IPS Event Context Data in Log Messages
Attack context logging can now be enabled for an IPS sensor, which will add two new fields, attackcontext and attackcontextid, into an attack log.
The atkctx field in log will output BASE64 encoded string of:
<PATTERNS> trigger patterns separated by ';' </PATTERNS> <URI> uri buffer </URI> <HEADER> header buffer </HEADER> <BODY> body buffer </BODY> <PACKET> packet buffer </PACKET>"
Attackcontext entries longer than 1KB is split in multiple log entries, which share the same incidentserialno. Attackcontextid will help identify these segment by showing what order they have in the sequence; for example, <1/3> means this log is the first segment of a log message containing three segments in total.