Event Details
Use the Event Details dialog box to examine all the properties of an event.
Tab | Notes
--- | ---
Summary | This tab shows the most important information from the other tabs.
Details | This tab provides the detailed properties of an event.
Signature | This tab shows the details of the signature, if one was matched, for this event. It allows direct access to edit the signature rule or to create a new signature rule from this event.
Data | This tab shows both the received and the response data of the event.
The Event Interpretation section describes how you can analyze this data.
Event Fields
- Sensor ID
The ID of the sensor on which the event was detected
- Event ID
The event identification number
- Start Time
The time of the start of an event
- End Time
The time of the end of an event
- Type
The type of the event
- Severity
The severity level of the event
- Description
Additional information
- Closed By
Displays who closed the connection, the visitor or the sensor server
- Limit Exceeded
If the visitor attempted to send more data to the sensor than the maximum permitted, this is indicated here.
- Received
The number of bytes sent by the visitor to the sensor.
- Response
The number of bytes sent by the sensor to the visitor.
Visitor Fields
- IP
The IP address of the visitor that generated the event
- Port
The port number on the visitor's machine used in the connection.
N.B. This is likely to be a random port selection.
- Domain
The domain name of the visitor that generated the event.
This is obtained by a reverse DNS lookup on the visitor's IP address.
Sensor Fields
- Name
The name of the sensor listen that generated the event
- IP
The IP address of the sensor on which the event was detected
- Port
The port number of the sensor on which the event was detected
- Bound
The address to which the sensor was bound.
This will be blank if the sensor is not bound to a single IP address
- Protocol
The communication protocol used in the event
- Action
The action taken by the sensor
- Sim Server
The name of the Sim Server used, if specified
- Create Visitor Rule
This fills in the basic details of the Visitor Rule dialog allowing for fast rule creation.
Signature
If a signature rule has been matched for this event then its details will be displayed in the Signature tab.
- ID
The ID uniquely identifies a rule.
The ID may be up to twelve characters long.
There are two conventions for rule names: external rules start with a $ and rules from KeyFocus start with a !
- Message
The message is a piece of text displayed to the user that describes what the rule identified.
- Source Reference
This is a URL link to more information on a rule.
- Browse button
This button opens a web browser with the URL specified in the source reference.
- Source Type
The source type specifies the origin of a rule and is used by the signature engine to give priority to rules.
- Created
The date and time that the rule was created or imported.
- Edited
The date and time that the rule was last edited.
- Edit button
Edit the signature rule using the Edit Signature Rule dialog box
- Create button
Create a new signature rule using the Add Signature Rule dialog box.
The details of the new rule will be automatically populated with details from the event.
Data
- Received
The data sent by the visitor to the sensor.
Only a limited number of bytes are displayed, and bytes that are not displayable ASCII are encoded.
- Response
The data sent by the sensor to the visitor.
Only a limited number of bytes are displayed, and bytes that are not displayable ASCII are encoded.
- Expand
Use the Expand button to view the received or sent data in an expanded view in the
Event Details Viewer.
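As an added illustration of what the Data tab does with captured bytes (this is example code, not KFSensor's own), the following renders a visitor's received and response data for display: it truncates to a limit, encodes every byte outside printable ASCII, and derives the Received, Response and Limit Exceeded fields. The \xNN escape form, the 256-byte display limit and the sample probe are assumptions; the manual does not state the exact encoding KFSensor uses.

```python
# Added example, not KFSensor code: render a honeypot event's received/response
# data for display, truncating to a limit and encoding bytes outside printable
# ASCII. The \xNN escape form and 256-byte limit are assumptions, not KFSensor's.
from dataclasses import dataclass

DISPLAY_LIMIT = 256  # assumed; the manual only says "a limited number of bytes"

@dataclass
class EventData:
    received: bytes     # bytes the visitor sent to the sensor
    response: bytes     # bytes the sensor sent back to the visitor
    max_received: int   # the sensor's permitted limit on data from a visitor

def encode_for_display(data: bytes, limit: int = DISPLAY_LIMIT) -> str:
    """Escape everything outside printable ASCII so attacker-controlled bytes
    (terminal escape sequences, NULs) cannot act on the viewer showing them."""
    out = []
    for b in data[:limit]:
        if b == 0x5C:
            out.append("\\\\")          # escape the escape character itself
        elif 0x20 <= b < 0x7F:
            out.append(chr(b))          # printable ASCII passes through
        elif b == 0x0D:
            out.append("\\r")           # keep line endings readable
        elif b == 0x0A:
            out.append("\\n")
        else:
            out.append(f"\\x{b:02x}")   # every other byte as two-digit hex
    if len(data) > limit:
        out.append(f" ...[{len(data) - limit} more bytes]")
    return "".join(out)

def limit_exceeded(ev: EventData) -> bool:
    return len(ev.received) > ev.max_received  # the Limit Exceeded field

def summarise(ev: EventData) -> dict:
    """The byte counts and encoded data an Event Details view would show."""
    return {
        "received_bytes": len(ev.received),
        "response_bytes": len(ev.response),
        "limit_exceeded": limit_exceeded(ev),
        "received": encode_for_display(ev.received),
        "response": encode_for_display(ev.response),
    }

# Constructed sample: an HTTP probe carrying a terminal escape sequence and a NUL.
SAMPLE = EventData(
    received=b"GET /admin HTTP/1.0\r\nUser-Agent: \x1b[2Jscan\x00\r\n\r\n",
    response=b"HTTP/1.0 404 Not Found\r\n\r\n",
    max_received=1024,
)
```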