Intrusion prevention events
For general best practices related to events, see About Deep Security event logging.
To see the intrusion prevention events captured by Deep Security, go to Events & Reports > Events > Intrusion Prevention Events.
What information is displayed for intrusion prevention events?
These columns can be displayed on the Intrusion Prevention Events page. You can click Columns to select which columns are displayed in the table.
- Time: Time the event took place on the computer.
- Computer: The computer on which this event was logged. (If the computer has been removed, this entry will read "Unknown Computer".)
- Reason: The intrusion prevention rule associated with this event.
- Tag(s): Any tags attached with the event.
- Application Type: The application type associated with the intrusion prevention rule which caused this event.
- Action: What action the intrusion prevention rule took (Block or Reset). If the rule is in Detect Only mode, the action is prefaced with "Detect Only:").
Intrusion prevention rules created before Deep Security 7.5 SP1 could also perform Insert, Replace, and Delete actions. These actions are no longer performed. If an older rule is triggered and attempts to perform those actions, the event will indicate that the rule was applied in detect-only mode.
- Rank: The ranking system provides a way to quantify the importance of intrusion prevention and firewall events. By assigning "asset values" to computers, and assigning "severity values" to intrusion prevention rules and firewall rules, the importance ("rank") of an event is calculated by multiplying the two values together. This allows you to sort events by rank when viewing intrusion prevention or firewall events.
- Severity: The intrusion prevention rule's severity value.
- Direction: The direction of the packet (incoming or outgoing)
- Flow: whether the packets(s) that triggered this event was travelling with ("Connection Flow") or against ("Reverse Flow") the direction of traffic being monitored by the intrusion prevention rule.
- Interface: The MAC address of the interface through which the packet was passing.
- Frame Type: The frame type of the packet in question. Possible values are "IPV4", "IPV6", "ARP", "REVARP", and "Other: XXXX" where XXXX represents the four digit hex code of the frame type.
- Protocol: Possible values are "ICMP", "ICMPV6", "IGMP", "GGP", "TCP", "PUP", "UDP", "IDP", "ND", "RAW", "TCP+UDP", AND "Other: nnn" where nnn represents a three digit decimal value.
- Flags: Flags set in the packet.
- Source IP: The packet's source IP.
- Source MAC: The packet's source MAC address.
- Source Port: The packet's source port.
- Destination IP: The packet's destination IP address.
- Destination MAC: The packet's destination MAC address.
- Destination Port: The packet's destination port.
- Packet Size: The size of the packet in bytes.
- Repeat Count: The number of times the event was sequentially repeated.
- Time (microseconds): Microsecond resolution for the time the event took place on the computer.
- Event Origin: The Deep Security component from which the event originated.
The following columns are also available. They display information for events that are triggered from containers on computers that are protected by Deep Security Agent 12 FR or newer:
- Interface Type: Container interface type.
- Container Name: Name of the container where the event occurred.
- Container ID: Container ID of the container where the event occurred.
- Image Name: Image name that was used to create the container where the event occurred.
- RepoDigest: A unique digest that identifies the container image.
- Process Name: Name of the process (from the container) that caused the event.
View additional Intrusion Prevention event information
When exporting Intrusion Prevention events, the exported data includes the fields listed above, as well as additional fields, which are not visible from the Deep Security Manager console. The single exception is the Severity field, which is not available in the CSV file.
- Note: Meaningful string for the event, such as CVE code.
- End Time: Time the packet was most recently seen.
- Position In Buffer: Position in packet.
- Position In Stream: Position of packet in TCP/IP stream.
- Data Flags: Refer to the table below for details on Data Flags values:
- Data Index: A unique ID for packet data (dataId). All records with the same dataId are from the same packet.
- Data: Payload of the packet.
- Original IP (XFF): Displays original IP address of the client. To obtain data for this field, enable the rule 1006450 - Enable X-Forwarded-For HTTP Header Logging.
| Code | Flag | Notes |
| 0x01 | dataTruncated | Indicates data could not be logged. |
| 0x02 | logOverflow | Logs overflowed after this entry. |
| 0x04 | suppressed | Logs threshold suppression occurred after this entry. |
| 0x08 | haveData | Packet Data is logged. |
| 0x10 | refData | DataId is logged. Packet payload is not logged in this event. The payload is only logged in the event with the 0x08 flag and the same Data Index. |
| 0x20 | haveRawPkt | Data is the complete, raw packet. |
The following fields are also available. They display information for events that are triggered from containers on computers that are protected by Deep Security Agent 12 FR or newer:
- Process ID: Process ID reported by the container.
- Thread ID: Thread ID reported by the container.
- Image ID: The local ID of the container image.
- Pod ID: The Pod ID (if applicable).
