03-31-2005 07:39 AM - edited 03-10-2019 01:22 AM
I was looking at some of my events and saw that some of them have information under the Context section and some don't. 2 questions about this:
1) What is it used for?
2) If I am sending all events to monitoring console, why would it be coming over encrypted?
03-31-2005 08:15 AM
IIRC, the context info (which was once called the context buffer, BTW) provides a snippet of the packet(s) that triggered the alarm.
It is only used for certain signatures (the Buffer Overflow-related ones use it a lot) to aid with alarm validation, or that's how we use it at least.
As for whether or not it's "encrypted" when you receive it in MC, I can't begin to suggest what you're seeing. Perhaps it's just binary data captured from a packet that, by its nature, looks like encrypted data?
Care to provide more info (i.e. - SigID and a copy of the context message)?
Alex Arndt
03-31-2005 09:52 AM
Hi Alex,
The signature is 5442 - Cursor/Icon File format buffer overflow and the info in the context area is
Context
Attacker Context:
Victim Context:
Thanks in advance for the information.
03-31-2005 09:52 AM
It is used to show the bytes immediately around whatever completed the signature (regex usually). That data is often useful for validating the alarm (determining the "context" of the alarm).
The data is not encrypted, it is Base64 encoded for transmission and display purposes. The viewer in IEV will decode it for you.