Based on the type of event, the Events - Event Details dialog displays the following
information about an event.
Event section: information about the event
- Event No. - The order in which the event appeared in the SMS.
- Hit Count - The number of packets aggregated before notification was sent. Click Packet Trace at the bottom of the screen to view more information about the packets involved in the event. The Packet Trace button is disabled when packet trace information is not available. See View the packet trace.
- Event Time - The time on the device that the traffic was first encountered.
- Action - The flow control action associated with the event filter that matched the event.
- Severity - The importance of the event.
- Event Msg - The message for the event.
- Comment - User-generated text added to the event.
Rule/device section: information about the rule and/or device that triggered the event
- Rule - The rule that triggered the event
- Device - The device that responded to the traffic
- Interface In and Out
Note: Device information is based on whether it is an IPS-generated inspection event, and
may not display the information listed above.
Segment/device section: information about the segment and/or device that triggered the event
- Segment
- Segment Port In
- Device
- VLAN
Network: information about the source and destination of the event
This section provides the Source Address and Port, and the Destination Address and
Port of the event. If the additional event information option has been selected, the
client IP address also appears in addition to the geographic location for the IP address
including the country and flag icon (if available), region, and city.
If both an X-Forwarded-For value and a True-Client-IP value are available, and they
differ from each other, the Client IP field reflects the X-Forwarded-For value.
Filter info
- Filter Name - The name of the filter that triggered the event. If the filter is editable, the Edit Filter button will allow you to easily modify the filter.
- Description - Description of the filter
- Class - Class of the event/filter
- Category - Type of event filter
- Profile - Profile associated with the alert or block
- Protocol - Protocol the filter monitors
- Platform - Platform the filter applies to
- CVE ID - The CVE ID (if available) of the event trigger. CVE is a dictionary of publicly known information security vulnerabilities and exposures.
- Function
- Globally Collected Filter Info (via ThreatLinQ) - Helps you to understand the global impact of the issue. See TMC ThreatLinQ charts and graphs for more information.
Additional event information
If the additional event information option has been selected, this panel provides
the client IP address and hostname information associated with any HTTP URI. The X-Forwarded-For
and True-Client-IP headers capture a client IP address before it can be overwritten
by a forwarding proxy IP address. Additional information for this panel includes values
for the following possible categories:
- X-Forwarded-For
- True-Client-IP
- URI Method
- URI Hostname
- URI
URL/URI information
A URL Information panel appears only when an HTTP URI value is displayed in the Additional
Event Information panel. If a valid URL is established, this panel displays a table
that dissects the URL according to its components. If a valid URL cannot be constructed
from the URI string, the SMS attempts to construct a URI, which, if successful, appears
in a URI Information panel. If the attempt fails, the URI Information panel displays
a message describing why the URI is malformed.
The device collects URI Metadata on a web request. If the corresponding web response
triggers a filter, the log displays the URI Metadata only if the device successfully
correlated the request with the response. In typical network scenarios, this normally
occurs. However, in network scenarios where the response has a different VLAN, IP
address/port, or protocol than the request, the device interprets the two flows as
non-related and does not correlate the URI information. Without the URI Metadata in
the log, the SMS cannot forward the URI information to the
Deep Discovery Analyzer as part of URL Threat Analysis.
TippingPoint devices enforce a maximum length of 8 KB for URI strings. URI strings are transmitted
over HTTP, which might or might not be encrypted (HTTPS) with Transport Layer Security
(TLS) or Secure Sockets Layer (SSL).
To display the URI information, the SMS encodes the URI data. Characters outside the
printable ASCII range (byte values less than 20h or greater than 7Eh) are encoded as \xHH, where
HH represents two hex digits. Backslash characters (5Ch) are encoded as two consecutive
backslash characters.
For example, the following unencoded data, where DEL represents a single byte (7Fh):
/foo\bar.htmlDELbaz
would be encoded as:
/foo\\bar.html\x7Fbaz
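The following is an added example, not SMS code: it implements the display encoding described above (bytes outside 20h-7Eh become \xHH, a backslash becomes two backslashes) together with a decoder that recovers the original bytes from a logged value and rejects malformed escapes, which is useful when URI values from event exports are fed into analysis tooling. The sample input is the page's own example with DEL taken as byte 7Fh.

```python
# Added example (not SMS or TippingPoint code): reproduces the URI display
# encoding the documentation describes, plus the inverse for analysis tooling.

def encode_uri_for_display(raw: bytes) -> str:
    """Encode raw URI bytes the way the SMS displays them.

    - bytes below 20h or above 7Eh become \\xHH (two uppercase hex digits)
    - a backslash (5Ch) becomes two consecutive backslashes
    - all other printable ASCII bytes pass through unchanged
    """
    out = []
    for b in raw:
        if b == 0x5C:
            out.append("\\\\")
        elif b < 0x20 or b > 0x7E:
            out.append("\\x%02X" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def decode_displayed_uri(encoded: str) -> bytes:
    """Invert encode_uri_for_display, recovering the original bytes.

    Raises ValueError on a truncated or malformed escape so an analyst
    notices a mangled log value instead of silently misreading it.
    """
    out = bytearray()
    i = 0
    while i < len(encoded):
        c = encoded[i]
        if c != "\\":
            out.append(ord(c))          # plain printable ASCII character
            i += 1
        elif encoded.startswith("\\\\", i):
            out.append(0x5C)            # escaped backslash
            i += 2
        elif encoded.startswith("\\x", i) and i + 4 <= len(encoded):
            out.append(int(encoded[i + 2:i + 4], 16))  # \xHH; bad hex raises
            i += 4
        else:
            raise ValueError("malformed escape at offset %d" % i)
    return bytes(out)


# Constructed sample: the page's own example, with DEL as byte 7Fh.
SAMPLE_RAW = b"/foo\\bar.html\x7fbaz"
SAMPLE_DISPLAYED = encode_uri_for_display(SAMPLE_RAW)  # /foo\\bar.html\x7Fbaz
```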
Filter information
A Filter Information panel appears for geographic filter events. It displays the name
of the filter, the matching IP address, and the countries that are included or excluded
in the filter. From here, you can quickly edit the filter or view additional geographic
information.