List of all intrusion prevention events
| ID | Event | Notes |
| 200 | Region Too Big | A region (edit region, uri etc) exceeded the maximum allowed buffering size (7570 bytes) without being closed. This is usually because the data does not conform to the protocol. |
| 201 | Insufficient Memory | The packet could not be processed properly because resources were exhausted. This can be because there are too many concurrent connections at the same time or simply because the system is out of memory. |
| 202 | Maximum Edits Exceeded | The maximum number of edits (32) in a single region of a packet was exceeded. |
| 203 | Edit Too Large | Editing attempted to increase the size of the region above the maximum allowed size (8188 bytes). |
| 204 | Max Matches in Packet Exceeded | There are more than 2048 positions in the packet with pattern match occurrences. An error is returned at this limit and the connection is dropped because this usually indicates a garbage or evasive packet. |
| 205 | Engine Call Stack Too Deep | |
| 206 | Runtime Error | Runtime error. |
| 207 | Packet Read Error | Low level problem reading packet data. |
| 258 | Fail Open: Reset | Log the connection that should be reset but not when Fail-Open feature is on and in Inline mode |
| 300 | Unsupported Cipher | An unknown or unsupported Cipher Suite has been requested. |
| 301 | Error Generating Master Key(s) | Unable to derive the cryptographic keys, Mac secrets, and initialization vectors from the master secret. |
| 302 | Record Layer Message (not ready) | The SSL state engine has encountered an SSL record before initialization of the session. |
| 303 | Handshake Message (not ready) | The SSL state engine has encountered a handshake message after the handshake has been negotiated. |
| 304 | Out Of Order Handshake Message | A well formatted handshake message has been encountered out of sequence. |
| 305 | Memory Allocation Error | The packet could not be processed properly because resources were exhausted. This can be because there are too many concurrent connections at the same time or simply because the system is out of memory. |
| 306 | Unsupported SSL Version | A client attempted to negotiate an SSL V2 session. |
| 307 | Error Decrypting Pre-master Key | Unable to un-wrap the pre-master secret from the ClientKeyExchange message. |
| 308 | Client Attempted to Rollback | A client attempted to rollback to an earlier version of the SSL protocol than that which was specified in the ClientHello message. |
| 309 | Renewal Error | An SSL session was being requested with a cached session key that could not be located. |
| 310 | Key Exchange Error | The server is attempting to establish an SSL session with temporarily generated key. |
| 311 | Maximum SSL Key Exchanges Exceeded | The maximum number of concurrent key exchange requests was exceeded. |
| 312 | Key Too Large | The master secret keys are larger than specified by the protocol identifier. |
| 313 | Invalid Parameters In Handshake | An invalid or unreasonable value was encountered while trying to decode the handshake protocol. |
| 314 | No Sessions Available | |
| 315 | Compression Method Unsupported | |
| 316 | Unsupported Application-Layer Protocol | An unknown or unsupported SSL Application-Layer Protocol has been requested. |
| 386 | Fail Open: Reset | Log the connection that should be reset but not when Fail-Open feature is on and in Tap mode. |
| 500 | URI Path Depth Exceeded | Too many "/" separators. Max 100 path depth. |
| 501 | Invalid Traversal | Tried to use "../" above root. |
| 502 | Illegal Character in URI | Illegal character used in uri. |
| 503 | Incomplete UTF8 Sequence | URI ended in middle of utf8 sequence. |
| 504 | Invalid UTF8 encoding | Invalid or non-canonical encoding attempt. |
| 505 | Invalid Hex Encoding | %nn where nn are not hex digits. |
| 506 | URI Path Length Too Long | Path length is greater than 512 characters. |
| 507 | Invalid Use of Character | Use of disabled characters |
| 508 | Double Decoding Exploit | Double decoding exploit attempt (%25xx, %25%xxd, etc). |
| 700 | Invalid Base64 Content | Packet content that was expected to be encoded in Base64 format was not encoded correctly. |
| 710 | Corrupted Deflate/GZIP Content | Packet content that was expected to be encoded in Base64 format was not encoded correctly. |
| 711 | Incomplete Deflate/GZIP Content | Incomplete Deflate/GZIP content |
| 712 | Deflate/GZIP Checksum Error | Deflate/GZIP checksum error. |
| 713 | Unsupported Deflate/GZIP Dictionary | Unsupported Deflate/GZIP dictionary. |
| 714 | Unsupported GZIP Header Format/Method | Unsupported GZIP header format or method. |
| 801 | Protocol Decoding Search Limit Exceeded | A protocol decoding rule defined a limit for a search or pdu object but the object was not found before the limit was reached. |
| 802 | Protocol Decoding Constraint Error | A protocol decoding rule decoded data that did not meet the protocol content constraints. |
| 803 | Protocol Decoding Engine Internal Error | |
| 804 | Protocol Decoding Structure Too Deep | A protocol decoding rule encountered a type definition and packet content that caused the maximum type nesting depth (16) to be exceeded. |
| 805 | Protocol Decoding Stack Error | A rule programming error attempted to cause recursion or use to many nested procedure calls. |
| 806 | Infinite Data Loop Error |