
Wondering how to use the "context" information

nickbruno
Level 1

I was looking at some of my events and saw that some of them have information under the Context section and some don't. 2 questions about this:

1) What is it used for?

2) If I am sending all events to the monitoring console, why would it be coming over encrypted?

3 Replies

a.arndt
Level 3

IIRC, the context info (which was once called the context buffer, BTW) provides a snippet of the packet(s) that triggered the alarm.

It is only used for certain signatures (the Buffer Overflow-related ones use it a lot) to aid with alarm validation, or that's how we use it at least.

As for whether or not it's "encrypted" when you receive it in MC, I can't begin to suggest what you’re seeing. Perhaps it's just binary data captured from a packet that, by its nature, looks like encrypted data?

Care to provide more info (i.e. - SigID and a copy of the context message)?

Alex Arndt

Hi Alex,

The signature is 5442 - Cursor/Icon File format buffer overflow and the info in the context area is

Context

Attacker Context:

Victim Context:

Thanks in advance for the information.

scothrel
Level 3

It is used to show the bytes immediately around whatever completed the signature (regex usually). That data is often useful for validating the alarm (determining the "context" of the alarm).

The data is not encrypted, it is Base64 encoded for transmission and display purposes. The viewer in IEV will decode it for you.
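To make the point above concrete, here is an added example that is not part of the original thread and not Cisco code. It assumes the Context field arrives as a standard Base64 string (as scothrel describes) and shows how to tell Base64 from ciphertext by its restricted alphabet, decode it, and lay the bytes out as a hex dump so the packet snippet around the signature match can be read. The sample Context value is constructed for this example (a few header-like bytes, a long run of 0x41, and an HTTP request line); it is not a capture from the thread and says nothing about what signature 5442 actually matches.

```python
import base64
import binascii
import re
import string

# Constructed sample standing in for a Base64-encoded Context field as it
# would reach the monitoring console. Not captured from the original thread.
SAMPLE_CONTEXT_B64 = base64.b64encode(
    b"\x00\x00\x01\x00\x01\x00" + b"A" * 26 + b"\r\nGET /x.ico HTTP/1.0\r\n"
).decode("ascii")

# Base64 uses only 64 symbols plus '=' padding; real ciphertext would use all 256 byte values.
_B64_RE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


def looks_like_base64(text):
    """Heuristic: Base64 alphabet, length a multiple of 4, and decodes cleanly."""
    s = "".join(text.split())
    if not s or len(s) % 4 or not _B64_RE.match(s):
        return False
    try:
        base64.b64decode(s, validate=True)
    except binascii.Error:
        return False
    return True


def decode_context(text):
    """Decode a Base64 Context string to the raw packet bytes it carries."""
    return base64.b64decode("".join(text.split()), validate=True)


def hexdump(data, width=16):
    """Return hex-dump lines: offset, hex bytes, printable ASCII (dots elsewhere)."""
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if chr(b) in printable else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return lines


def longest_run(data):
    """(length, byte) of the longest run of one repeated byte; a quick overflow tell."""
    best = (0, None)
    i = 0
    while i < len(data):
        j = i
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i > best[0]:
            best = (j - i, data[i])
        i = j
    return best


if __name__ == "__main__":
    print("looks like Base64:", looks_like_base64(SAMPLE_CONTEXT_B64))
    raw = decode_context(SAMPLE_CONTEXT_B64)
    for line in hexdump(raw):
        print(line)
    n, b = longest_run(raw)
    print(f"longest repeated-byte run: {n} x 0x{b:02x}")
```

The alphabet check is what separates "encoded" from "encrypted": a Base64 field only ever contains letters, digits, `+`, `/` and `=`, which is why it looks like gibberish but is trivially reversible. Once decoded, the dump shows the bytes immediately around the match, and a long run of one byte value next to recognisable protocol text is a common pattern to look for when validating an overflow alarm.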
