I am using RDEP to subscribe to IDS sensors and retrieve alerts. In a specific signature I am interested in the content of the traffic from the attacker and victim. In the XML format for RDEP, this content seems encrypted in some way. What format is the <content><fromAttacker></fromAttacker></content> given in?
Example:
https://<sensor>/cgi-bin/event-server gives
<evAlert eventId="1164894001049869927" severity="low">
...
<context>
<fromAttacker>UE9TVCAvbm90aWZ5LyBIVFRQLzEuMQ0=</fromAttacker>
</context>
...
</evAlert>
For the same event, the CLI gives:
#show events alert low
evIdsAlert: eventId=1164894001049869927 severity=low vendor=Cisco
...
context:
fromAttacker:
000000 50 4F 53 54 20 2F 6E 6F 74 69 66 79 2F 20 48 54 POST /notify/ HT
000010 54 50 2F 31 2E 31 0D TP/1.1.
riskRatingValue: 37
...
How can I decipher the first to read like the second?
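The fromAttacker value in the XML above is Base64, and decoding it gives the same 23 bytes the CLI prints as a hex dump. The following is an added example, not part of the original post: it decodes every child of <context> in an alert and formats it like the CLI output. The helper names and the namespace handling are assumptions, and the sample alert is the post's XML with the elided parts left out.

```python
import base64
import xml.etree.ElementTree as ET

# Constructed sample: the alert from the post, with the "..." parts omitted.
SAMPLE_ALERT = """<evAlert eventId="1164894001049869927" severity="low">
<context>
<fromAttacker>UE9TVCAvbm90aWZ5LyBIVFRQLzEuMQ0=</fromAttacker>
</context>
</evAlert>"""


def local_name(tag):
    """Drop a '{namespace-uri}' prefix, in case the sensor's XML is namespaced."""
    return tag.rsplit("}", 1)[-1]


def decode_context(alert_xml):
    """Return {element name: decoded bytes} for each child of <context>."""
    root = ET.fromstring(alert_xml)
    decoded = {}
    for elem in root.iter():
        if local_name(elem.tag) != "context":
            continue
        for child in elem:
            if child.text and child.text.strip():
                # Remove line wrapping, then reject non-Base64 characters.
                b64 = "".join(child.text.split())
                decoded[local_name(child.tag)] = base64.b64decode(b64, validate=True)
    return decoded


def hexdump(data, width=16):
    """Format bytes as offset, hex bytes and printable ASCII, like the CLI."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:06X}  {hexpart:<{width * 3 - 1}}  {text}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, payload in decode_context(SAMPLE_ALERT).items():
        print(f"{name}:")
        print(hexdump(payload))
```

Keep the decoded payload as bytes rather than converting it to text, since captured traffic can contain non-printable or binary data; the trailing 0D here is the carriage return of the HTTP request line.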