>
riskRatingValue: attackRelevanceRating=relevant targetValueRating=medium 50
threatRatingValue: 15
interface: fe2_1
protocol: tcp
========================
I have an external application which pulls this same event from the sensor using a query *like* the following:
wget --user foo --password hoo http://a.b.c.d/cgi-bin/event-server?events=evAlert
I'm able to pull most of the event information, but not all. What I can't seem to get from the query is the "deniedFlow: true" value. I'm seeing something like:
></attack></participants><actions></actions></evAlert>
Notice the "deniedFlow: true" information is missing between the <actions> tags.
Is my wget-ish query missing some arguments that are preventing me from pulling all the same information I can see from the CLI?
Thanks in advance.
09-24-2007 07:46 AM
The problem is that you are using the 5.x-style event-server and so you do not see all of the event fields. You need to change the app to pull from the "sdee-server" and then you will see all of the event fields:
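An added example to go with the answer above (it is not code from the thread or from Cisco): a small Python client that builds the sdee-server request instead of the 5.x event-server one, fetches it over HTTPS with the credentials kept out of the command line, and flattens each evIdsAlert so the deniedFlow field can be checked. The two sample responses are constructed here to mirror the CLI dump and the event-server fragment in the question; the sd:/cid: prefixes, namespace URIs and element nesting are assumptions, and the parser ignores namespaces so it does not depend on them. The /cgi-bin/sdee-server path and the action/events parameters are as documented for the Cisco IPS 5.x/6.x SDEE interface; any other parameters (subscriptionId, sessionId, maxNbrOfEvents, timeout) are passed through unchecked and should be verified against the sensor's own documentation.

```python
"""Pull and parse evIdsAlert events from a Cisco IPS sensor's SDEE server.

Added example for this thread, not code from the original posts or from Cisco.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def sdee_url(sensor, action="subscribe", events="evIdsAlert", **extra):
    """Build a request URL for the sensor's SDEE server.

    /cgi-bin/sdee-server and the action/events parameters follow the Cisco IPS
    SDEE interface; other parameters (subscriptionId, sessionId,
    maxNbrOfEvents, timeout) are passed through via ``extra`` unchecked.
    HTTPS is used so the Basic-auth header is not sent in clear text.
    """
    params = {"action": action, "events": events}
    params.update(extra)
    return f"https://{sensor}/cgi-bin/sdee-server?{urlencode(params)}"


def fetch_sdee(url, user, password, ca_bundle=None, timeout=30):
    """Fetch one SDEE response body.

    Credentials are supplied by the caller (e.g. read from the environment)
    rather than placed on the command line as with ``wget --password``, where
    any local user can read them from the process list. ``ca_bundle`` should
    point at the sensor's exported certificate if it is self-signed.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8", "replace")


def _local(tag):
    """Strip an XML namespace: '{uri}deniedFlow' -> 'deniedFlow'."""
    return tag.rsplit("}", 1)[-1]


def flatten(el, prefix=""):
    """Flatten an element into {path: value}, e.g. 'evIdsAlert/actions/deniedFlow'.

    Attributes become 'path@name' keys. Namespaces are dropped so the result
    does not depend on the sd:/cid: prefixes the sensor happens to emit.
    """
    path = f"{prefix}/{_local(el.tag)}" if prefix else _local(el.tag)
    out = {f"{path}@{_local(k)}": v for k, v in el.attrib.items()}
    children = list(el)
    if children:
        for child in children:
            out.update(flatten(child, path))
    elif el.text and el.text.strip():
        out[path] = el.text.strip()
    return out


def parse_alerts(xml_text):
    """One flattened dict per alert in an SDEE (evIdsAlert) or 5.x
    event-server (evAlert) response."""
    root = ET.fromstring(xml_text)
    return [flatten(el) for el in root.iter()
            if _local(el.tag) in ("evIdsAlert", "evAlert")]


def denied_flows(alerts):
    """Alerts whose <actions> block says the inline sensor denied the flow."""
    return [a for a in alerts
            if any(k.endswith("/actions/deniedFlow") and v == "true"
                   for k, v in a.items())]


# Constructed sample responses (not captured from a sensor). The first mirrors
# the CLI dump in the question; the sd:/cid: prefixes, namespace URIs and
# nesting are assumptions. The second mirrors the 5.x event-server fragment,
# whose <actions> element comes back empty.
SAMPLE_SDEE = """<sd:events xmlns:sd="http://example.org/2003/08/sdee"
  xmlns:cid="http://www.cisco.com/cids/2004/04/cidee">
 <sd:evIdsAlert eventId="1184881408377311643" severity="low" vendor="Cisco">
  <sd:originator><sd:hostId>xyz</sd:hostId>
   <cid:appName>sensorApp</cid:appName></sd:originator>
  <sd:signature description="Recognized content type" id="12673" version="S149">
   <cid:subsigId>0</cid:subsigId></sd:signature>
  <sd:participants>
   <sd:attacker><sd:addr locality="any">a.a.a.a</sd:addr><sd:port>80</sd:port></sd:attacker>
   <sd:target><sd:addr locality="any">b.b.b.b</sd:addr><sd:port>51095</sd:port></sd:target>
  </sd:participants>
  <sd:actions><cid:deniedFlow>true</cid:deniedFlow></sd:actions>
  <cid:riskRatingValue targetValueRating="medium">50</cid:riskRatingValue>
  <cid:interface>fe2_1</cid:interface><cid:protocol>tcp</cid:protocol>
 </sd:evIdsAlert>
</sd:events>"""

SAMPLE_EVENT_SERVER = """<evAlert eventId="1184881408377311643" severity="low">
 <participants><attacker><addr>a.a.a.a</addr></attacker></participants>
 <actions></actions></evAlert>"""


if __name__ == "__main__":
    for name, doc in (("sdee-server", SAMPLE_SDEE),
                      ("event-server", SAMPLE_EVENT_SERVER)):
        print(name, "denied flows:", len(denied_flows(parse_alerts(doc))))
    print(sdee_url("a.b.c.d", subscriptionId="sub-1", maxNbrOfEvents=20))
```

To use it against a real sensor, call fetch_sdee(sdee_url(host, ...), user, password, ca_bundle=...) and hand the body to parse_alerts; the flattened keys make it easy to see which fields a given server variant omits.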
09-24-2007 07:55 AM
That solved it. Thank you very much, James. I appreciate it.