324 Views | 0 Helpful | 1 Replies

RDEP Traffic Content

tami.martin
Level 1

I am using RDEP to subscribe to IDS sensors and retrieve alerts. For a specific signature I am interested in the content of the traffic from the attacker and victim. In the XML format for RDEP, this content seems encrypted in some way; in what format is the <content><fromAttacker></fromAttacker></content> given?

Example:

https://<sensor>/cgi-bin/event-server gives:

<evAlert eventId="1164894001049869927" severity="low">
...
<context>
<fromAttacker>UE9TVCAvbm90aWZ5LyBIVFRQLzEuMQ0=</fromAttacker>
</context>
...
</evAlert>

For the same event, the CLI gives:

#show events alert low
evIdsAlert: eventId=1164894001049869927 severity=low vendor=Cisco
...
context:
fromAttacker:
000000 50 4F 53 54 20 2F 6E 6F 74 69 66 79 2F 20 48 54 POST /notify/ HT
000010 54 50 2F 31 2E 31 0D TP/1.1.
riskRatingValue: 37
...

How can I decipher the first to read like the second?

1 Reply

mhellman
Level 7

It's base64 encoded. You will need to decode it. Whatever you've written your code in should have a module/library for handling base64.
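As an added example (not part of the original thread and not Cisco's or the RDEP tooling's own code), the following Python pulls the fromAttacker and fromVictim values out of an evAlert element, base64-decodes them, and prints them in the same offset/hex/ASCII layout the sensor CLI uses. The alert snippet is constructed from the one quoted in the question, with the omitted fields left out; function names are the example's own. The decoded payload is raw bytes, not text, so it is kept as bytes and only rendered through the hex dump rather than decoded as a string.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample: the evAlert from the question, with the elided fields omitted.
SAMPLE_ALERT = """<evAlert eventId="1164894001049869927" severity="low">
  <context>
    <fromAttacker>UE9TVCAvbm90aWZ5LyBIVFRQLzEuMQ0=</fromAttacker>
  </context>
</evAlert>"""


def decode_content(b64: str) -> bytes:
    """Strictly base64-decode one context element.

    XML pretty-printing may wrap the value across lines, so whitespace is
    stripped first. validate=True makes any non-alphabet character an error
    instead of being silently skipped, so a corrupted value is noticed.
    """
    cleaned = "".join(b64.split())
    try:
        return base64.b64decode(cleaned, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"context element is not valid base64: {exc}") from exc


def extract_context(xml_text: str) -> dict:
    """Return {'fromAttacker': bytes, 'fromVictim': bytes} for the elements present."""
    root = ET.fromstring(xml_text)
    decoded = {}
    for tag in ("fromAttacker", "fromVictim"):
        element = root.find(f"./context/{tag}")
        if element is not None and element.text:
            decoded[tag] = decode_content(element.text)
    return decoded


def hexdump(data: bytes, width: int = 16) -> list:
    """Render bytes as 'offset hex... ascii' lines, 16 bytes per line, like the CLI."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        # Only printable ASCII is shown; everything else (here the trailing 0x0D) becomes '.'
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:06X} {hex_part} {ascii_part}")
    return lines


if __name__ == "__main__":
    for name, payload in extract_context(SAMPLE_ALERT).items():
        print(f"{name}:")
        for line in hexdump(payload):
            print(line)
```

Run as-is, it prints the same two hex lines the CLI shows for this event. Because the payload is attacker-supplied traffic, treating it as bytes and viewing it only through the hex dump avoids feeding it straight into a terminal, a web page, or a log parser as text.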
